berbew | df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
Size

101KB
MD5

d163cc077c188db15492ba1fb353b7a0
SHA1

d35ce5f11c77bf994d1daef45a211088869fdf9d
SHA256

df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3
SHA512

555801e0ababb015c5d47ce0b3b3f2dee73922aec7d8f07e618d34b7edfba99c243c25a32dcced4acb7d76c951392530dd3036ba0016c2dbb20f91607a4c8620
SSDEEP

3072:r7QS4CWCy3A/6ukz4duXqbyu0sY7q5AnrHY4vDX:nHd+/853Anr44vDX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nilhhdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okdkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilhhdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 56 IoCs

pid	Process
2872	Naimccpo.exe
2864	Ngfflj32.exe
2844	Nekbmgcn.exe
2708	Ncpcfkbg.exe
1388	Npccpo32.exe
1044	Nilhhdga.exe
380	Ocdmaj32.exe
2384	Ohaeia32.exe
2072	Oaiibg32.exe
2716	Okanklik.exe
2516	Odjbdb32.exe
2404	Okdkal32.exe
1244	Ohhkjp32.exe
2448	Ojigbhlp.exe
2172	Pngphgbf.exe
1316	Pcdipnqn.exe
748	Pqhijbog.exe
840	Pgbafl32.exe
1088	Pmojocel.exe
2104	Pbkbgjcc.exe
1820	Piekcd32.exe
2600	Pkdgpo32.exe
604	Pfikmh32.exe
1512	Pmccjbaf.exe
2400	Qbplbi32.exe
2936	Qgmdjp32.exe
1568	Qodlkm32.exe
2932	Qbbhgi32.exe
2848	Qjnmlk32.exe
2680	Abeemhkh.exe
572	Amnfnfgg.exe
684	Achojp32.exe
2608	Ajbggjfq.exe
2772	Afiglkle.exe
2656	Aigchgkh.exe
3068	Aaolidlk.exe
1916	Abphal32.exe
2584	Alhmjbhj.exe
1424	Abbeflpf.exe
2432	Bbdallnd.exe
2268	Becnhgmg.exe
2276	Bnkbam32.exe
1504	Bhdgjb32.exe
2188	Bjbcfn32.exe
1612	Bhfcpb32.exe
1740	Bmclhi32.exe
1748	Bejdiffp.exe
1496	Bmeimhdj.exe
2916	Cdoajb32.exe
856	Ckiigmcd.exe
2244	Cpfaocal.exe
2496	Cbdnko32.exe
2728	Cinfhigl.exe
932	Cphndc32.exe
2012	Cbgjqo32.exe
2660	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
2872	Naimccpo.exe
2872	Naimccpo.exe
2864	Ngfflj32.exe
2864	Ngfflj32.exe
2844	Nekbmgcn.exe
2844	Nekbmgcn.exe
2708	Ncpcfkbg.exe
2708	Ncpcfkbg.exe
1388	Npccpo32.exe
1388	Npccpo32.exe
1044	Nilhhdga.exe
1044	Nilhhdga.exe
380	Ocdmaj32.exe
380	Ocdmaj32.exe
2384	Ohaeia32.exe
2384	Ohaeia32.exe
2072	Oaiibg32.exe
2072	Oaiibg32.exe
2716	Okanklik.exe
2716	Okanklik.exe
2516	Odjbdb32.exe
2516	Odjbdb32.exe
2404	Okdkal32.exe
2404	Okdkal32.exe
1244	Ohhkjp32.exe
1244	Ohhkjp32.exe
2448	Ojigbhlp.exe
2448	Ojigbhlp.exe
2172	Pngphgbf.exe
2172	Pngphgbf.exe
1316	Pcdipnqn.exe
1316	Pcdipnqn.exe
748	Pqhijbog.exe
748	Pqhijbog.exe
840	Pgbafl32.exe
840	Pgbafl32.exe
1088	Pmojocel.exe
1088	Pmojocel.exe
2104	Pbkbgjcc.exe
2104	Pbkbgjcc.exe
1820	Piekcd32.exe
1820	Piekcd32.exe
2600	Pkdgpo32.exe
2600	Pkdgpo32.exe
604	Pfikmh32.exe
604	Pfikmh32.exe
1512	Pmccjbaf.exe
1512	Pmccjbaf.exe
2400	Qbplbi32.exe
2400	Qbplbi32.exe
2936	Qgmdjp32.exe
2936	Qgmdjp32.exe
1568	Qodlkm32.exe
1568	Qodlkm32.exe
2932	Qbbhgi32.exe
2932	Qbbhgi32.exe
2848	Qjnmlk32.exe
2848	Qjnmlk32.exe
2680	Abeemhkh.exe
2680	Abeemhkh.exe
572	Amnfnfgg.exe
572	Amnfnfgg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Pfikmh32.exe	Pkdgpo32.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qgmdjp32.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Nlpdbghp.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pfikmh32.exe
File opened for modification	C:\Windows\SysWOW64\Qbbhgi32.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Pcdipnqn.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Pdiadenf.dll	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bmclhi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Naimccpo.exe	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
File created	C:\Windows\SysWOW64\Cdepma32.dll	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Qgmdjp32.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
File created	C:\Windows\SysWOW64\Oaiibg32.exe	Ohaeia32.exe
File created	C:\Windows\SysWOW64\Pkdgpo32.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qjnmlk32.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pmccjbaf.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Npccpo32.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Odjbdb32.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Qjnmlk32.exe	Qbbhgi32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Pjclpeak.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Bpodeegi.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Bfenfipk.dll	Npccpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ohaeia32.exe	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Icdleb32.dll	Ocdmaj32.exe
File created	C:\Windows\SysWOW64\Edobgb32.dll	Odjbdb32.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pgbafl32.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Ocdmaj32.exe	Nilhhdga.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2564	2660	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okdkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abeemhkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkdgpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npccpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilhhdga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaeia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhijbog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfenfipk.dll"	Npccpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilfila32.dll"	Pkdgpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qbbhgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okdkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodajl32.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfbdiclb.dll"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icdleb32.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pmccjbaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgmdjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnfnfgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2872	2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe	30
PID 2868 wrote to memory of 2872	2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe	30
PID 2868 wrote to memory of 2872	2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe	30
PID 2868 wrote to memory of 2872	2868	df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe	30
PID 2872 wrote to memory of 2864	2872	Naimccpo.exe	31
PID 2872 wrote to memory of 2864	2872	Naimccpo.exe	31
PID 2872 wrote to memory of 2864	2872	Naimccpo.exe	31
PID 2872 wrote to memory of 2864	2872	Naimccpo.exe	31
PID 2864 wrote to memory of 2844	2864	Ngfflj32.exe	32
PID 2864 wrote to memory of 2844	2864	Ngfflj32.exe	32
PID 2864 wrote to memory of 2844	2864	Ngfflj32.exe	32
PID 2864 wrote to memory of 2844	2864	Ngfflj32.exe	32
PID 2844 wrote to memory of 2708	2844	Nekbmgcn.exe	33
PID 2844 wrote to memory of 2708	2844	Nekbmgcn.exe	33
PID 2844 wrote to memory of 2708	2844	Nekbmgcn.exe	33
PID 2844 wrote to memory of 2708	2844	Nekbmgcn.exe	33
PID 2708 wrote to memory of 1388	2708	Ncpcfkbg.exe	34
PID 2708 wrote to memory of 1388	2708	Ncpcfkbg.exe	34
PID 2708 wrote to memory of 1388	2708	Ncpcfkbg.exe	34
PID 2708 wrote to memory of 1388	2708	Ncpcfkbg.exe	34
PID 1388 wrote to memory of 1044	1388	Npccpo32.exe	35
PID 1388 wrote to memory of 1044	1388	Npccpo32.exe	35
PID 1388 wrote to memory of 1044	1388	Npccpo32.exe	35
PID 1388 wrote to memory of 1044	1388	Npccpo32.exe	35
PID 1044 wrote to memory of 380	1044	Nilhhdga.exe	36
PID 1044 wrote to memory of 380	1044	Nilhhdga.exe	36
PID 1044 wrote to memory of 380	1044	Nilhhdga.exe	36
PID 1044 wrote to memory of 380	1044	Nilhhdga.exe	36
PID 380 wrote to memory of 2384	380	Ocdmaj32.exe	37
PID 380 wrote to memory of 2384	380	Ocdmaj32.exe	37
PID 380 wrote to memory of 2384	380	Ocdmaj32.exe	37
PID 380 wrote to memory of 2384	380	Ocdmaj32.exe	37
PID 2384 wrote to memory of 2072	2384	Ohaeia32.exe	38
PID 2384 wrote to memory of 2072	2384	Ohaeia32.exe	38
PID 2384 wrote to memory of 2072	2384	Ohaeia32.exe	38
PID 2384 wrote to memory of 2072	2384	Ohaeia32.exe	38
PID 2072 wrote to memory of 2716	2072	Oaiibg32.exe	39
PID 2072 wrote to memory of 2716	2072	Oaiibg32.exe	39
PID 2072 wrote to memory of 2716	2072	Oaiibg32.exe	39
PID 2072 wrote to memory of 2716	2072	Oaiibg32.exe	39
PID 2716 wrote to memory of 2516	2716	Okanklik.exe	40
PID 2716 wrote to memory of 2516	2716	Okanklik.exe	40
PID 2716 wrote to memory of 2516	2716	Okanklik.exe	40
PID 2716 wrote to memory of 2516	2716	Okanklik.exe	40
PID 2516 wrote to memory of 2404	2516	Odjbdb32.exe	41
PID 2516 wrote to memory of 2404	2516	Odjbdb32.exe	41
PID 2516 wrote to memory of 2404	2516	Odjbdb32.exe	41
PID 2516 wrote to memory of 2404	2516	Odjbdb32.exe	41
PID 2404 wrote to memory of 1244	2404	Okdkal32.exe	42
PID 2404 wrote to memory of 1244	2404	Okdkal32.exe	42
PID 2404 wrote to memory of 1244	2404	Okdkal32.exe	42
PID 2404 wrote to memory of 1244	2404	Okdkal32.exe	42
PID 1244 wrote to memory of 2448	1244	Ohhkjp32.exe	43
PID 1244 wrote to memory of 2448	1244	Ohhkjp32.exe	43
PID 1244 wrote to memory of 2448	1244	Ohhkjp32.exe	43
PID 1244 wrote to memory of 2448	1244	Ohhkjp32.exe	43
PID 2448 wrote to memory of 2172	2448	Ojigbhlp.exe	44
PID 2448 wrote to memory of 2172	2448	Ojigbhlp.exe	44
PID 2448 wrote to memory of 2172	2448	Ojigbhlp.exe	44
PID 2448 wrote to memory of 2172	2448	Ojigbhlp.exe	44
PID 2172 wrote to memory of 1316	2172	Pngphgbf.exe	45
PID 2172 wrote to memory of 1316	2172	Pngphgbf.exe	45
PID 2172 wrote to memory of 1316	2172	Pngphgbf.exe	45
PID 2172 wrote to memory of 1316	2172	Pngphgbf.exe	45

C:\Users\Admin\AppData\Local\Temp\df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe
"C:\Users\Admin\AppData\Local\Temp\df24296bd07d54c5929e3b1aca527fb826360953adb07bc042abb7d647070be3N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\Naimccpo.exe
  C:\Windows\system32\Naimccpo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\Ngfflj32.exe
    C:\Windows\system32\Ngfflj32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Nekbmgcn.exe
      C:\Windows\system32\Nekbmgcn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Npccpo32.exe
        
        C:\Windows\system32\Npccpo32.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Nilhhdga.exe
        
        C:\Windows\system32\Nilhhdga.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Ocdmaj32.exe
        
        C:\Windows\system32\Ocdmaj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ohaeia32.exe
        
        C:\Windows\system32\Ohaeia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Okanklik.exe
        
        C:\Windows\system32\Okanklik.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Okdkal32.exe
        
        C:\Windows\system32\Okdkal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Ohhkjp32.exe
        
        C:\Windows\system32\Ohhkjp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Pqhijbog.exe
        
        C:\Windows\system32\Pqhijbog.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Pkdgpo32.exe
        
        C:\Windows\system32\Pkdgpo32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Abeemhkh.exe
        
        C:\Windows\system32\Abeemhkh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
        59⤵
        Program crash
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
101KB

MD5
272001fd05d477d7d23fbd9ccde43393

SHA1
4927c4688ec458a708726a3bc3524a45397385c7

SHA256
7b625b349364351e4ff63db8cb5d69d0be5e089edd8c81fb45fdaac8aad33642

SHA512
634572c886d45668b93fdf090dbd52f389715d38c949730fe2c1e3db981e911504ab5a826944b4932dc36850a70c6a5a3928b4e0a2d0cc24556095793710d0b1

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
101KB

MD5
922c33e061d3c26ae9ce029e2f27b012

SHA1
8d906c2ff48ef07c97a389c97a12f1207ef0ba30

SHA256
c8cff8e6dd865196840798de17ce707e6b58fe7075c197ca15c74227483efa1f

SHA512
e7d5f17158f407510b1f6c29be06fa142407b527b9db75f601653c7681470940612e0766f3157f938393ad157168dce6cff18fe97b7d6d04b8465e402c533b20

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
101KB

MD5
d0dd5b345b1159134d67e4d54cc99d24

SHA1
78e6bcba4ad94ee8b24fc04db5a0b295ae97e3ef

SHA256
7d4ffa5ce9c730e5200afee825f9526faec75bea70e5ecb2419c06c1f72afec6

SHA512
6762321778d815c3b0d38c1b4f05b8d8ad41db8d130783d33876717038c8b62946b1314cd9cda5b6248f3c68df931738b15638ec772a758c74085d861cf599fe

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
101KB

MD5
84e30605a19e4108b000d8c783c3e57a

SHA1
e0d1195c6eebf9d4a9ce7fe830db47e309acab96

SHA256
085c0ba4b23521036da925b27a0373867d7c51089bf988161484a93bad50a939

SHA512
d2c136b8eff4df97d524ddc41f332c34e013d2a32089439a39472fdbf1547d9a88f2a109f3c2d4c21984b830f50acbe1bd983878f80ffb559b346a89cf55281f

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
101KB

MD5
8e0f3d64e8d2e7344512292a9fb9f338

SHA1
07b7b17db2abee4c85e87c9c6531adc130d036fa

SHA256
c7dd040b2ca8dbd41a7975973dcb063fcd7519a0281492537a4a3daf7b06cc39

SHA512
4e8ebe344a1a8e4df784963bb5d3311952f626fb16fafa6e26500f0956d4c1cd38b94d32ac842e77486057a21f79b6760274781ee71193975bb4a5f856be5a95

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
101KB

MD5
3b586efbae47cd9badce0e0069534791

SHA1
d60e8a33912ee22ba01b305596727de6303c17a3

SHA256
7720bcbd89fd22be07c69811448488301bada8f2004a729991b5516f418ececb

SHA512
14a9b36e6fcd85b3ba4888421c79a3e4c36a5fc334a292302db39d3bb830cf64926d9a5c13355419e38a85205a68833370c9260ee05eb3f5c96766370fe9c2b2

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
101KB

MD5
6afa1ddcf1b84be4ec217500588c1f81

SHA1
393ab69ff63e20e869bddc11a82cb0e440f5ff89

SHA256
d9ef799dfa91f95a05cf320f49964186456b02950d95fe101580edeb4a63e536

SHA512
87f72f375c18d6a4aa2e088977f824ba931abe860ebed687b3d430f084ac19520f752c0efc9613e011c55b48a0a26d4c81f66b62eebeac76a96d63324009c900

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
101KB

MD5
fcccb39c39eb28292a6e1d9971e28c65

SHA1
76b339ca99b991aea1afed02acdbc31dad7b63ad

SHA256
4e6c5847ac7d32c498fad68be120570f4c586cd0e2d3cf174041316a390b36ba

SHA512
f32c45227539cde9db7b771b25831ba2d29fe452ddfcb5030c7768e8624affcd3e565ec0ac4b71858f4708c74de4c86d80b65c3a185748aaee1c5e63a9499ea3

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
101KB

MD5
fd03dda952da2f5214ed629f4befc84d

SHA1
0cceee8fda41b22c38e6982957d45684d0f31f9a

SHA256
321e2269e4b7d75d1bf01acbd15fd4d2209e816b8e85bd8b38f5de8627775f9c

SHA512
353803b782b3b0b7a633b1f826b90457cbe5d06706fdcf3fe842f7b4415d1e717f71ddf35a985cb9b6b5777ad9825a05871ffc0557e70e993fef4f5c76bd0b11

Download Submit
C:\Windows\SysWOW64\Amnfnfgg.exe

Filesize
101KB

MD5
d49d0c3e77261e05350ab59a890f7d3d

SHA1
4e76e98890e263ee1d032bf77ef567ef24614e8d

SHA256
ae3e1ce1246f68faaf63c931a0ca7a726ec1bccf0f5d7e7ab291adff075207db

SHA512
5783e48b7bc15f6b0c0c30f268b39391acdcffac78f86984c0140f324b6dc2e0134609dce99ba7cb587ea53954747a068d3229012f1fec88eeb97a644770a9e3

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
101KB

MD5
77243bbd79dd32d21fba69d981e9df24

SHA1
4a4829092287a06506074ca1179b2c7a1ac943b9

SHA256
7c77bf2d996284121eb0be382803704d190b3bdce932dc314531d9385667fd17

SHA512
9f8478ff402915d10ac1fbec8a565596f732925ff51ed3da2134b2f97b5226746f6dc6d3038a0c412300f6154e2123bf8478dc8817ff215be2e6429611ad2802

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
101KB

MD5
b6bf8c5711b26406f5bc526f5b0d76bb

SHA1
264c0c257af8713d29ccdfb8358a225b1a51cd3b

SHA256
8478f7bbe4c48e545c2d769a2ec9e88a580a9bed65359b7bd0cb7be5d943e93a

SHA512
be187697d062208720f6f3083b9dadfc20ed5d2651c75388de40cc4a1cd31f572ab9ea9e8ce2e00a20f1658dac75fe2d7ad8e691a6cd170da545b960c2ce7c3d

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
101KB

MD5
f4a8ea7800da055f47e4a5e18f643958

SHA1
c5294ffcc6c038ed92199b02bf7cb0efc018760b

SHA256
88d0fbbd08d05d822fb9367fbe7ade30d5f388e70db775ec28794398097eaed4

SHA512
85f199dd5e173466780339bc84ea3b58d34c3392a85fbaf1a978dc5e5b83fc09d19f708a65c5bbcf7ea69d1080570bdbe26724b4dcea11f601b1e090caf35b1d

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
101KB

MD5
be04b97e1f172ac4b215e148deacc2eb

SHA1
3b30e8bfc16761f663ec0eb3b84208985a70246b

SHA256
3a62936ed8aa0ffbb695a58d6000c60868780083372c33286d23755ddff70a7f

SHA512
4cf337e46b739a7373616331fb3a85531535ece1963199cad1e89e73089e3e0ac12cf69698fd1e55c95794157f39176938d5e88de460bddda0a542df18063657

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
101KB

MD5
f87e663af8e7e46ff4e45c0fda377498

SHA1
21166764def13c97ae86605f7998255be9202b84

SHA256
ad4cda34c76628afaa589aafe5b241abf073654b3de825cce1d0734a5c06a8e6

SHA512
62a8a2c1e67d97ad2cb6d3fcc9ad4bd0e7ec035832a891fa08049913df81693921ed9e67a2f8e685cae06dccb29ab7a9aa4e5b2ec93310586eaef53c54f44357

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
101KB

MD5
36ad386fea838b949b1b4b709445c470

SHA1
428a82cc9750099b48bffe89db0a744293550156

SHA256
e3de310784babf32fdc3c73f12dca6ddda6bd24c9c636d5fa11abf43c41ca114

SHA512
d45a2b4b8d807bf31a62048e7ad776140c2cd435229a71e5d01956dab789bcddfdd68055c3a0328a4dc0b2fc801b5718fde49d25f4d81d6ef2bd741171d68939

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
101KB

MD5
a8a0ef238e9a70a70fafd83e5c96f396

SHA1
0676ef34f7f06e193e437e9a490f8ca98b353ac6

SHA256
d20c4dd5adf2722a59511593312a13a8583c531280766bdca3719b6c74ca6e7b

SHA512
a241d99ac2c4fac05f007d90e8f3c8ec365f6b1fbc3c577f3b2e89e2ce239bca2015ea5ccb4207b8b3f9d140bb12fe8140ff05db80bb4fd94bce212084d79e41

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
101KB

MD5
8f1750ab8c18309e162324cad2ef0991

SHA1
a026ac562972d72cd3c2d68dfead346fecc8ebf0

SHA256
4aba9cf966cf9926cc3db18f289245916ff931ea3b44619ec575eb5fe3428fe6

SHA512
eec667a69a0fa32005c70e68f9a78fd2324c2e67fe1e97067b19faa947081d785ef705ace669076549f9da06fd2394c65b2ecefaa2afb1f0a69f9421683547d0

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
101KB

MD5
afcc22dda6c89c2c9f11b0ee2de59e2e

SHA1
ec772b3728077bd2d2b98edd9974447a9e73ea32

SHA256
d18e58b0b4fc408fc41af0c14b478d89bb2b1a8793510b44a47ce1898b8ef6ce

SHA512
bd5195c7986531378b00f83902d4e07379b28df7de728abbbd480dfb052702353afcb208df050cee360184b48ffa162a7ff8e960dac7adae2ade2c0b86cdf880

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
101KB

MD5
8248d3ac9298b4c95588c0275bdabc6e

SHA1
604c6feda39527ecca3920104737af6b23fd8875

SHA256
d6418d15722156402edfb1cf0dacb3b90c50c3bd992ecab27f56300689e9104c

SHA512
262ec41e52af040e2ae4bc9586c344d3c218ef2b4d5fc6505f98c584dd257056bafeadce09ebd5b1ccfba90ef87958edf6c14d050f6e16436cd2f09317548a15

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
101KB

MD5
c6a5a3848de4f2c0c95f90045aa7c21c

SHA1
71d07a19047dc8069c40365dfff49a8becc1d870

SHA256
4481847a1d6b6f7b9de7a5e1bf320fde87a5920479b411c138394b4d455989a8

SHA512
12653b55afa52ca6f6170e0d47306262a50e5a31a192681e546432f52afe4cc9693b014ef71fcc1737b536d3b228c647b492f4392c4a983d452988daa50fa7e1

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
101KB

MD5
41ce083d4fd9f616d67d69a8073e4d07

SHA1
cb2bba2718e919eb44c0cc07e2580b3b8c8147ad

SHA256
811b379070848c27d5a62f9f4f9e665b8c6e4e61b880950ff444ecb4c94b4103

SHA512
0f8b34da30894f0ac4d8245230c0e5acfe0c6765e9322de609d8f009ea057b26176f240202aa6248926de07594ee54e433653d2e63511d31f170969433325ad2

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
101KB

MD5
c8223e13fe20ad13819f715692c5d07c

SHA1
e455a3bdad9ce3b729d3d0efb85a5e3a07fd4640

SHA256
b84a80ba4fbac9661620a4087ef9329e530c0718a82b81a2d2a4e412ffc836a8

SHA512
457b7f2d67f306fc1b79b8c4e659eb0cf53c1f5b5a7313f35484e78fdc865a316d886b46fb10dc12d57493bac2c1684eeff9ab5701c678d5150c79f7db08bdf5

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
101KB

MD5
d9cf26035c448452a7890d409010ce4f

SHA1
472e04eb8dd1a6befd776cf737d4a9206ad8b102

SHA256
3f53bdacad7c5697916449c3fe57a71c82d21f1f08d656c860add1be9e4fa9c5

SHA512
6b60addca6eaa3d2ec1ae9c1106b8341e0127947c75bf6b7cc59021f5d549367521c4834323b5bf1b05dc5a45e7faba19dbe19e381e85c3a5ffaf48f4085cc21

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
101KB

MD5
eff9826a83ecc7bde1e76d75fdd0c7e5

SHA1
619eebf6ee13a17e70bbac81fde6518fe05ad27c

SHA256
7d65e66091a252d764e35890d2e0dcb949d6572a897b9e34bcabf20e3a5fc93b

SHA512
02f56b020029197bfee5a0020af2b73e946a47941cb7662713697f9a5d46bafdbea8466a45e740ace99e19997bfce1af32a7e2e9f8b8e6ebd635e0dd4dd20b9f

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
101KB

MD5
01de0aa7c228045173036225060fc9f5

SHA1
bc8c7932ba942758a184b612276cd0beff530dd2

SHA256
7ab52256b1aa33caab93fc01a9fadef12f431138165e43083b7bb7f1d2351371

SHA512
bf1115aee6b642eece18ada85c0bff470f526b3f5543110b106a66437e112eddf11c9cce77a4ff983c3d579017b2898f9ee735197f9ca3574f643b0cb7f2f897

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
101KB

MD5
867bca20de8211d271463e8f982f5970

SHA1
fb8ac7833197fb57c42555d0c72b6ab3564b2308

SHA256
b05f502c5364908f2e978cdd4ae0d54973e0e1cca08cc7b0ce5d649038b1045b

SHA512
eef4b2a0b3692158478625e3d2c5a489da9c624ad7cb53a0899910e877ed18f2e69e8367c9410b7613b27d9cf68ce16b425f41548801f08dd75b9a1f4900c13c

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
101KB

MD5
81e81868e4a6e0a6c0fe8682372e1288

SHA1
02d614d69e157ebd140eee3461bacedc2bc2e15a

SHA256
7a777ebe0365819e86f55a6dec5b7fe93ee59293dd8c5f19bedd2eed72a56194

SHA512
b2ba80e155d903fbe8b5e161aae70519ca1ce3118f0a437526bce91c495ab416e2fb1547f049d4d74e39eedd93ad2c5c25ce2639a72ff67b0b42d1f275a2bc2a

Download Submit
C:\Windows\SysWOW64\Okdkal32.exe

Filesize
101KB

MD5
f5ae34e6c51f58cac61ad103c5ce7903

SHA1
b21ccb26f14bd73035b9d18c7741000464a91b88

SHA256
28c9f0e88835d9d7ac70a5cedf1c6704140ee5f5e53df20b65b71f1e74441d7f

SHA512
46023d7e25e507b806211dda87f523edee94195ce3bc9309bb2f41f7a66c46e10224abbcb2e85c56d8f9441e8b493edcffe363b1a17a5f1eab43ef89b576b6c8

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
101KB

MD5
231c809ef51d4d4a67db9caf0307c84d

SHA1
ff93f10b53688abbd7c2d2cac8f4aafe09243c64

SHA256
ecefe9cb820d40e14923453751674a07d638e09759a33616e2526784ffc33a41

SHA512
9382d54c046028a264e9132fe9105938be8a6d3e931472e1a860f318066ce8ad07db5ab74ad96880381bbfa8efd82aca976eb5c7757c69f1fa7fb5ba7cc2fe09

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
101KB

MD5
d67b239bbb0b1516007329b86162e6b0

SHA1
044c4d33b175eb8408e97a5232409508f48931b2

SHA256
1c0c9f562d6a7e6300be92aeeb341a80ecce57f2cfa2d2cd20ae6570407d5d5d

SHA512
e5774cdd4b3c80e1ca3636b4e7698e683687cd3f6f14f64d8bf91cb176a92c59204f49a37d57483f8f906d649dd41951f2526bd1162588458ab9c54c366f2cc4

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
101KB

MD5
073c1376d463e7a4eb23bb6ab9405651

SHA1
4123209bd70ddb48320c0682a3d60ce3b557355b

SHA256
23c685ecba1de972ffa70b562b967213c3a8a77e2d8c8c54cb6f43c321246f33

SHA512
1d87031d9b16319e9890f753348494635aa1d07d5fdab09e27b070001fad1454aa7c5c7744c7cbf5e5aae08055b5b8b173743e1e2ae699491d1ebc97e1c0e0f6

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
101KB

MD5
8fe9a9509b4794a12d205364289c82f1

SHA1
d1ca6f32316e7711f44dc290fedf635eb0b54a57

SHA256
1be18e76f1803513ac80858049e6f6a27717b75c13ad360be59c93fe8b1b3a75

SHA512
03be1f70a37df1b9fdfb1511583b436fafa379969e3ef945105a7f918954c1bbc35b713a34229a5fa3251e71c05f311f9ddd0cccb7b5ab97a4986c5ac31aff36

Download Submit
C:\Windows\SysWOW64\Pkdgpo32.exe

Filesize
101KB

MD5
dec5a3a72acc3cf1ae4154199116e8c4

SHA1
5af0859bbdf4b05185f976eb64b2c7a30b7e7e8a

SHA256
424b76da783b4a45fbba72fcda280f81aa659e7dc3dfe1e4a418ed09c28736a0

SHA512
b0e181b0410c12961f1a9a27c60ec4dd294bff5c0c22e2b1e896ed99f2570a93a32a7a8e3bd8cc4fca6a497c03e2ced90427ff54a96916727467df0396c2c81d

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
101KB

MD5
b40a5753477fbe5fb44d88e42a424b72

SHA1
b4390a9d21614aae2b1166747f7240a007d7d046

SHA256
788c3bd27841673ab30f1b2dbe0b694dd37e5db9c3bb98faaed63e19b2520858

SHA512
67f9d9f485182dc26940ec44464fe44201379cad3c7ac0b9630822b1af23bd04e70a95c05363d32b1ade595d6d6797eb6e75cd45164872b33f304a864ab0cf99

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
101KB

MD5
79fd5c73d10ffaf3d304cd1c62737aa5

SHA1
b81782ef628bbb35a77c4e3015f8ffce053e88fa

SHA256
ced96693b0c98f8589f78bc3287274f60ab3c4a0197928072edd727a4fc459ef

SHA512
9bd15626c5ae596b0a09cb833c297a4b1f27a523e0a68f7058f9acd7052fe0b6401e9bb6b5f9e34869c147092adbc0b6c1cba577b90ce062611dc66718d0b51b

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
101KB

MD5
0999570a0c727da346caeef5119ee004

SHA1
719b6d47c929c53af4dc685b590a1caa218560e4

SHA256
058102e5a46a185fa6098fb7a3b6c7fe1a53f33b9f287ac6f8ad3e2eea6359bb

SHA512
78f3ac226f65f3d8842aaf8a0ca30e5935ddadc87144f106ce570a99430d6c41161079d189fc68782c8b711e310b6c5b25025607e72bab666df8809523aa9925

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
101KB

MD5
1c177c6fd6e9e90da18f949dae3c6a37

SHA1
4da2f45aa3eea676a9411ea73467c4fd8349f452

SHA256
dcc2a5ae40ff49acb742381b1f592b369fcab13b23422d83209fb230a0739f15

SHA512
19e9f90db03b9501e90e5ba19216c3b108ffa9f252eed4d044e5c772b93bc7a5aa62e8f493793364770c8c2f8d5aa9401ae5a508abe30acd8e6b1093d6242e4f

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
101KB

MD5
13739522d19875b551fe606a00afadd0

SHA1
f29a6796931a4facbc32e06ebe58000ffcfd57ed

SHA256
f3e7ecaa065f35f650bff65f5b8a059de8a48fec22f566d3be4726c5c9c8bf7d

SHA512
72ef1988c4c2ccd991a1e7eb52bfb8d44a30e17628d27dbadee8c772f52f189b8eb1cdea566bedbec1182ee629549e349f40594d3d5eab93349764f24285fa7d

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
101KB

MD5
52ed299ba878f18bba6fdff8ef431df8

SHA1
91e5da318353dc5910dd9476a611c16eefcc4c12

SHA256
21ff052c7765a07e08558883da59e682a4cf0b8c4c68894f41fb684d5189e427

SHA512
deae82f46ee602697c95ebb2785b3ba3e47f753066c835e3bc362867aacc10e153ae269abf815341b334c7abdf177a561715c1a7c8948ee4d02faa07ce4beb45

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
101KB

MD5
bb09ef8a54ac4b3b830206a731a8ff96

SHA1
e3ebcf115604686ad575d669addd637d245f4452

SHA256
b95986f3a2ccaf4362f25f5211a63d44499a837ebc6fa19720866474735d9e5c

SHA512
fac06b7dcf27d49bfde5a50cbdf932f224690a90d9e3bef0bf07151ba524653c847e82577af4cf5a07a17f1e2e0735186d0c5c98ad65aa46f73e52b57f9ea56f

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
101KB

MD5
fdb38745eabf3c8b6ea90b561a1904a4

SHA1
c2ea56585c2836abb997b3316e93e906659a24f7

SHA256
00553869b9767ccce88010a868ab57f8c9f99abd062a9b3051cfb2d7f0a5674d

SHA512
6a39ee5e886a6f2a7c8fec5aa93fce1a77adb0f1d613715edf2773b225b6848feae9806cffdccf8cb04ab972439883b7fab5b9632c8f8c540ad4142ee8439e17

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
101KB

MD5
c7a78b94b7c124baa9f9e6912312da9f

SHA1
6951e5d2f6cafcd78b712fd8667a6a5a5fc3d842

SHA256
9f98954f5ca53e8147be5e30716e7ad682c1773d53bc6b2bfcf115030bc59250

SHA512
80a6da6142117fdef0ca793515430b44a3ff3db3c3f80d884510c96b9b2dd0f233fee46dd315136caf24c42dfd00a4e8c6707861774c8604753f390a7c4bd098

Download Submit
\Windows\SysWOW64\Nekbmgcn.exe

Filesize
101KB

MD5
b59665574cc41de4ba94f65608bf9483

SHA1
3787d6fa5fc0b4c9cbb57e656469d8c8134982be

SHA256
14303c55b294d5e14b605c1b9317fc90cb22c380e73d38dff50f8d8fee24899d

SHA512
2dfe77d5b26f3c7a48b6ced91ad58afc57b2248e63fc98e6d27e2fb0aaa1f8cf82a39439fa8732568a5cf46e63c389dd39fcd8c90b92af1682daefa4006868ec

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
101KB

MD5
37c7603f52e4ceefaeb45d1c49d027b9

SHA1
1bc8b3878781630f413c4cf489d054038aa6c13f

SHA256
7deea501b8b8f83db457ee63f60f9619546cba76f7c37bced112e7ef01fc45de

SHA512
def4158f8e78f14bc534db6b220abc8072894f0db424af493c6a88dcbdfb4634df94002ae0d4d5d1f1e5aceb05d7cda094dc0aa6e06813ecc097c735df677b45

Download Submit
\Windows\SysWOW64\Nilhhdga.exe

Filesize
101KB

MD5
b8577921e95a109c92dbe9cc9af47dee

SHA1
d115a72ce0c06757a3693ea1505fb1d4b5ee393e

SHA256
aea991b77710bd305982c5062451d378bf7b833cdda2bed9c6fb2474881931da

SHA512
86dceddf6e1a4357e4d0582778967ad190098972a20cc91efa16eb5b81314f7d46b1992def71cdaebcedc923ca43952bc8bb806f9765f3fd68125ede576513c6

Download Submit
\Windows\SysWOW64\Npccpo32.exe

Filesize
101KB

MD5
a2286ce9c8f4b93560cb70dfb0564366

SHA1
6cbfae2e5bb17de50a41ed73de738673acc0139d

SHA256
5e2b170b7c8b5a48d719a48e66adb1c9b26d3d31b1e9924ae39a685895039fb7

SHA512
811368aa88cfc3b1f5754d80a35481b4cdf1277735b2d4977b2815e556c2bf063f6dfb03315336a730101756b9ce9c81ab6146ca36236ba5bfb80cc97df08a6c

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
101KB

MD5
b5a2a0db6a640f995421023f43c4d10e

SHA1
6495bd9db64092403325143d834212f068320c2d

SHA256
a04a127bc791989e3895eb65c51e5fa069cc3287906ed09cc81d506da9a82df2

SHA512
0dae72f51c853aa29e1e0c6190b8cd3bbb34a4c641c1f481ade9789d98104de2d253deac0f7d2851c231b1cda817c3de02fa089c2c6b0b312c691093f3d41fde

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
101KB

MD5
c9374ff563f5d439e7d0eb38e5a0f1b5

SHA1
14a212c93f0a19669a79313badab609cfa6a3824

SHA256
4f084de78040759b2d3063bf70a3d35767855edfda8bfbbfa5eeedccfa1aad55

SHA512
f45f36208e6abf15198a1f0110b0a946d1cf87e97d4fb85c2fe54d2a84c892f3a70e9ae5962f77162cc36ecc139d781034341a0e9e55ec60d5f3528fdaa0d55e

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
101KB

MD5
7b92bab4b17229633c29ca30e5e01dec

SHA1
98d09299fef1e3831a58c827f7091e50c5f54fc0

SHA256
ec38c3d297fc34747eeb63b55e696adc25c95ef795901827508670ed1bbe3954

SHA512
1398219e31f30ac781182dc46231d4f5149ead8260c4ad60fb1dd7deaa59a06cfb2f3e45b8da0c2451e27c5277d73da5dcf53027ee81307dfe3c5abcf10c7d74

Download Submit
\Windows\SysWOW64\Ohaeia32.exe

Filesize
101KB

MD5
9c29af095abc1ebbc82a34ce1290ee92

SHA1
72c48bf90251f4c232f464985723d2bbdfbddaa7

SHA256
7e62cf33adf8255cb055dab926a6a378ef773631b73569bdb39664df5c4a8772

SHA512
d53eae8ddbb4c63d8d834c8226710040a7a90b12b9476782c0d4175dba254782d8c64a66b84579e8dec27729966e62fd434c053253fbab4bec54f513179e1b3c

Download Submit
\Windows\SysWOW64\Ohhkjp32.exe

Filesize
101KB

MD5
b91dc1f91d671f038f5460ebaa0ef9e5

SHA1
f1d0e3386fcbd0e8e9b442531e2f01fad73c811e

SHA256
6eb409ebda06f9245a583f2487f94ffc31540fa072059cc3d608dd5eb72d3242

SHA512
aca7558910b3a3a673f2bb97f2d3f05d71d0057264ddc5626f08d17d48041c82b4c45c9313d46b0f3f0c941e218bac1dc5d0ce7db39dcd44ea0734457d0caa04

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
101KB

MD5
ff8f438331c0c141c2fccb43c7deeef9

SHA1
f052214f40aba1cf3ac848c15ab0721cc9159064

SHA256
f7297f8df520ba0170efeb6b69044f68e56cdbf8e581f9d68705cf551ad83d93

SHA512
328fe048ea648cae919cb9fd4acea3a05f25a7558a51bcf5f456dd86f5be9f729c0681075791b5df3120a91c52b1f6bb0ef032b7e301df2a19b1b053b5886478

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
101KB

MD5
4527094686bf99584b9bbfbb3a3fa3e6

SHA1
cc9b444f0ceb651a6c28bf86463df1e268f3ca14

SHA256
ce421e3f3579fabfb5f67352c39abd6712712f1f753ecc0a4cfc7c0d20434985

SHA512
9f46250c2541fbc627f6e1e025fd3e9628b21217a4e4dd39eb38c5fd6393bdee5bac06c3615de328bfab42218c2f35b1ffa803e2a0e57ce60a7ed2ebffdd1fec

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
101KB

MD5
c9fda3ff0a1faf758d08816938cd27a8

SHA1
ba9df76c5482145158cd381ab2feac5251e5f839

SHA256
efe2d9704e9b9c6813611bf6bc16c91ee4ca60d76c24480d31b70f38de14faa4

SHA512
5c035f787913ceb78c794e71de3042eb72e057449fda60906e7d74a6926c70c8ecf35f13a6ef4a4f8579e2dab61694769d43be4f04f7236897f56a5b5d0ce207

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
101KB

MD5
c52cc8d1844ce255eb7b04888d4ff482

SHA1
2f9246244113e84897f958439300b87e14c578a3

SHA256
e78a091eaa9da580c2c223e1a26fff74ffdc2cb765179b83fbc6f29f6a3aea14

SHA512
d7872d1dd17086aeac254893e9888cb124a024343d071fe151d1084674548caa53eb806590bc1cb11f2baab9869d1e5bb8b6ee08346f9bafe63c979383a5ff64

Download Submit
memory/380-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/572-360-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/604-280-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/604-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-377-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/684-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-381-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/840-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-235-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/856-657-0x00000000778A0000-0x000000007799A000-memory.dmp

Filesize
1000KB

Download
memory/856-656-0x00000000779A0000-0x0000000077ABF000-memory.dmp

Filesize
1.1MB

Download
memory/1044-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-87-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1044-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-217-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1388-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1424-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-505-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1512-292-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1512-293-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1568-321-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1568-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-325-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1612-527-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1612-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-525-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1740-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-262-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1916-435-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1916-436-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1916-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-256-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2172-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-514-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2268-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-492-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2276-482-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-303-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2404-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-465-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2404-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2404-169-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2432-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-470-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2432-471-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2448-192-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2448-494-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2448-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-447-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2584-448-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2608-392-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2608-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-413-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2656-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-357-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2680-348-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-61-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2708-370-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2708-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-139-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2716-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-34-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2864-358-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2868-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2868-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2872-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-337-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2936-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-310-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2936-314-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3068-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-424-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads