berbew | 1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
Size

128KB
MD5

f10f7b87a3c2c5e9121aa4c638156940
SHA1

b012f82c75f6f84f3e76287d7483e753637c994e
SHA256

1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4
SHA512

417822fa006822c3891dee500fd93adafbd70dcacb3ae4d2ced2455b65bd3c486f0025368ee47413f812ebf2cda682f2338b40b4494e9baa3e3a8d2c3dea65c5
SSDEEP

3072:oZGJEXy7CmUCgFReCUIyuEE/ZqiJzGYJpD9r8XxrYnQ0:EfXvCs7EEAipGyZ6Yl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmlcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oemgplgo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neknki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkcbnanl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neknki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olebgfao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahgofi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmlcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiffkkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgfjhcge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omioekbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkcbnanl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oippjl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoojnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nabopjmj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Padhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhjlli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cebeem32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 59 IoCs

pid	Process
532	Nnmlcp32.exe
2140	Nefdpjkl.exe
2640	Ngealejo.exe
3012	Neknki32.exe
1928	Nabopjmj.exe
1032	Omioekbo.exe
2548	Oippjl32.exe
2148	Obhdcanc.exe
2760	Oplelf32.exe
1636	Oidiekdn.exe
1392	Oiffkkbk.exe
1336	Olebgfao.exe
2976	Oemgplgo.exe
2384	Padhdm32.exe
2492	Pljlbf32.exe
1484	Pebpkk32.exe
2952	Paiaplin.exe
1324	Pgfjhcge.exe
1564	Pidfdofi.exe
580	Pkcbnanl.exe
2208	Qgjccb32.exe
3060	Qndkpmkm.exe
1056	Qpbglhjq.exe
784	Qcachc32.exe
1796	Apedah32.exe
1952	Accqnc32.exe
2244	Acfmcc32.exe
2852	Afdiondb.exe
2204	Akabgebj.exe
2736	Ahebaiac.exe
2524	Aoojnc32.exe
2224	Aficjnpm.exe
2360	Ahgofi32.exe
1620	Bhjlli32.exe
2836	Bnfddp32.exe
2356	Bgoime32.exe
2872	Bniajoic.exe
2920	Bgaebe32.exe
2924	Boljgg32.exe
804	Bieopm32.exe
1828	Bmpkqklh.exe
1696	Bjdkjpkb.exe
1540	Coacbfii.exe
2432	Cfkloq32.exe
348	Ckhdggom.exe
344	Cfmhdpnc.exe
1488	Cileqlmg.exe
1516	Ckjamgmk.exe
1304	Cebeem32.exe
2808	Ckmnbg32.exe
2688	Cnkjnb32.exe
2860	Caifjn32.exe
2916	Cchbgi32.exe
976	Clojhf32.exe
1596	Cmpgpond.exe
376	Ccjoli32.exe
2768	Cfhkhd32.exe
2972	Dmbcen32.exe
2080	Dpapaj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
532	Nnmlcp32.exe
532	Nnmlcp32.exe
2140	Nefdpjkl.exe
2140	Nefdpjkl.exe
2640	Ngealejo.exe
2640	Ngealejo.exe
3012	Neknki32.exe
3012	Neknki32.exe
1928	Nabopjmj.exe
1928	Nabopjmj.exe
1032	Omioekbo.exe
1032	Omioekbo.exe
2548	Oippjl32.exe
2548	Oippjl32.exe
2148	Obhdcanc.exe
2148	Obhdcanc.exe
2760	Oplelf32.exe
2760	Oplelf32.exe
1636	Oidiekdn.exe
1636	Oidiekdn.exe
1392	Oiffkkbk.exe
1392	Oiffkkbk.exe
1336	Olebgfao.exe
1336	Olebgfao.exe
2976	Oemgplgo.exe
2976	Oemgplgo.exe
2384	Padhdm32.exe
2384	Padhdm32.exe
2492	Pljlbf32.exe
2492	Pljlbf32.exe
1484	Pebpkk32.exe
1484	Pebpkk32.exe
2952	Paiaplin.exe
2952	Paiaplin.exe
1324	Pgfjhcge.exe
1324	Pgfjhcge.exe
1564	Pidfdofi.exe
1564	Pidfdofi.exe
580	Pkcbnanl.exe
580	Pkcbnanl.exe
2208	Qgjccb32.exe
2208	Qgjccb32.exe
3060	Qndkpmkm.exe
3060	Qndkpmkm.exe
1056	Qpbglhjq.exe
1056	Qpbglhjq.exe
784	Qcachc32.exe
784	Qcachc32.exe
1796	Apedah32.exe
1796	Apedah32.exe
1952	Accqnc32.exe
1952	Accqnc32.exe
2244	Acfmcc32.exe
2244	Acfmcc32.exe
2852	Afdiondb.exe
2852	Afdiondb.exe
2204	Akabgebj.exe
2204	Akabgebj.exe
2736	Ahebaiac.exe
2736	Ahebaiac.exe
2524	Aoojnc32.exe
2524	Aoojnc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Naejdn32.dll	Neknki32.exe
File created	C:\Windows\SysWOW64\Olebgfao.exe	Oiffkkbk.exe
File opened for modification	C:\Windows\SysWOW64\Padhdm32.exe	Oemgplgo.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pgfjhcge.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qcachc32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Paiaplin.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Pfqgfg32.dll	Qgjccb32.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Jendoajo.dll	Akabgebj.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Ahgofi32.exe	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Oippjl32.exe	Omioekbo.exe
File created	C:\Windows\SysWOW64\Pqbolhmg.dll	Oplelf32.exe
File created	C:\Windows\SysWOW64\Padhdm32.exe	Oemgplgo.exe
File opened for modification	C:\Windows\SysWOW64\Qgjccb32.exe	Pkcbnanl.exe
File created	C:\Windows\SysWOW64\Dfqnol32.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Obhdcanc.exe	Oippjl32.exe
File created	C:\Windows\SysWOW64\Qgjccb32.exe	Pkcbnanl.exe
File opened for modification	C:\Windows\SysWOW64\Acfmcc32.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Nabopjmj.exe	Neknki32.exe
File created	C:\Windows\SysWOW64\Jfkgbapp.dll	Nabopjmj.exe
File created	C:\Windows\SysWOW64\Paiaplin.exe	Pebpkk32.exe
File created	C:\Windows\SysWOW64\Ckmcef32.dll	Qndkpmkm.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Nnmlcp32.exe	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
File created	C:\Windows\SysWOW64\Qcachc32.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Akabgebj.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Cofdbf32.dll	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Aficjnpm.exe	Aoojnc32.exe
File created	C:\Windows\SysWOW64\Hpqnnmcd.dll	Ahgofi32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Oiffkkbk.exe	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Nfcakjoj.dll	Nefdpjkl.exe
File opened for modification	C:\Windows\SysWOW64\Neknki32.exe	Ngealejo.exe
File created	C:\Windows\SysWOW64\Bbnnnbbh.dll	Oippjl32.exe
File created	C:\Windows\SysWOW64\Oplelf32.exe	Obhdcanc.exe
File created	C:\Windows\SysWOW64\Pljlbf32.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Cebeem32.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Eoobfoke.dll	Aficjnpm.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2980	2080	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahgofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akabgebj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neknki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgjccb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pljlbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnmlcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acfmcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahebaiac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aficjnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjlli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngealejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcachc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pebpkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebeem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obhdcanc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfddp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiffkkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oemgplgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkcbnanl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qndkpmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdpjkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omioekbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paiaplin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nabopjmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olebgfao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoojnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oippjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgfjhcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Neknki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll"	Padhdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aficjnpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll"	Pebpkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Acfmcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicjoa32.dll"	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll"	Pljlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahebaiac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll"	Nnmlcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfkgbapp.dll"	Nabopjmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obhdcanc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oplelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pebpkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oippjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll"	Obhdcanc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgjccb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bnfddp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcakjoj.dll"	Nefdpjkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omioekbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Paiaplin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll"	Oippjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgfjhcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll"	Oplelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acfmcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qndkpmkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akabgebj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibbklamb.dll"	Ahebaiac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nabopjmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 532	1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe	31
PID 1976 wrote to memory of 532	1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe	31
PID 1976 wrote to memory of 532	1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe	31
PID 1976 wrote to memory of 532	1976	1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe	31
PID 532 wrote to memory of 2140	532	Nnmlcp32.exe	32
PID 532 wrote to memory of 2140	532	Nnmlcp32.exe	32
PID 532 wrote to memory of 2140	532	Nnmlcp32.exe	32
PID 532 wrote to memory of 2140	532	Nnmlcp32.exe	32
PID 2140 wrote to memory of 2640	2140	Nefdpjkl.exe	33
PID 2140 wrote to memory of 2640	2140	Nefdpjkl.exe	33
PID 2140 wrote to memory of 2640	2140	Nefdpjkl.exe	33
PID 2140 wrote to memory of 2640	2140	Nefdpjkl.exe	33
PID 2640 wrote to memory of 3012	2640	Ngealejo.exe	34
PID 2640 wrote to memory of 3012	2640	Ngealejo.exe	34
PID 2640 wrote to memory of 3012	2640	Ngealejo.exe	34
PID 2640 wrote to memory of 3012	2640	Ngealejo.exe	34
PID 3012 wrote to memory of 1928	3012	Neknki32.exe	35
PID 3012 wrote to memory of 1928	3012	Neknki32.exe	35
PID 3012 wrote to memory of 1928	3012	Neknki32.exe	35
PID 3012 wrote to memory of 1928	3012	Neknki32.exe	35
PID 1928 wrote to memory of 1032	1928	Nabopjmj.exe	36
PID 1928 wrote to memory of 1032	1928	Nabopjmj.exe	36
PID 1928 wrote to memory of 1032	1928	Nabopjmj.exe	36
PID 1928 wrote to memory of 1032	1928	Nabopjmj.exe	36
PID 1032 wrote to memory of 2548	1032	Omioekbo.exe	37
PID 1032 wrote to memory of 2548	1032	Omioekbo.exe	37
PID 1032 wrote to memory of 2548	1032	Omioekbo.exe	37
PID 1032 wrote to memory of 2548	1032	Omioekbo.exe	37
PID 2548 wrote to memory of 2148	2548	Oippjl32.exe	38
PID 2548 wrote to memory of 2148	2548	Oippjl32.exe	38
PID 2548 wrote to memory of 2148	2548	Oippjl32.exe	38
PID 2548 wrote to memory of 2148	2548	Oippjl32.exe	38
PID 2148 wrote to memory of 2760	2148	Obhdcanc.exe	39
PID 2148 wrote to memory of 2760	2148	Obhdcanc.exe	39
PID 2148 wrote to memory of 2760	2148	Obhdcanc.exe	39
PID 2148 wrote to memory of 2760	2148	Obhdcanc.exe	39
PID 2760 wrote to memory of 1636	2760	Oplelf32.exe	40
PID 2760 wrote to memory of 1636	2760	Oplelf32.exe	40
PID 2760 wrote to memory of 1636	2760	Oplelf32.exe	40
PID 2760 wrote to memory of 1636	2760	Oplelf32.exe	40
PID 1636 wrote to memory of 1392	1636	Oidiekdn.exe	41
PID 1636 wrote to memory of 1392	1636	Oidiekdn.exe	41
PID 1636 wrote to memory of 1392	1636	Oidiekdn.exe	41
PID 1636 wrote to memory of 1392	1636	Oidiekdn.exe	41
PID 1392 wrote to memory of 1336	1392	Oiffkkbk.exe	42
PID 1392 wrote to memory of 1336	1392	Oiffkkbk.exe	42
PID 1392 wrote to memory of 1336	1392	Oiffkkbk.exe	42
PID 1392 wrote to memory of 1336	1392	Oiffkkbk.exe	42
PID 1336 wrote to memory of 2976	1336	Olebgfao.exe	43
PID 1336 wrote to memory of 2976	1336	Olebgfao.exe	43
PID 1336 wrote to memory of 2976	1336	Olebgfao.exe	43
PID 1336 wrote to memory of 2976	1336	Olebgfao.exe	43
PID 2976 wrote to memory of 2384	2976	Oemgplgo.exe	44
PID 2976 wrote to memory of 2384	2976	Oemgplgo.exe	44
PID 2976 wrote to memory of 2384	2976	Oemgplgo.exe	44
PID 2976 wrote to memory of 2384	2976	Oemgplgo.exe	44
PID 2384 wrote to memory of 2492	2384	Padhdm32.exe	45
PID 2384 wrote to memory of 2492	2384	Padhdm32.exe	45
PID 2384 wrote to memory of 2492	2384	Padhdm32.exe	45
PID 2384 wrote to memory of 2492	2384	Padhdm32.exe	45
PID 2492 wrote to memory of 1484	2492	Pljlbf32.exe	46
PID 2492 wrote to memory of 1484	2492	Pljlbf32.exe	46
PID 2492 wrote to memory of 1484	2492	Pljlbf32.exe	46
PID 2492 wrote to memory of 1484	2492	Pljlbf32.exe	46

C:\Users\Admin\AppData\Local\Temp\1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe
"C:\Users\Admin\AppData\Local\Temp\1e9fed35fe3bf0cbd990a8038d89d6d29eae817b795bba76563ae2fdcde0ddc4N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\Nnmlcp32.exe
  C:\Windows\system32\Nnmlcp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\SysWOW64\Nefdpjkl.exe
    C:\Windows\system32\Nefdpjkl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\Ngealejo.exe
      C:\Windows\system32\Ngealejo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Neknki32.exe
        
        C:\Windows\system32\Neknki32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Nabopjmj.exe
        
        C:\Windows\system32\Nabopjmj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Omioekbo.exe
        
        C:\Windows\system32\Omioekbo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Oippjl32.exe
        
        C:\Windows\system32\Oippjl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Obhdcanc.exe
        
        C:\Windows\system32\Obhdcanc.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Oplelf32.exe
        
        C:\Windows\system32\Oplelf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Oiffkkbk.exe
        
        C:\Windows\system32\Oiffkkbk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Olebgfao.exe
        
        C:\Windows\system32\Olebgfao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Oemgplgo.exe
        
        C:\Windows\system32\Oemgplgo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Padhdm32.exe
        
        C:\Windows\system32\Padhdm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Pljlbf32.exe
        
        C:\Windows\system32\Pljlbf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Pebpkk32.exe
        
        C:\Windows\system32\Pebpkk32.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Paiaplin.exe
        
        C:\Windows\system32\Paiaplin.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Pgfjhcge.exe
        
        C:\Windows\system32\Pgfjhcge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Pkcbnanl.exe
        
        C:\Windows\system32\Pkcbnanl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\Qgjccb32.exe
        
        C:\Windows\system32\Qgjccb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Qndkpmkm.exe
        
        C:\Windows\system32\Qndkpmkm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Qcachc32.exe
        
        C:\Windows\system32\Qcachc32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Acfmcc32.exe
        
        C:\Windows\system32\Acfmcc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Akabgebj.exe
        
        C:\Windows\system32\Akabgebj.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Ahebaiac.exe
        
        C:\Windows\system32\Ahebaiac.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Aoojnc32.exe
        
        C:\Windows\system32\Aoojnc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Aficjnpm.exe
        
        C:\Windows\system32\Aficjnpm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Ahgofi32.exe
        
        C:\Windows\system32\Ahgofi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Bhjlli32.exe
        
        C:\Windows\system32\Bhjlli32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Bnfddp32.exe
        
        C:\Windows\system32\Bnfddp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bgoime32.exe
        
        C:\Windows\system32\Bgoime32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Bieopm32.exe
        
        C:\Windows\system32\Bieopm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:344
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 144
        61⤵
        Program crash
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accqnc32.exe

Filesize
128KB

MD5
1925b31ed2120ae78267ea6a6c58c5e8

SHA1
dd70feee9c20993e486196e341adfbefd65e0487

SHA256
41843dffdfb0a79eb4907ffe48eccd2a94279ccefb0d0a444d481edd1f1a6ae5

SHA512
be88a613fd3563864d0c19ad0104c1176f92c3038bb6cba6182f9bf3f8b8500f1ae34ab40e2ebf696eaffbc0f770bec8b08fd9117eba425aa47280a3cbeb3c30

Download Submit
C:\Windows\SysWOW64\Acfmcc32.exe

Filesize
128KB

MD5
dbcc0bfeb6794205b7443fab499bbaec

SHA1
b4b5c5b28bc2332da420f052142c836cea85dffe

SHA256
c7e2c00e414fa5da4f42636f7aa200dceaa5ac726da5258b278e62ab731a518e

SHA512
c5ab70e0e20b56aee755216309c7f6afcee3f74acce11cbbf87ca6afc5c083a0f8d9964b6ed8afd3ff577c8d2ffdd310f8e5a9bfd6fcf78ee61005a05504608c

Download Submit
C:\Windows\SysWOW64\Afdiondb.exe

Filesize
128KB

MD5
d3f97d0a4885f49ccce5ccf7c8a2bf1e

SHA1
ac559467a14b269fc3c06477f8f0e822de622600

SHA256
012b39d7e31c4d8273e4fbf43cdfda51e38635b9e594d006fa51a09183a3d05a

SHA512
77d8142974b02f7c03791bfd138349432bf745d3be44211661a09af7383a759339f43fae08a602efbccaa073c6376e47557fbd346534e71022499a5f208c001b

Download Submit
C:\Windows\SysWOW64\Aficjnpm.exe

Filesize
128KB

MD5
4dbce4c24957f27bd62485a8d3472574

SHA1
f722871a540e6e40e194199061afe8493c5e20d6

SHA256
0335e0c220d2acf51fd671bd87964965cdf7f87bcb70093e05b0211b87b3439e

SHA512
feb6352ae67ed6d95ff4bcba409751ea4f3a55cc16e34fc628bf7454d3a7faec5f2740dbac7831c7bc2a8d7805b9f1d3bfaa3cd5d8d98d7f777ccc4774921e56

Download Submit
C:\Windows\SysWOW64\Ahebaiac.exe

Filesize
128KB

MD5
673fbb8268dc36b453a1d01ad0f5635e

SHA1
21a85fe1f6fdf64db16f6ddd4f3bd690120d7e0e

SHA256
edccb1bb290ab1d590dc3a057b68ee92db5d6c768c5391f81e7e4b879094d211

SHA512
8eeb23cc9bd464641e5d0a8cb20be81e735aeede27dd916e2de6e4301857301843071b2ec7fe5673e7b1aca0f30b9df50e59a4334045e27fc143cbd09c11cef5

Download Submit
C:\Windows\SysWOW64\Ahgofi32.exe

Filesize
128KB

MD5
83baacf3c71c766ddabb5e384aaee450

SHA1
e1ef7c4ed7012bca51ecc067ed93d3dd127efd08

SHA256
0aa83f1535337ee46097c28bee783e7d437edd0fa1527367042830dc3f04c52e

SHA512
00a596d4d9123b730a201f1b41268e43f229a8fb637b5589971799392455cd304ab7cfe3cfe9b657a53b564d588d3994b1b9f42592ad5e4b9a9093e6943e1881

Download Submit
C:\Windows\SysWOW64\Akabgebj.exe

Filesize
128KB

MD5
4f780cdbfcc6f43b57d4182f516abac9

SHA1
4794c704a85e552db43974885a78e74a0efbf453

SHA256
9f27fa3ae34880dbeb58b5866e550bf95e25c8194bdeae66f383cdc4acffa64d

SHA512
ebd93b6f128348a2efd8d5418e1eaa640e20cba11a969c5c0e4c2725d19f41105100ba1881e5d16e59434fd35df19d336e495cab024785e5d0d01f0d2b794828

Download Submit
C:\Windows\SysWOW64\Aoojnc32.exe

Filesize
128KB

MD5
acd057272be57473dda85cd50f03aa45

SHA1
9d5b1d5f395a97f35ddb87330c6bc56179b7539f

SHA256
428cb609eeea997ba074bd13042654ca47bd9fca6d51cb67baf14512ce70bfa7

SHA512
3b2d90e452df8b0eaf7590ea7f09c3f24905b71441cf65eb9fc91875795b5973cd59cd99c43d971fd69e86bb6bdabe00772c044024c7fa4c9c29a66bc74e52ab

Download Submit
C:\Windows\SysWOW64\Apedah32.exe

Filesize
128KB

MD5
5770c2d29ff2ceedabebb5fa600ddc27

SHA1
21b08f389992dbccae21f4377e3ce564ed9d55a7

SHA256
67a7271a808d42cca990857c5e807122f00a73017eb7d3b76c4413d094437ed1

SHA512
a629daf1b64421cb39c99d482ea873f0ecd944cf517dfc72063333ffd225decdda6838f98a4095309972a0877df99381352f0aa0e75ba299f2a455ce1305bef0

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
128KB

MD5
508de38de48e5d37d8339df6c2f13310

SHA1
832f0b9642064131c175d845effde2d49c575bac

SHA256
32da9a7de5036ce042c0b391ab6284b71fa976f770e59f43f3b450d4d89546ee

SHA512
910fb147785c1427f8c939cbba84214c4eeba763f934633235f0c5f4f109de280e96bd7b55efef09996cf2ace1d85b073d084ef72ad6030dc149cdb0b437236a

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
128KB

MD5
6e6e14481d7c94f9b413fc0f1c266356

SHA1
1f9e42596dfd48d7dfc40d2347fc66eceb879d11

SHA256
fa2e0d777f0351311fc6257db3a038e18713a479eade860f9fe180ce5654eb0e

SHA512
6868a35e3dd0c6a0fa620adc4997d0f159f00f1877bbe0458012b4c1fb3b0d96b9c386cb0affca1b323e7dd8f647a87acb7fde5e51d1dcf0443e9662863a0140

Download Submit
C:\Windows\SysWOW64\Bhjlli32.exe

Filesize
128KB

MD5
7687a311382256da88d8d9d04347456a

SHA1
16a18150904781519d3ebecfc74dded71bf84c75

SHA256
e93196df3dd2ff8384cee74dc9ecf255fef3f6d3b3bbcb4457a2a361deccec72

SHA512
fa7087660e23c5c45cd63e1614404d2026b63a50e670f5f6d60ca92044cfda7b54e76f364241164549bb9de0998410d5b76d80d590562c0262b2cff85ab22f38

Download Submit
C:\Windows\SysWOW64\Bieopm32.exe

Filesize
128KB

MD5
e1d4dcb5df8ec961b1460bdf717c312b

SHA1
b2c2a1b4d4201e02eca2936877e8d84488162950

SHA256
3b977ed96114bfd0aab96fe4b208c380ac45bced8fe03598f0f74fb2c9d98774

SHA512
ce4e39c3e1bdc9713cc1a36b4aa3897a50b2cf054f8373641805f8352eb49abbc3270332066b572a5f226c37495f986de7468239ddf2d8d3c5e6cc302855d6a4

Download Submit
C:\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
128KB

MD5
385cf75450ed17f1b7c241f712016ed5

SHA1
68dc412a4d5e9565cf6982b01820b78634119279

SHA256
fabaae62f95aed182e50c0e4c5f6de09c640b4ddbb8d4886b271dea4dd251793

SHA512
3d5f5845de0f8563f5c738678694e1748ae0f8e0552c01b2ee8bebc839ac540aa9715941ea66cbd020bd6e26152c312e59d0b6aa747bc4038d3f00621153b572

Download Submit
C:\Windows\SysWOW64\Bmpkqklh.exe

Filesize
128KB

MD5
85408e066eca8b0e20efba02319c44a7

SHA1
61214d65d82fcfcad14a0a348aa51cd70e4beff2

SHA256
ee2394224a523ad07925f44ee3d7e55f31e7f43d4620e03e54697d5307fdfac1

SHA512
5123e9f88888f03897a43551336bdc56094c49f1d5f54fcaf613446b220911b661d9eb7495a25704ae7c02a8ec5529afc11d77f62dfad988f96311432582a2c2

Download Submit
C:\Windows\SysWOW64\Bnfddp32.exe

Filesize
128KB

MD5
b87275ae84327b74315e7f01e078946f

SHA1
81d98c067b8c8560b951113dc5f9c653cd75c988

SHA256
e22f11788608ac46c0d70604215e5d034e0f975658fd545f2d751c74e2838310

SHA512
a6cc3fcf052784f93571dda4a79f23c70e6968397904ddadbde66910dd460a7207d58b7bc9bb05d5710c62efe722013a97e5556247d8d160b6fa9ffb1b1618bf

Download Submit
C:\Windows\SysWOW64\Bniajoic.exe

Filesize
128KB

MD5
2e1abc713e909bf8cf2e197a0ff3d48b

SHA1
bb0f3397a4cff615db0ca41f1ac7522d790782d0

SHA256
d7bae938ac59d365991e9d1e6be6ccc368c4684fb2c3e51508793bd71e2f0c2e

SHA512
110967a435a015f687c5f6151335229df43a5278adcc32194d08b9f71dadc761e8da16c36bc316604a50c714adb22c18349e0151db7bcee72e33943c607159ea

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
128KB

MD5
963100bbf7ffe2265db06fa17ceddb24

SHA1
bb98a8da4258122c2d448deab149f409afcb7037

SHA256
382535027918e92a78b5db4fc499812b830e1976443f847697b3362a4bf04c43

SHA512
edf19508f924b8e38dc2bf6ecf509bd1fe73d4363fd753926394036d935d74107eb146d7969a6aca1277ccc25eb0ed7201f1c126e9e66e258346691ebcb40a54

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
128KB

MD5
1249baeaff27a0600499e21482fb1400

SHA1
85e2eef6eb7cabb89431b80d9b65a69d8c26f95f

SHA256
e4b26aa07d41d93608679f7fb4316d5b5d1c8bcc43c655a180fdd12a95b653bf

SHA512
59d6e4c683f02fe2ebe3013e253e4a9cb409c8495090c4290eef26b9b19cb842415d394c86644bf44bc7913fcbab88bca5d4e758f919a78bde02a451c16f35b7

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
128KB

MD5
d0d91da56ca5526a9acfb48767f91fcf

SHA1
079821b00747cd6f147e43d45c3756009cd61b24

SHA256
62056ee10eb4b2a79e77a29c7bb9d385203ed37713b5f578d1d87de196cdda47

SHA512
c589772d577525d11ea224b945f8922c194001c1f93d16ac3f1e226b456abbec7daed95e8314c9c826205de082d13621bdfc09e95719a773b438a43d6a748d51

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
128KB

MD5
0c822a547b22d762f1141bc9997b352d

SHA1
05144864537097d94530bd587a387c9cc8185a90

SHA256
4693c080b8630f31b791a5df07371e3af92f2672191c26046b730081f309b261

SHA512
a1e0d05b513903fb102e7187804a754fa760d37a2c0c28f7080a20fa431bc662f6a28d77cb5540577ddd80783e1c38a6363667acf45ff004b2d4bcd46642af36

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
128KB

MD5
da22e6bd2db4cf1899bae6be5f0223c1

SHA1
309feb77f1bd45df2bf99abe0ba6ce558534db0c

SHA256
565a8ab917b5fb4760480263d1eb80c104fdec90f4007417cea8e0265c5f2d8a

SHA512
a64b48155227af4d2ebff2b9bbae6e368307a95b6164744b7fa97f5eb6a3c2cc6064f671a19a6e03fd99ae2ff846480837ce21d433a883ae97e79e2a17100b86

Download Submit
C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
128KB

MD5
505b43a524c186b998ff5d24037a6887

SHA1
5c6ea19a894f93c40ad55d59b8bf860f8d52b26e

SHA256
b2998dcac33a240465e519227a1a2951c5c4551deca889b252ee2b96fd379601

SHA512
c8b362a52ceedac01efafd49605798353b668c10cde33765073351b7be81ecde36c3aad790020317840b3bd8bac62af92705e2f8c0fdb1bcbca5c75d32e63d3b

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
128KB

MD5
c1f205e94fea8abf93742b6ed2533c41

SHA1
3d55e69bd3d99d1aedcf73ef2cc5573d08f3ebae

SHA256
ce18eadf5ba43286a496b23991f03ed74d53b634193e933ea974bb3fefacb205

SHA512
9d14a38644bcf8307c6df4702c83d7cb92770233feacfa60c86082c70ccce8cf183aa7a584b5ec99cbeefbc4da4e911555caa742c2e95b36b491d579e8069ab9

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
128KB

MD5
078c10c89366df51b165c699a5b33236

SHA1
435591f9d25c52e918ec03689eda6abf50b5b626

SHA256
ef8c9e467dd19f8e905f67c72103238b13d7a0de248c4e57adb9e86836805989

SHA512
281007688992de2a4e09825af14d68ade49b8c26ad3a1a543457a5b40601c149d952d042ac270e05b4e417a8ca528229a9c097edb62ac50b1eb1348ee27d2388

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
128KB

MD5
fec7efb8391a6ba6c1c7bf6fa6eb268a

SHA1
379f717901ceff3dd9293eafa20dadd230c0a399

SHA256
0157781d4792b60ccf73dfb16c6d4cae59b23aaf1f73865f567def16fdc99fa4

SHA512
144c0c905ddb5a976d1a3c9aa202b72798ae0980559fbff17aa933c0ee87b3128aa4ef4d98d2c8e4e500e1ebd288071560b5f90c31814e2a95161b4531fd755e

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
128KB

MD5
b265ec3d0b3ebaf4502824005e81cf7a

SHA1
cca44e2b9499dd1d8b7baf90eba3e83fb9dbe707

SHA256
2c5c4fef90411b73a27447a2479dec37536995420a33fb39b42fb0846bb9d174

SHA512
360a91a24b58c0d830ca1cfb4d75dfcc279a7e301efaf8f3ef4361456192ac3d1618c86725c82d9e1e7b15575e16e348b02d099959e3bc34bc98fb75faedc1aa

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
128KB

MD5
bd2f71c2dd0f50924c0be05d0d9f800d

SHA1
cf120357e4817f03eb21e13aa85ae7b9de7e151e

SHA256
d99824b926df7854670694b5dbe645b04ec27b681477f7cd74fa245b5431a60d

SHA512
1fad41d43b7f654bcfe07f649933a71c059654d53afd01d72db09f413cc0aa8f1f8195ec6bb314fa4d28e080e0469d1a57f2dc8ca5409f29ef783de3d48179f7

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
128KB

MD5
5a8cacfdb0bed7621ebfeb63efba0618

SHA1
18e7b165d0bc80f0ab07da6d4ddc3307e3d8c17d

SHA256
f54cb8eaca3ca77184435c2c11804861e6e4c19e9ba5d0d5154f26d81a6d7c76

SHA512
c184c7d370d79a87247ed4b26d641612642d70c3b863ff4c01b5971fc86c03180f1a1d2af6917d0587f97258a1a60d9dbcfd751e71232b0e16c7dcdb0720940a

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
128KB

MD5
ac28eb73d5379b637a4323cd823eaef9

SHA1
8702413bd94903664b5854973ec57ee5a26f3a0f

SHA256
7d336e94cf8d3f1a1661057a42c4fa71c096844688d9ff959932af16c7e5cc8d

SHA512
08e2592a078c3703ec3b68bdc83c75b28696e1dfb3f3d36460c8e7d31b6523f7c171130b8c9f4631f1b8c9854724f5827e46e79b96cd7749f12a41ae9d84caca

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
128KB

MD5
1742eafcf7e7e1e00065d59c2859fb4a

SHA1
b0cd0cc0654576de180259307c7aa61ab8cc96b0

SHA256
78c9abda0ab76e3a48b257dc2fd9eb36baf36c8fde46d04f0fb6d3b06b191e5e

SHA512
3869c619b3c059bccc44832d2370df533d0311d3d74aab4008e4902e61f6c4a6be176b86fca2409462896dfe9d5934f0da06388e1bcb058158484f0217a44635

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
128KB

MD5
7c8ff1773942b36337d2a10d47b3f579

SHA1
d9b5d6b5f83d21168a1ec1ca82d3993ff0c20c4f

SHA256
884639a7508185b7b712cb0b5667f6bf53ab6d78f6ea455c276bbf4ec522b430

SHA512
f47822e349a975bec59bc6ee22883db7a0ae634d18de8d1c913a35b5c2573e2260b791491e804e815a7aac56e14683b3f77ff81edc7f932e95878c87fe71c8c1

Download Submit
C:\Windows\SysWOW64\Coacbfii.exe

Filesize
128KB

MD5
f246ffa939d86d2219930c59e6dbd146

SHA1
ae6672ebec9c43c82b646af2bf33253f224686a8

SHA256
b8010750430e58295b29c99d601166755a01a40edbd9474a3e1a60c97ea77ae1

SHA512
556ab900f275c9d4d1cf525652d77558a4e0e4ef49ed79ae33b670fa565f79dc69980814be879b8fae42952d3c33d4acd4467882bbc4aa135db5e3cb0cdb03e0

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
6c343460e0c1f453f273bcd1da983392

SHA1
966d65b81e1d35c820758418ad752bcdf2a22915

SHA256
e251c231132958fbd40282a5a1fc7083bfa80c617c855abb5163f8a61ff31215

SHA512
c53cbe6fcfd4d8c5a3e057b75c77a68da49876716fffd57818ed88b49ab1a8d96ac648b0c4a5762d6ab4eb9a8184e958422a662305e8b188383a789f6bbc4c5a

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
4849df977dff54e3f49e189cbd6ac6ca

SHA1
a6e6ea1a0e83a87b6c6f2068685eb693212c0e93

SHA256
9d58d756a985b91e93ead38596be13508ddf8b4a68d7c9526f2dde205d391ff0

SHA512
e87949d46f5954f830bb02d3fd2f3dcd87e23977a1022eec746386b3ab9136dc8a01bf658ac6dec289f7775b2d958fc975d48e10fd2d898a4f1becc59efbb429

Download Submit
C:\Windows\SysWOW64\Naejdn32.dll

Filesize
7KB

MD5
c7fa987e2b81942f6969fbe7632e98a4

SHA1
69222b456de94a18424ee4985f3c1bef01b40d27

SHA256
beb2940b1acc10cc242236864966883452a668088ae69fedd8c9f564c5e4fc05

SHA512
e4b1c846576643baae15cf651c97a65961e8cb1bce1e274e784c87ba4dd6223ce6b63f53ac7d09d9fabbb32911133dc9e3ac5f2d32a39da1c7f662c2eeba7e07

Download Submit
C:\Windows\SysWOW64\Nefdpjkl.exe

Filesize
128KB

MD5
51a43b3bd1a5c5daafb1b40d70f61cb5

SHA1
14be8f6bcca9daa69ace07dab0cb441a07407696

SHA256
680c4fd7abde32c8cef4699573b7e41141892a719acf02ad7a87960bd760f066

SHA512
5a2113b415dc6073e8b5f6f75cbff937ac8f9858173f178194b7deea646e199ce3c02d2df2ebd70f3b3853529698ce71de70ff7a4b6d4a380f2e4a1341b0298b

Download Submit
C:\Windows\SysWOW64\Olebgfao.exe

Filesize
128KB

MD5
de17ba618832e5a599d3a2606ef6d80f

SHA1
94a965fffe3987f6455f4b31ac4d232d8d50eb7b

SHA256
6f4c5c0c00ac58ca2437704b9c6c9448d008b5b660ff31fbf1d9c87b3d0518c7

SHA512
a5e2de5041beefecdf3678db6aef34fe44de2fd1a9a8898f3921789e68ca319ac816ff6c5462e4de0b7a44474242045e77961e6b87ffb2e0b740b4c5becb94d4

Download Submit
C:\Windows\SysWOW64\Omioekbo.exe

Filesize
128KB

MD5
7cf1b35a811f7bc353155d7898aa38b5

SHA1
e9caca217dc3da8390f073af507e72ac8fc01ed2

SHA256
c8f1d0343cdd8c0793583de1d8a49022c695892f15ab613a0ffe91d47bf3197e

SHA512
d153a566c151be400806cf9e7c6c4b25530ccfbdc268d8a4f51d7eda83d9a6a215fce5e23a616033954cf49a7147b340b0c828205fe8d85a70e5a9b008ff8189

Download Submit
C:\Windows\SysWOW64\Paiaplin.exe

Filesize
128KB

MD5
8b8c5cd70600afcd01b38702f65e3f1b

SHA1
801aecb2bdc45f9879412f9de779ce76473860cc

SHA256
820b88b0b8afe518d08cbf374447e1306d4459311c7a72b0e4c2e96541fca327

SHA512
6c2175974bc0a5df391fd4f17607696e0da8aef88ef7a89cef1c928fbf7dc7eb3d349642da599cd079e1e748ddf0896840902ff3b9e255f1d1a9eda93cfc28d8

Download Submit
C:\Windows\SysWOW64\Pgfjhcge.exe

Filesize
128KB

MD5
183a3f7d6d87ef9b8bcd10876731259f

SHA1
16be845b0d85b834179a0add2dbf316b3737fc1f

SHA256
ffcb2e30e8185f6e522393bc920dbeef630ff9fd81dc6a96413b72dac2104b9d

SHA512
66467813bd121c3e3ba5d225566078f8baa22db0cd881c3c4fd843ff2f147fcff2e0bdb07c77e308aee212f292be596fce4881caf25bbe9235a1bea60b3adbc6

Download Submit
C:\Windows\SysWOW64\Pidfdofi.exe

Filesize
128KB

MD5
31cc311fdc8110b8a1b7b8ef14fe981a

SHA1
4c852e368c2461de1a9146a0e2161f4bfe90e4e0

SHA256
70b4a77332b30190e52d038a9f0c59f5a48372add0501613012e105bd395baec

SHA512
a2fc2dcac79935569d4a83e67faa2a38c721ee93eddad5fb3f786ab16e0b3b1c7daca64fa3c481ee1c25a61372774fc708b5b9a225e7f4f217fb731e78715283

Download Submit
C:\Windows\SysWOW64\Pkcbnanl.exe

Filesize
128KB

MD5
f2c4d5c58591ff8aff270e1f4c225023

SHA1
aac5a912e3db40fe4a907eb93adf51308e19caaf

SHA256
4a0fc08afb010337410fa58047753a9ffd5623f354e7cc774dfce4ef27a20416

SHA512
ffd2536e9a8e203defa260e7e0997f9dfd954c76b30013ecb82574473241a09c059035a8ed3bffdd12cd312ec806329e827e21500b2cf018765d2839f9e757ba

Download Submit
C:\Windows\SysWOW64\Qcachc32.exe

Filesize
128KB

MD5
54f343d2b5956e738a69faa87b20fc5e

SHA1
0f0eb47e78527a24e78be827b7fe51dabc2288d7

SHA256
60f76fee956641129ed0c7e1f656a531dcd92e343b2e5d1493b9172ed881b1de

SHA512
036a264f4b426dc3817e205bbc0222161a4111266e9023d134a5ea427c08e24c9f3b1f54b76235abaccbd449659d1e387421153bf9cc60065b51420db8e85225

Download Submit
C:\Windows\SysWOW64\Qgjccb32.exe

Filesize
128KB

MD5
e07dc0a6c9d92685daad94091b88a07c

SHA1
2c966e4c77c73c056438e9be769540661c8c2c35

SHA256
a2be116819972a6d3e964de2208ada8de30e6c44f7f10d2b1b3edccfe90f7f1c

SHA512
c18cb2a8d0a12c19468f9855260e787d0fe3ad861f28ce397e5178ae183de3975423f05693d95e1d6bea8d9b0f02d8255dea1525c775a49d77548c33f9e7e98f

Download Submit
C:\Windows\SysWOW64\Qndkpmkm.exe

Filesize
128KB

MD5
609ffa66db139e466a739bb319b39c28

SHA1
96a6a7364960e344ca376eec25e567a164885e8d

SHA256
970804661d08a3440b6d63c5105fa3c0232d9530110cf1005311d0a419c29793

SHA512
aae1d0efd69c381bd3890e0dcdcce03b37ebb7150dd714e764bb8204ce954b6cb3631977a4ebe0ee1ba3d116c3b8d386d02b5340fbed6c1f75d57b08b7de3cbb

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
128KB

MD5
b64e605af9a0b8b4eda8e2c5e8e75d4d

SHA1
88ee1a9008ec38e24109359231082be1158fd5d3

SHA256
f4e3495d3210bdcfba7a9d0b9a4bfbf3146704706a6d19c49c5a09237059b0a3

SHA512
886b44c108227d59b732a2a9f9a11f13c1eb939314fb0d6e49ea2d35ed6c6fe152ee7de3f0a4aa5d2bf68adc27eff15e5a1c3cd60accc57a75a92a6175ad4644

Download Submit
\Windows\SysWOW64\Nabopjmj.exe

Filesize
128KB

MD5
df7a493e8a8ce8e34d50adf9fc172203

SHA1
2d95fc385a8d687493623e10b67bcd08dbbe2f00

SHA256
cf391c14ecaaf398fc146c1f930f00d3cb3e20dc8f834bd26ebd1db458890d7b

SHA512
699daf62b536252e82e56d9cbf3a5e300174f6b2010f2f2aae01c696c7253bf4d8295596ae7b23105b43d6a2afe2c0348cddbe1244d9ecbde6eafd71d03aa2d1

Download Submit
\Windows\SysWOW64\Neknki32.exe

Filesize
128KB

MD5
860bcc30957b2544015a2e12bfafb73f

SHA1
67ece0baec8a19417383df4583cd44ec262208b5

SHA256
838753c9a8120b3a3a6fbe1975ae9b3cd1563750eb5fb89908cae022555aa842

SHA512
c54ac7cea512bcd676d47f2451718b20365fdc01b20c37587e8f2bfb91a57506ee96f05352e23fed808439800283577f440dcab8d7dadc3fcc1b7e7329beea9c

Download Submit
\Windows\SysWOW64\Ngealejo.exe

Filesize
128KB

MD5
f2a1a752a8a6e87401a92eab43bc4699

SHA1
267f070fbf15ab93ebfddaa73a233e9105372d10

SHA256
88e67b16b3b64813b02a33c31dbde539d029aafd7d1d2f7dfb12bb070dee29e6

SHA512
824ebf474ecef7c52177571e47ccaf639b17871ee0c8f884558dc9d6bee560f31ff153e7f97354727c1a3b1f134dedec7317001e35673b961adfc43fc4bd637b

Download Submit
\Windows\SysWOW64\Nnmlcp32.exe

Filesize
128KB

MD5
bdfc3a2ecd4c53490efffc61703b87ac

SHA1
e4574019d20e1a1edff34109e0e8d91976753f1d

SHA256
b4b9ea0226feb79ec0692338762bf2ac5278dc65dfc1ef6ddfb3d247d7300613

SHA512
1d1ce580e1edce3b22d9f76d4e3ef9c3300676df445c3a3861b375dce8a3098d64afe4fcb879d8ff66f7fb57675f1e4736b36903d5463e5258e13510997a8676

Download Submit
\Windows\SysWOW64\Obhdcanc.exe

Filesize
128KB

MD5
b06b92f34867b26fc12d4e1259864e34

SHA1
bf27c42990924221ed5874a5674c270d9339ce45

SHA256
5e32213b6912b42d3d61fce2d25987848326a660ede8d9d1148f1269677666c8

SHA512
eaf2fed38f4c4db6d648c47362c54fcbab233a41648b93ce51c32c5744722e2e3b0f9f7efebea11fa3c1580956dc02d7607b4cf33e6f2531ef80897b5d14496c

Download Submit
\Windows\SysWOW64\Oemgplgo.exe

Filesize
128KB

MD5
c48217ece4cc5affbbcdd2aee50f87be

SHA1
7c417c93783340bc63bb58d892171a230fe5d6bd

SHA256
34a00dc38f1c0b2ae8fdcf985fbc0a32e45408d0a73ede6d2be227c72261b902

SHA512
f0b6ad7e92ae09c29723d7d065321755b6bbf7658ecfda9e2f6f02342ec68d60c2d099796c43db17714afe3f773cc963941c825df15b05cfa7f31617911bf105

Download Submit
\Windows\SysWOW64\Oidiekdn.exe

Filesize
128KB

MD5
db0eb2ad79c91c0f272af1de513745c8

SHA1
5e7b5545d47125edec34e2a80fce67ff8dde40db

SHA256
9a6f5d0905ce113d57ef91f19bce241a2fd6f6c572f6321ae34cd24d8798611a

SHA512
83cd6b53754b6a751ed179b68922fc04a11cfb59c7101b1758e06770e1084fb7ec2ae9e9cf0915e83a7a551b55d2716ef9960b03a6824bb4d62ae0149c9ac90f

Download Submit
\Windows\SysWOW64\Oiffkkbk.exe

Filesize
128KB

MD5
aabae90f1d63916dc7c23da782ac3995

SHA1
6b31513cdd08bd14958a21658fe914093793e485

SHA256
403964ddf388928aa899c9f5913a17655821da8b6ba317cb7be72b906b06790c

SHA512
324c8bdd50970e88c9486d3fa9fa1e0109f5e21e6e044c7df930fb01ddf1b5e611a4519133bad0b05f00b5276ce7be84f925192f705d8fa37f9c397b8275d7ba

Download Submit
\Windows\SysWOW64\Oippjl32.exe

Filesize
128KB

MD5
b267bf63eacfb326e8afea8c5e9e0e44

SHA1
9460210f3d0f57e5df99d41b635481124e6912ed

SHA256
61c9ebb5ecfbd7584867ff772d53bb05c9f88e7fdd6097d17a52d3fa3026f093

SHA512
758aadc31592fd9a660f480d80c6a58d7e770ffb3d503c455bc530bf4bbef166bc55a0a8c60239452cfa2f6ac3a483dbb8ed917e1367551e9ca8fb86b43158f0

Download Submit
\Windows\SysWOW64\Oplelf32.exe

Filesize
128KB

MD5
661749cf0c3371e8a7a39701f4ac51ca

SHA1
5add785d2a6eec7f32ae7f82dd719d1f6351ae45

SHA256
9cf7a8a4f301069e8a050db011fd0c47d6a485d46da67c32fb959a81be3bd939

SHA512
09dc7f66fb7a315519536ecc152335ea7b8c1b5691de28263bdc569b01e232b974ac2cef986a767486b54fa2c3382fef181fa8e4975396a579f07cdc63be078b

Download Submit
\Windows\SysWOW64\Padhdm32.exe

Filesize
128KB

MD5
62904d95b59af4b5ed5da3e2ae4cbbe8

SHA1
4a8d044f77ff53c0e2b4278811cffbab3896c9ac

SHA256
12c8b546349d133fe27193b9f86c0b3a3aa5820926ab6814913f431fc93d4067

SHA512
14a1be49fd49b17353f46b91367dec292815e55c25501745b55e043c72d017d53e00f54fc88124ac868fa8be5e04cfee8cf7383d743d714eb1587281db0714f3

Download Submit
\Windows\SysWOW64\Pebpkk32.exe

Filesize
128KB

MD5
31bf4eaf5be30743ed3f0adcfee93d4b

SHA1
16a0b4e330365c8431ee5d3741d2deffa871baaa

SHA256
c670de3e836c70f5ad1ed67e86cc4131f3cf544b2d32790a82ab57f0b82c4dcb

SHA512
0f68d6b154d564d306a8602a1da30c8e62661b4fe272fa37bc620b9f963cb5bba045c98feb2ec46af1f34d1914bd41447557dbfb5fd127e0ff1abe67cdac1347

Download Submit
\Windows\SysWOW64\Pljlbf32.exe

Filesize
128KB

MD5
b71c921c7e367b8b295c4b020973602b

SHA1
d6c15e7e4029f302eb9e7cde17e5c28b45e96780

SHA256
0850375340fc4ca825e6b779a21d2df83f8ad77965ae3db419e20e272d2bdcd9

SHA512
647aa4f7ecbff4a8b0caa68fc5430eabaa6ab3f4626bec2ee95df62b9379d8d572fa18e2150fc4e839f351c490c7706c46c4a42f95f93549f544b27a882f3546

Download Submit
memory/532-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-263-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/784-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-303-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/784-302-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/804-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1032-89-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1032-423-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1056-292-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1056-291-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1056-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1324-239-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/1324-244-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/1336-490-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1336-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-170-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1336-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-161-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1392-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-224-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1540-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-251-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1620-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-474-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1636-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-146-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1696-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-313-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1796-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-314-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1828-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-491-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1928-79-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1928-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-403-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1952-325-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1952-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-324-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1976-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-13-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1976-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-12-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2140-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-366-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2140-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-35-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2148-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-114-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2204-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-336-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/2244-335-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/2356-434-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2356-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2384-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-384-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2548-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-379-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2640-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-48-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2736-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-132-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2760-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-348-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2852-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-349-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2872-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-446-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2872-445-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2920-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-454-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2924-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-468-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2952-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-234-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2976-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-392-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-65-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3012-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-281-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads