berbew | 20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
Size

51KB
MD5

d7726a93e1b58127994d74020b982548
SHA1

a2cfeab6e44d7de9510e0d0f681cc7ff1269d6cb
SHA256

20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade
SHA512

02b79c89525463a1f8f3183611056279fc18ae46c69a88f6cc82db7fb9cb1e4cc249e3475443add6e92437a4171f108af2d39dca03f881e8612677c05747ec72
SSDEEP

1536:VHpVHTQzlj3YsmYJSfD8Zvr9xe93a5DAvoNUzB:9HQNFmYJyDwxe1y5Nu

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agfgqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npccpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocalkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokieo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkkmqnck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oappcfmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oappcfmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgbafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 55 IoCs

pid	Process
2872	Nhaikn32.exe
2864	Nmnace32.exe
2844	Niebhf32.exe
2708	Ncmfqkdj.exe
1980	Npagjpcd.exe
904	Nenobfak.exe
2180	Npccpo32.exe
2772	Neplhf32.exe
2540	Nkmdpm32.exe
2992	Odeiibdq.exe
1160	Ookmfk32.exe
2156	Onpjghhn.exe
2204	Oalfhf32.exe
2228	Oancnfoe.exe
1140	Ogkkfmml.exe
448	Oappcfmb.exe
692	Ocalkn32.exe
1364	Pngphgbf.exe
1540	Pmjqcc32.exe
1744	Pgpeal32.exe
1708	Pokieo32.exe
1432	Pgbafl32.exe
2396	Pjpnbg32.exe
1512	Pomfkndo.exe
1368	Pbkbgjcc.exe
856	Piekcd32.exe
2260	Pmccjbaf.exe
3036	Qflhbhgg.exe
2724	Qkhpkoen.exe
2680	Qodlkm32.exe
572	Qkkmqnck.exe
264	Akmjfn32.exe
1788	Anlfbi32.exe
1700	Aajbne32.exe
2096	Annbhi32.exe
2208	Agfgqo32.exe
2512	Aigchgkh.exe
2432	Ajgpbj32.exe
2060	Alhmjbhj.exe
2308	Bilmcf32.exe
1920	Bpfeppop.exe
1132	Bbdallnd.exe
2188	Bnkbam32.exe
1604	Beejng32.exe
2600	Blobjaba.exe
1544	Bbikgk32.exe
1772	Bdkgocpm.exe
1208	Bjdplm32.exe
764	Bejdiffp.exe
2812	Bdmddc32.exe
2212	Bkglameg.exe
2912	Bmeimhdj.exe
2736	Cdoajb32.exe
1248	Cfnmfn32.exe
708	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
2872	Nhaikn32.exe
2872	Nhaikn32.exe
2864	Nmnace32.exe
2864	Nmnace32.exe
2844	Niebhf32.exe
2844	Niebhf32.exe
2708	Ncmfqkdj.exe
2708	Ncmfqkdj.exe
1980	Npagjpcd.exe
1980	Npagjpcd.exe
904	Nenobfak.exe
904	Nenobfak.exe
2180	Npccpo32.exe
2180	Npccpo32.exe
2772	Neplhf32.exe
2772	Neplhf32.exe
2540	Nkmdpm32.exe
2540	Nkmdpm32.exe
2992	Odeiibdq.exe
2992	Odeiibdq.exe
1160	Ookmfk32.exe
1160	Ookmfk32.exe
2156	Onpjghhn.exe
2156	Onpjghhn.exe
2204	Oalfhf32.exe
2204	Oalfhf32.exe
2228	Oancnfoe.exe
2228	Oancnfoe.exe
1140	Ogkkfmml.exe
1140	Ogkkfmml.exe
448	Oappcfmb.exe
448	Oappcfmb.exe
692	Ocalkn32.exe
692	Ocalkn32.exe
1364	Pngphgbf.exe
1364	Pngphgbf.exe
1540	Pmjqcc32.exe
1540	Pmjqcc32.exe
1744	Pgpeal32.exe
1744	Pgpeal32.exe
1708	Pokieo32.exe
1708	Pokieo32.exe
1432	Pgbafl32.exe
1432	Pgbafl32.exe
2396	Pjpnbg32.exe
2396	Pjpnbg32.exe
1512	Pomfkndo.exe
1512	Pomfkndo.exe
1368	Pbkbgjcc.exe
1368	Pbkbgjcc.exe
1584	Pbnoliap.exe
1584	Pbnoliap.exe
2260	Pmccjbaf.exe
2260	Pmccjbaf.exe
3036	Qflhbhgg.exe
3036	Qflhbhgg.exe
2724	Qkhpkoen.exe
2724	Qkhpkoen.exe
2680	Qodlkm32.exe
2680	Qodlkm32.exe
572	Qkkmqnck.exe
572	Qkkmqnck.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Oodajl32.dll	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Igciil32.dll	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Migkgb32.dll	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Ookmfk32.exe	Odeiibdq.exe
File opened for modification	C:\Windows\SysWOW64\Pgbafl32.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	Pmccjbaf.exe
File opened for modification	C:\Windows\SysWOW64\Qkkmqnck.exe	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ogkkfmml.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Pmjqcc32.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Odeiibdq.exe	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Lmpgcm32.dll	Odeiibdq.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Npccpo32.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Pmjqcc32.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aliolp32.dll	Oalfhf32.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Agfgqo32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Agfgqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nmnace32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Agfgqo32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Ookmfk32.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pbkbgjcc.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Niebhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocalkn32.exe	Oappcfmb.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Odeiibdq.exe	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Ocalkn32.exe
File created	C:\Windows\SysWOW64\Pmccjbaf.exe	Pbnoliap.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Ookmfk32.exe	Odeiibdq.exe
File opened for modification	C:\Windows\SysWOW64\Oappcfmb.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Ocalkn32.exe

Program crash 1 IoCs

pid	pid_target	Process
2660	708	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neplhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmccjbaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agfgqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookmfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oappcfmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocalkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npccpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgpeal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalfhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgbafl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qflhbhgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Annbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhppho32.dll"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkkfmml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgpeal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejaekc32.dll"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agfgqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll"	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpgcm32.dll"	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmccjbaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocalkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migkgb32.dll"	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpdbghp.dll"	Pokieo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookmfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anlfbi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2872	2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe	30
PID 2868 wrote to memory of 2872	2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe	30
PID 2868 wrote to memory of 2872	2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe	30
PID 2868 wrote to memory of 2872	2868	20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe	30
PID 2872 wrote to memory of 2864	2872	Nhaikn32.exe	31
PID 2872 wrote to memory of 2864	2872	Nhaikn32.exe	31
PID 2872 wrote to memory of 2864	2872	Nhaikn32.exe	31
PID 2872 wrote to memory of 2864	2872	Nhaikn32.exe	31
PID 2864 wrote to memory of 2844	2864	Nmnace32.exe	32
PID 2864 wrote to memory of 2844	2864	Nmnace32.exe	32
PID 2864 wrote to memory of 2844	2864	Nmnace32.exe	32
PID 2864 wrote to memory of 2844	2864	Nmnace32.exe	32
PID 2844 wrote to memory of 2708	2844	Niebhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Niebhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Niebhf32.exe	33
PID 2844 wrote to memory of 2708	2844	Niebhf32.exe	33
PID 2708 wrote to memory of 1980	2708	Ncmfqkdj.exe	34
PID 2708 wrote to memory of 1980	2708	Ncmfqkdj.exe	34
PID 2708 wrote to memory of 1980	2708	Ncmfqkdj.exe	34
PID 2708 wrote to memory of 1980	2708	Ncmfqkdj.exe	34
PID 1980 wrote to memory of 904	1980	Npagjpcd.exe	35
PID 1980 wrote to memory of 904	1980	Npagjpcd.exe	35
PID 1980 wrote to memory of 904	1980	Npagjpcd.exe	35
PID 1980 wrote to memory of 904	1980	Npagjpcd.exe	35
PID 904 wrote to memory of 2180	904	Nenobfak.exe	36
PID 904 wrote to memory of 2180	904	Nenobfak.exe	36
PID 904 wrote to memory of 2180	904	Nenobfak.exe	36
PID 904 wrote to memory of 2180	904	Nenobfak.exe	36
PID 2180 wrote to memory of 2772	2180	Npccpo32.exe	37
PID 2180 wrote to memory of 2772	2180	Npccpo32.exe	37
PID 2180 wrote to memory of 2772	2180	Npccpo32.exe	37
PID 2180 wrote to memory of 2772	2180	Npccpo32.exe	37
PID 2772 wrote to memory of 2540	2772	Neplhf32.exe	38
PID 2772 wrote to memory of 2540	2772	Neplhf32.exe	38
PID 2772 wrote to memory of 2540	2772	Neplhf32.exe	38
PID 2772 wrote to memory of 2540	2772	Neplhf32.exe	38
PID 2540 wrote to memory of 2992	2540	Nkmdpm32.exe	39
PID 2540 wrote to memory of 2992	2540	Nkmdpm32.exe	39
PID 2540 wrote to memory of 2992	2540	Nkmdpm32.exe	39
PID 2540 wrote to memory of 2992	2540	Nkmdpm32.exe	39
PID 2992 wrote to memory of 1160	2992	Odeiibdq.exe	40
PID 2992 wrote to memory of 1160	2992	Odeiibdq.exe	40
PID 2992 wrote to memory of 1160	2992	Odeiibdq.exe	40
PID 2992 wrote to memory of 1160	2992	Odeiibdq.exe	40
PID 1160 wrote to memory of 2156	1160	Ookmfk32.exe	41
PID 1160 wrote to memory of 2156	1160	Ookmfk32.exe	41
PID 1160 wrote to memory of 2156	1160	Ookmfk32.exe	41
PID 1160 wrote to memory of 2156	1160	Ookmfk32.exe	41
PID 2156 wrote to memory of 2204	2156	Onpjghhn.exe	42
PID 2156 wrote to memory of 2204	2156	Onpjghhn.exe	42
PID 2156 wrote to memory of 2204	2156	Onpjghhn.exe	42
PID 2156 wrote to memory of 2204	2156	Onpjghhn.exe	42
PID 2204 wrote to memory of 2228	2204	Oalfhf32.exe	43
PID 2204 wrote to memory of 2228	2204	Oalfhf32.exe	43
PID 2204 wrote to memory of 2228	2204	Oalfhf32.exe	43
PID 2204 wrote to memory of 2228	2204	Oalfhf32.exe	43
PID 2228 wrote to memory of 1140	2228	Oancnfoe.exe	44
PID 2228 wrote to memory of 1140	2228	Oancnfoe.exe	44
PID 2228 wrote to memory of 1140	2228	Oancnfoe.exe	44
PID 2228 wrote to memory of 1140	2228	Oancnfoe.exe	44
PID 1140 wrote to memory of 448	1140	Ogkkfmml.exe	45
PID 1140 wrote to memory of 448	1140	Ogkkfmml.exe	45
PID 1140 wrote to memory of 448	1140	Ogkkfmml.exe	45
PID 1140 wrote to memory of 448	1140	Ogkkfmml.exe	45

C:\Users\Admin\AppData\Local\Temp\20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe
"C:\Users\Admin\AppData\Local\Temp\20a62706ce2e1dbff1ce8dc3b8ad6c059c38c31ceb1292624bfaedc7f852fade.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\Nhaikn32.exe
  C:\Windows\system32\Nhaikn32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\SysWOW64\Nmnace32.exe
    C:\Windows\system32\Nmnace32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Niebhf32.exe
      C:\Windows\system32\Niebhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\Npccpo32.exe
        
        C:\Windows\system32\Npccpo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Neplhf32.exe
        
        C:\Windows\system32\Neplhf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Nkmdpm32.exe
        
        C:\Windows\system32\Nkmdpm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ookmfk32.exe
        
        C:\Windows\system32\Ookmfk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Oalfhf32.exe
        
        C:\Windows\system32\Oalfhf32.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Oappcfmb.exe
        
        C:\Windows\system32\Oappcfmb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Ocalkn32.exe
        
        C:\Windows\system32\Ocalkn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Pgpeal32.exe
        
        C:\Windows\system32\Pgpeal32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Pgbafl32.exe
        
        C:\Windows\system32\Pgbafl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Pmccjbaf.exe
        
        C:\Windows\system32\Pmccjbaf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Qflhbhgg.exe
        
        C:\Windows\system32\Qflhbhgg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Agfgqo32.exe
        
        C:\Windows\system32\Agfgqo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 140
        58⤵
        Program crash
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
51KB

MD5
f2cd8c6cf51137447f715c4bef9c1c87

SHA1
39201113f201220c5059c47fdad658dd79f8742d

SHA256
2012a7131bc342292ac03a65e4d4e3306add42b310932964a70562a19c0b2fdf

SHA512
2fb7490d9421d6f14f88b8e4401cf803776605e1be4749004713e742439586bbcf416bd29a05cd273313bf4ba6336f151e42ef32545c2d2985cf3434dada28b2

Download Submit
C:\Windows\SysWOW64\Agfgqo32.exe

Filesize
51KB

MD5
d650c880b7c9761f84a7dcb7492d8a8d

SHA1
368a1a507e4da4e731e6c671af377276e29c1a6c

SHA256
d3c672c35305961f110bbc64dad92a033e5d3173f71afd4577b3046e30d7f5aa

SHA512
117e9081f64d9fafeeafdc51cecbc4a134e654f3a209a722a4a52f97c7b2e91c11a8333e046972155495a1ca5cdbcd34a7a55cd830fa2b99dfff790341e2ad0a

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
51KB

MD5
6a564f39304ee330001b514db20f1e19

SHA1
37f24dc352f4775a107c3f8e958d87463af953a5

SHA256
de6b9d5e87103570fd74f644bc52f05286b9981460a319039c1dde5641b0a1ef

SHA512
61ae042762ed89e0ed64ececc7c84b7a82175a56629ff4a5ad476d1cd4d6463c15cdf6176ea67995f6e0676c75cf8118e010f3e114c6bd2f31884024fb3bee64

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
51KB

MD5
33102555914d257fb85f104e269b1d26

SHA1
d1bf09f896d5a29316ad9b0baea07785d7e2583c

SHA256
2b2f958a66bb048b89ddd5390c3ba6d4750c2455131ee848af835126b4b35db6

SHA512
fddc634ddac0998b25b64f81a5cc3d0fb98c2b2421d801e8c72135368aacaf91f35a0aa17d3292cee50a74f31404ebb3e7ad8ad6e00652031c1fb430ae28503b

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
51KB

MD5
2b233c36095ba4aad61ccf0af475f15e

SHA1
618a1142419ead97b91d17480b18072d59b0e1f1

SHA256
2b9081ab3d75872ff29aff497666791ec5da092796a87f9f7b9b4d71a78695c7

SHA512
721decb7d8450caf57b79bf6b7c94c681eb6910dc85f119cfbdbb6efeb0d1d0e31043873b0fed71be2f823b7113fb848793a0ca2dc3844ae1da126e741204b92

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
51KB

MD5
fd45f0c85c1912a2a7012b8607163ce1

SHA1
bfeb24763ef7659db724635d71865dcee2d37fc2

SHA256
182630bcf90a5b4d87159cd27b5d933f23717ef1df59ec4a0284c5a6694d4238

SHA512
ed36275eaeb46893920f3d30efd3f08c23ca65a19965f440393baa9b7b1dc43f8886c08c4f204ad35c44709a451145659f19e0863955cc2bb6925cb591598b4e

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
51KB

MD5
597ba5b414f1c5b92fd8a33b68b51f5e

SHA1
80b09c13b3664ce3db37e8b827e7bbc11ac51ba3

SHA256
4a68251b2613a0722169c3eb358a8b6ad8d78094632484ce83e9b4fe8e871cf2

SHA512
d6557fa0d2a5c8e23b7c535a4c2642b679b094415cf8399d2518bf173fed15d36577e624e868237c6f540f462976bfbfbffa9937e5f6d66806abdbf2b1dde260

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
51KB

MD5
6610f5ed38f12b0312d3ddd61c34fa28

SHA1
0c762a093bafa0603183988c852ef147eb9007ba

SHA256
aa522682241724cb56ed65cfee2b75760c995ad489477c1daf1af8a0af2c85d9

SHA512
64d08991d402f6529ee977e4e6825004a4a87c72f2f7ccb22f589dadcbd603951a56590649f74a4e511aeae568f7934cbe205d9d1a56e2599d6b0aad1caabc93

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
51KB

MD5
440df51fa0d0d535225436f52275e097

SHA1
4d914753c8fa916cc7b5a97769b979925785e7a8

SHA256
bf6d71aaf61a4b53890916a0291f9803224337ecec8d2f3b3b9d9145cd7d7645

SHA512
6f34a8ab83a163aac027a1c00f71646c99130626a1a6b22155e7e36194e7669d734f8195732fabd6118533f2d364153c047cab4d79551783b18a3f463696668f

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
51KB

MD5
b1aa05301ab96b9258dfb6b364d526c0

SHA1
e8420412953d3f4886ac58423088826c8cc68200

SHA256
a23879762706f5909b365522471b0fbac398cc4045113b07df27273e61d9704e

SHA512
cec9a7be748aa1b0b617c814473080a153fdc3ee0885af6f9ea6b870c689b93f40c241d8a1b60446c0a13d77dd7268d722594768bc5d54b6097bce2b71f188e0

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
51KB

MD5
67885efe9c5bab69072da3750f15b4c6

SHA1
911638adeac2f78e75173a1c872aa9b951233454

SHA256
52e66323ea0229630fcf3da785b9c39d53ff52ea136b2f060313f3fe96c18890

SHA512
04f9aee329e4eb62b2d43ab7cf6ba54490630ad55565cd07f5d62083833cbb7e62cbdfae84f953a281c0083401e0642f7ac3041c5e31deec9276ae4f2f8e3d22

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
51KB

MD5
612b20cd173dd3c60f07749aa0bcb74f

SHA1
5593845660342c5bf8ff7292aa6241f0f0fa01e0

SHA256
50fde664c8d2be32ba1a3db473261868c948e4736b612ece96aece00562b1554

SHA512
e2636b0f81b061f411b94a4e34fcc6345dd50791438aad4c3faec1aea8e2fa47e7bf4660056d2f66b8693c3bc13da1696991255ab8d0faebaaf38665db4ac192

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
51KB

MD5
e6643fb509d9fe74645a53b7bbad09d5

SHA1
9776b87f505586df2a69fd092ac19ae010f949c1

SHA256
e6fd3800a7efbceebeb4ec8782c2d3cfa4977663af25c583f508c547f47827fb

SHA512
f08592827dd68242195fcff1f2953fbb1d64ab2e82c9ed03e2d85b43639f8e077d27e8a357fa8615224a69a6d034a178cb47e256f0fac6f795a1ed94fa3af6aa

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
51KB

MD5
e976c1afb388f38aadfe50a7b1e1864a

SHA1
1790d792ad9df67757c3c1df82f94378077dfcc3

SHA256
036a534f2c752bef2c58f6ebb005fcf00c85fc6326a30a721b525eeab043ae5e

SHA512
6c498dced246cc1005b03fbd0f28ac9e81750d1e8090a92c6a4ecd4ae7c8ef589bf7f9c9f878b11dc57a292805d939dbe4089b07adc614ef363041205e4b8cd3

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
51KB

MD5
443b2ba1e0c1d8380a54b75fe4d1aec7

SHA1
37ffe387c860693f80a6e7b7ac41ef5d120ba66f

SHA256
7a2cfeaf91d1c5e0bff647c94df018f7e8293b915f183f78799ab3c5ba935f29

SHA512
baf361bb7cf923a7e0f04add8a80603b31d418dc4219ac50c201d52b6bf7544ea614c1a5d62fe930a55de5bfee0e2b1372d5f69dddffa57d97999cb4547b7ca1

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
51KB

MD5
399fc532b063d3903e2df2752e3bce19

SHA1
de8599cd01cb69d9736754dc6314d8344258a48d

SHA256
c7417280317c1b5e626f9ffc975d11ef1263a80a6b75a38bd043fba5b2a4d198

SHA512
55d86f7396779af74c9577c8393b1e4c6c53555f95ee27beaa8207b3f82f13f42d1bae9b212872b93906a106127b32f27506f0f3a5e3e0a29ebeb7b70b740111

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
51KB

MD5
30a2a1bc047f51a255ca2001bf222d97

SHA1
e63ae3fc36936dfb871da04f542371f932442340

SHA256
3c15bc97ae7147724bea3cd15a10e0c5f2a9645c6dea931a4b71903eabd1ae36

SHA512
5328fab21b032b1510bec7447e707a22fec0a775f4f7c86bdfb0fefcde632844e85ce51fa47f56e3f69901072342b5148e1cb9e8df823797bc17d58ebe8be031

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
51KB

MD5
15350fbc3a7854e8f6537d6f50688771

SHA1
ba87719328eb66ed4e5238395ca8663d322b8f2c

SHA256
4649efc89e52660f79ba2d7951e7bda0d4ae44ebd8e881620a65247468a92333

SHA512
5fd3deed973f1c445c0e5b90dfbd4a210fd456c3eb0c8d36038d99b98818620ed1f3ca604ad42ffdc91ae51b6e53d37ca2dbe344096419dbf1f1879a18f460cb

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
51KB

MD5
50b4f4a4856ed2906f0de976b6adad5a

SHA1
03a2c5ff607cbf8502d579706a0980f105d16d76

SHA256
db24ad77a15aaab731966015f55154eb88dbf74a1273cbd3716cf805790c19b4

SHA512
5bcb30fc811adccbf04a037c1c8c181cecac939f79739d483d78deb1218fd473f636cf0c6833561707d07834058ea994aa07888e182c5496f7355d08c7922c14

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
51KB

MD5
7788bfd8fbf146daa4a228ed80f43a14

SHA1
1c07e7ed5a240a15a0fa270c19ab68881d267a4c

SHA256
c8513f6f93bb911e4e95be19434df01cb75143d7adb28ea1d2fa9a4fcf814a59

SHA512
76a92540e55fb3c54a068730623ff2e7feb175971979c1924b744b257d007bbe62ae7f943e294d5080a2052ef8d1bb9c33e71ce54907285959def0573088a005

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
51KB

MD5
4481c843067e27e740f62c4b98eb9683

SHA1
b178443beb9797756b340c781723cddddd4017a1

SHA256
67113f00d1a337ae5a3c7e92e09faa4bba5f3a26971b7837b71e23b7d4be0732

SHA512
bcd523d9e30a20d1c62694a129030d104a3199c6341f7197f7d8895677bfc4ceb8368a7ae36ba67e89283fb48c9510af3a221f808d81f64e2136c25e31ffc98a

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
51KB

MD5
bd7a49f0e6ba591ae42c68f1fce51459

SHA1
7e1089931e46f45bffb1670038ac43c8ca5c73b7

SHA256
f10f0f6ff3de608f61ffbea5ddd343a96db7afafce213666e2a002a450f654db

SHA512
671a6d7f7181eba41418b66ff4a6eb06e4a562779594b442dd3af55d638588367703076ad26f6963758816c84a54e2a045e7b4f448bdb34ee1e6d602d611384a

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
51KB

MD5
f1937c1913577c035337ff54f4f676f0

SHA1
720f0654af899588a6cc457fd4c8f0750c448dd8

SHA256
82bb4ee7408db476d1be6f9fdd02267a05b2f6db4705d20ba7b6022502723a82

SHA512
3015a12217181b540e2713204e00b55fa592a0be4c30d116f62caab6ec8905d00e62bab1af00ad2881e641d3aae93cbc5074566b921e08b0a8e2bdafb6d02174

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
51KB

MD5
1743af467c34964bf4f7ac98d91058a6

SHA1
089d877bb0ae449f7e79801a9c57dc555448d3ee

SHA256
b043f04a5b9cb10308131041314bb2a86dca6d180ae860e570c64ccb9b2b68dc

SHA512
2cc2928d1ad4c83d8c670b4ee215940422209746fd2ad838c388a81e37f9a78aede23a23306378279850d6db1316ab7aa3aaf814b47df26145cd61b4ab21be87

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
51KB

MD5
e120fc5c274d314744a3fc79da67269b

SHA1
cd275ac82fd9354e33b89462a40f7c4ceb2cf556

SHA256
bc985540fe8d7dbc4318e2fc3757c8c2f6084ed0a15170e03390b46a5531823c

SHA512
a4aac75491e2c64e041ae9d8b5b7d9960a95f501370e136dde37ff72a7316d865e701b081c0ca4034777216818d0151becb7ced9d7b94366e98b626cc7e73b11

Download Submit
C:\Windows\SysWOW64\Ocalkn32.exe

Filesize
51KB

MD5
2f92608e92d495f28bc983ecf0fa65ac

SHA1
91c50f4b3422b7fa13128bc6353900f97aadc22a

SHA256
bda0e57f996c7772aa8e9aa9fa05761114eb4a66332fd4fbec44aa95be300c14

SHA512
df2f8ebe5e079fabadbc7acc7e8ced2591acccce56ade7c2a16ce098477ea9a653047b1d2130868abbb6697cac6f56e2ad137b3b35a01f32f7320ca4dfab1af7

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
51KB

MD5
4b40cc5e6b6e1e117692896025e0bb8a

SHA1
b0db9d869389e1abded314d28327a950cca3e784

SHA256
2de4097a8859260bfde5c46e6752b09a3c78863f99bf3c6ba069a5ba79aa739b

SHA512
87fc70ec4392b0a5045ae0ccaa735dbe479789ddf6c661a939188cfe0c8f31b32e44443dc0f75b41dd82dbbbc3626bde59d0d03f50babc183de18a33d21303fa

Download Submit
C:\Windows\SysWOW64\Pgbafl32.exe

Filesize
51KB

MD5
b5b55f66f260f1265c094a3bf72da92d

SHA1
51226a3b2f78236f9d79b07cd72d8eb0c476e6b1

SHA256
73ae3fe8a3a21f3f1e671d2d26cc3267b28b5578d9aaaa5b63a267560308de1a

SHA512
f84d3b91f73e87f5f3239e7f31d0c3060efba42b01058ee2c9052afea1717d34615c0f0b6915824c6449a404b973cc0401a7d872554a1b096943d373a4aadc66

Download Submit
C:\Windows\SysWOW64\Pgpeal32.exe

Filesize
51KB

MD5
ef8fd89a9b7f9a0f9dcf58a1f195d0cd

SHA1
24875a2e2cd2c4907be92722bae326d678b2c919

SHA256
e332ce1d2230112d451c45c60c050f57a8f72b27ff1241450c502c8a3092d669

SHA512
ece53c65f59d09ee55ab074c82f0f80a18eb8b298da15516d43e64159be70a5a87ed06f48f60024482275d989776860f1c0b3debb85ea1a0bb8f013b4bc06479

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
51KB

MD5
00841ddde1205e5dbb5437b60635a2d6

SHA1
216307792efaef509a5d689544688732c2c6ee86

SHA256
fdd6150b3d83f7a09e1f5fb2a616fe8fdf87f15c821ceb79b032d7f05f4d177a

SHA512
5b446f3ab768eebcba9775bcf7852459873ed6711a352b52777cf3b00c16b06e229b596d45fe37f5328d6837e510146d77087d7d43d72c37470a0d46517ba307

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
51KB

MD5
c2a7173adaa8fd4861c6704388697512

SHA1
f9a8ad7cf189e7a27f13bc241e91b3ac2a3e3e60

SHA256
039a2ddc93472ba157261bb119cd46b51ad8887c7b835778c7e9ec49b424ae82

SHA512
9b2e0fba05eb432f246ec330041782b9b210ffad347466dcf4a413106c9123d989089024d421e72145813a19af8c6c7f9636469e63884b34f0cba295da1799f0

Download Submit
C:\Windows\SysWOW64\Pmccjbaf.exe

Filesize
51KB

MD5
f75b0339a249051d506cca1fe45a0f2b

SHA1
1b3d858fd5e30cbb7f85e785b6911a04208387d2

SHA256
4675108381bd43ea1f2cfd585bc02323f0d45498a92f98a4f8623405dd03f685

SHA512
db7dddf8d8dbe4ca4d319fe828dec8d8df44fa8761d68fbf7e47d67b69de685ac2594fa37c129d16206e79231cbe5b0fa7e0243b6e0803ad1dd2b8af9501d272

Download Submit
C:\Windows\SysWOW64\Pmjqcc32.exe

Filesize
51KB

MD5
6c8405e01a345a156cf253b82edd34da

SHA1
218749dc157e0780f247e076f1d3714d2844dba9

SHA256
c3fd9e7d72a157b3502ac182ca375b9c35e7f9967666f15497838b3dec734a61

SHA512
d4381171ce90395ac4e00f55f84e146b00161c2a4ddc61d82fba9a18cdbcf67e9753e3780b73937cd892fe642791f15aceceb781bd3d58a55c8cef64bb0adf4d

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
51KB

MD5
e51fae41db0e35b768642e5c9e8d7c83

SHA1
bc4bf97e7420041c2e4d59741c9124e6f0a3a78c

SHA256
a2ea8cc015f116920d5c4cf3eeddea7e598d2aa07b335a140998134d29b2db77

SHA512
ff911837769bd93ef00fefeccc85687a0f8fda8e458972765a23a00bdccc70b1b388f00aa1dbf6e34d250e368a34f83cc7cffca32d09218b7594095f78edfdc5

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
51KB

MD5
023c4b70e734261f53ee6889236e4aab

SHA1
47fdb7310878ab2396b6b589ac5ff1823b9884b6

SHA256
b7bd7e29e6ec16fbca01eb26fc6c4826dc68afa8ed2bad7be28aa3da8e5b714c

SHA512
285760db9be0c2af36a2620c4ef0e6f8fb5886bf83d6ee3135036678b73953ed5a8e678aa29a6b790ae9bba629bd4f5ebb3122dc6599121ef7601012d5ffb3fe

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
51KB

MD5
02229881d56102582896fe87f628da12

SHA1
a1287be5b12491496847eb94c7f45c3482e87e79

SHA256
7a87df2a7907712e844aee11ce4cfcef43fec3434923abde3e53a526432fd0e1

SHA512
ee5e75a4a75f4bfeca1cd8d5cc00c513107847ff067128d1134f79680f945ab58ce91b203024c9ac91adc5fd49fa366537a99807a3b3b4f0ce397e6a63d0c70b

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
51KB

MD5
7d03d58ce3a79b204a6003c0c1e84b5b

SHA1
457283950228b998672473927bf2abc9c8c441a2

SHA256
c1302d0383d6aa1d68a899b0c62ac751070a8279362bae765efb41ca1c88394f

SHA512
fcbb3b5f676687e18eea2a063ccf8e140fc508e511d7120cb265ec6cdc48edbf428a87de3c169f883248c064d28c886b7ff1f909f58549136abba4b37c3eed02

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
51KB

MD5
bbd19c7285977c10b675e264c024505d

SHA1
e8d40d00ac372ced8b0761c69637dfed1ac54843

SHA256
7f6f5cb4a82a65843ec0e9246e91b8781959e6ba806eb3155ceb88d3056f1b43

SHA512
f6a813338455660811a2d6c231a34d39e83797f61b0d5a4d50bba77747f5cd3ed95d5fe909e6faefcfc7203f8147c69ba79f69e1c809d0592c1d8cc72035903e

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
51KB

MD5
cfcf92323b5ec37ea807e708bbd22479

SHA1
50c57a468f73ad210dd30ae20b2e79611be9630a

SHA256
66664471edd3bb34445d616726c5efb03bdaaab288333783355d1f78db0625dc

SHA512
8b8223e6d746b39a5dcb2f1fab5f3b42a5232d409ef458a64a189e6a80152b0bf5e5486c0b2ac59f1c7ce1fda9614dc36fb972859f743ebd5b35ac8152ba6fc8

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
51KB

MD5
2cf0d572eb573d7c40e5b7ef2443861c

SHA1
f387c3477c1af9cf914703d61c28591be2915c81

SHA256
ecd0c6597ddc9572b5e5c746cdece3136caa68009bee8c9017e3f1de847ce319

SHA512
c0279d4721d5d4c63f078e93f0eef8a3eb1388689802a77d17009e0fdf18631b3dda4d1ff7ff791f17a356dbaa42656abaa376eedd7e822a91801af7be7cfc42

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
51KB

MD5
95f7ef7fa579e50583b059f09b3222ab

SHA1
94f04e1fe0a62e177cf8a96d759bca56d137d4f4

SHA256
4c991278d4e68e0d5f62a179b65658cc4ae53c977c1cb7945d38885764df7268

SHA512
92b169f668dad41a788e408301fd48733ec57e2d01370f8e4a5036ba6e0b5e0140fdbd7322f381ebe99298206fe86343c88983188ef8758be72a186f60e72aae

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
51KB

MD5
967cf999b4b28ce7fdd646ee0bea76c1

SHA1
13733602ed561c649d3b7607cea6f520f9c02fef

SHA256
79d37d302546f3947e6c11e763e87354c190e77a7ffffc8b961b4abd03d8b272

SHA512
233ad4ffce77bff0ea15ea59c6914d29322fe5aa74451c9b492002b84090df8d84cb6703ade0ebbf179a186ee67fbb579092c6ff358a52df4306bd585604a72e

Download Submit
\Windows\SysWOW64\Neplhf32.exe

Filesize
51KB

MD5
5cf9056a83c64bc86cb887ebc34dc809

SHA1
fbd24885dc78bed10098f837ecae4231865cc41d

SHA256
adde206003b01d377ade17172156d1fe81791fc7f25e4f34d2f1dc84b142f457

SHA512
dbe7fa2afbe3470ec4c57a0626962ec6a32da6f3c185cbeacb58be9adaa40f14b872cd60877a9cea1e595e172da916a74d54e400d9bb4e560600a5c222a3fdbb

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
51KB

MD5
8807cb8f989c9bc17e242241496abc0d

SHA1
e49497a6ef90fe583752a2bd10e8fbed9e10e0f3

SHA256
d64877483f7af925bb2c8481e97a7a4cfaea45e63043a1d7490417606b5857a1

SHA512
52d4be10991d994a962ef74931cabae03f1bf694258657921c1c7660695ebe66572be5ff5dc239789cc7ff60bd2cf9beade48295d0e9c16bf637d8adad9ae880

Download Submit
\Windows\SysWOW64\Nkmdpm32.exe

Filesize
51KB

MD5
8f6c4a7cc3e9971b3a09258c124de8a8

SHA1
fce6fe2502db08f44cd565b81cf9263c1c073602

SHA256
869b13adaf50a52453ce28d338f6b105d6192ca88af09779d0481b05b1255f1a

SHA512
63ccce58fb5f3c46a4d62daf9b71c01d52ecac2ccab941e4a45f3141b0e329bfad4e190d91f2bb80bacd601a1bbc496d8960508c840f3f6a6b67a8eeb920add1

Download Submit
\Windows\SysWOW64\Nmnace32.exe

Filesize
51KB

MD5
a7cee764c28b409d81464311a5c9bef8

SHA1
e8daefd2ad55f31036e1362b392d3b12c72b28b0

SHA256
31a64e68f0a304881f860e9776b90f14492a7f00f894829c077c6791a6727a4a

SHA512
f7ba1d04b4086b902210c6451bcb3afffd55742bd4eca21629b68963ddc51aa592e9df8c8e4944a53b5e65a2d85f4c4f8075515559f3c0b99bab2c2e5199d3e6

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
51KB

MD5
67664332350c2451100bb12083cef235

SHA1
a5ef6cf1c3fbe3c89d5ea2d6b7226f7909543c8c

SHA256
a8138e9ef8fe4dfce7bea0c53e84d5b76d6c63775bac9206f11dcc7fd571b11e

SHA512
598201820aa63a5f9cf29ec6e12fc42b92f3d55cb6ca600190a99e7d189c85f9ec6d47e2bf3cd40dae24f70d6299ebf2557cb54155486794a67e29d000c84dec

Download Submit
\Windows\SysWOW64\Npccpo32.exe

Filesize
51KB

MD5
928a6bd6410516c8e48861b44c405fdd

SHA1
a2093a562555f08e68418f486268691396e0b4cd

SHA256
aa88e9eabb5c03ef3ee4e98318def27a9dc8513854225f63f5a750577d71eca9

SHA512
b741fe74ca8dd0b1342e6668b2e32da6cdcc0f5be9008d55c0b5fa3fa4c03323fab27ef0b9aa1fa007ad8ec655458a2bbc739a648767f0608c2011e5b7e6c92b

Download Submit
\Windows\SysWOW64\Oalfhf32.exe

Filesize
51KB

MD5
b5265d035ed07a18222ed659dc11cabb

SHA1
0853b41189d23c4acbafdd215e76606f37017a0e

SHA256
f8dd5e06565231b983c630f0976e82d67c9ce0af36f272d9ba09e35589917ee7

SHA512
29934c67e9c94a405539488dbd49e5bb7f198c12cb41082a8885fc7a2f4d62ba32249dd4daf525a611c9dbec7cdcd77540421a7baa7d9527f96034cc2141b24f

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
51KB

MD5
31c50be97a8848e40045727719b5456b

SHA1
5a7fde16361fe4340ce2ce5d9898742bd00cd2b4

SHA256
4635406d7f7b9db96fe9b51e65802d34ddb7f1fa355a1d1ea35d7ce735079fc6

SHA512
474b58c9c714aad654de7afa68fe315ac38708e00bedb5040d18b7d5477c5dfcd7fec18dbf81f3c55dfa97d82d5f11933db221e5e0691c685da2813c55e64729

Download Submit
\Windows\SysWOW64\Oappcfmb.exe

Filesize
51KB

MD5
6b0bc12ca66ada1ee800a87ad3561228

SHA1
7aa5480d5214aff9a07977121acae0abef52b073

SHA256
590f61f055e65153751d1c9a6be088088e0ac2dcb3753dd3b87e2baa3cd602f8

SHA512
fdefc5662d9221e236491e91e4506b57bc73965e849c1a95c748f7bc0aeca35bb96286beb44b45d37d53c2ba69c55de3b04f959ffb55c00bde1d51b2e583d66b

Download Submit
\Windows\SysWOW64\Odeiibdq.exe

Filesize
51KB

MD5
262a5afcbba6d39db167f7fc2b9f8d67

SHA1
f48b7962fe1bacae185b723431e7faeb699170b9

SHA256
c9e41ef1fcc8e43d67eae317f1310df38b57f7ea6b238c24f86efe036b01288d

SHA512
d74a46bf6638000febae92da6c15f8c1f08b45245f48ba6d5cdb97e19432f7c4e9a3627f613d3ca7b4a02ba5d49d88ee27e4b65d729720da60d601248e3efd79

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
51KB

MD5
a798048751765d3a097539b48b485d5d

SHA1
c7680ca0ba511755b42cb809407cc3a5ef60b1af

SHA256
8a4a52ab6a4aee6a309589e4f693fc4885a51ddbc94609f2ffbf300ba7d51e5e

SHA512
59eb593465570f5f60eccbd8b11c49e8c5b5c4fd7246bd49d15c5783410a6c4f6ec12946e16acce6d0f2dbdb30d6f233692dab21073376fd9eb42478ae8dcf97

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
51KB

MD5
a083d9ee84f0fc278436d6b9c638188e

SHA1
eebe56cf6f8ca86d7f7c973f48c456a9393f08f7

SHA256
7a1936d073518daac959a5c19f5a515c281582ee8f83bb6d3d5c5bf3a09c6089

SHA512
3ee11284f2663af068bd002263611e07b66c7e99b3785a724208f4d17d8fe1adeb35a8933dc1561ff10b26fddf048fa09f335d2395bda36472ec052c298858ff

Download Submit
\Windows\SysWOW64\Ookmfk32.exe

Filesize
51KB

MD5
ce83c6a3cf9a23a6f8deb91a0765b99c

SHA1
d4a82bcaebc43087cbcbf9d4ca855884705c54bc

SHA256
9a0f6a32ce54b5b8629380aa0e32ef74b190aa7a90bda2ebf9b74a930319184e

SHA512
4b305ba69487bbb5fc79927a462041ada50d1058df9c9056c444f04273ead21e85f5cfd0cd59d9b904f979f733400802f07979dd97779ab2e135f05ceb052116

Download Submit
memory/264-389-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/264-380-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/448-214-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/448-221-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/572-384-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/572-369-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/692-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-689-0x00000000779A0000-0x0000000077ABF000-memory.dmp

Filesize
1.1MB

Download
memory/856-310-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/856-690-0x00000000778A0000-0x000000007799A000-memory.dmp

Filesize
1000KB

Download
memory/856-311-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/856-312-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/904-410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/904-87-0x0000000001F30000-0x0000000001F62000-memory.dmp

Filesize
200KB

Download
memory/1132-499-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1132-505-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/1160-476-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1364-234-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1364-243-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/1368-309-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/1368-308-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/1432-279-0x0000000000290000-0x00000000002C2000-memory.dmp

Filesize
200KB

Download
memory/1432-271-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1512-295-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/1512-299-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/1512-289-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1540-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1540-250-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/1584-317-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1584-322-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/1700-400-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1700-409-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/1744-262-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/1788-388-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1788-395-0x00000000002E0000-0x0000000000312000-memory.dmp

Filesize
200KB

Download
memory/1920-488-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/1920-479-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1920-490-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/1980-399-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1980-75-0x00000000005D0000-0x0000000000602000-memory.dmp

Filesize
200KB

Download
memory/2060-457-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-411-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2096-420-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2156-160-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2156-489-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2156-167-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2156-173-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2180-94-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-429-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2188-500-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2188-511-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2204-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2204-175-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2208-432-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/2208-431-0x0000000000300000-0x0000000000332000-memory.dmp

Filesize
200KB

Download
memory/2208-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-196-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2228-188-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-324-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2308-478-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/2308-477-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/2308-467-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-446-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2432-455-0x0000000001F30000-0x0000000001F62000-memory.dmp

Filesize
200KB

Download
memory/2432-454-0x0000000001F30000-0x0000000001F62000-memory.dmp

Filesize
200KB

Download
memory/2512-440-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/2512-434-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2540-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2540-129-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2540-444-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2680-366-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/2680-357-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2708-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2708-61-0x00000000002F0000-0x0000000000322000-memory.dmp

Filesize
200KB

Download
memory/2724-344-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2724-356-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2724-351-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2772-107-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2772-115-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2772-433-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-367-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2844-48-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2844-53-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2864-355-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2864-35-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/2868-13-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2868-323-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2868-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2868-12-0x0000000000250000-0x0000000000282000-memory.dmp

Filesize
200KB

Download
memory/2872-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2872-21-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2872-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2872-349-0x0000000000280000-0x00000000002B2000-memory.dmp

Filesize
200KB

Download
memory/2992-141-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/2992-456-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2992-466-0x0000000000440000-0x0000000000472000-memory.dmp

Filesize
200KB

Download
memory/3036-343-0x00000000002E0000-0x0000000000312000-memory.dmp

Filesize
200KB

Download
memory/3036-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads