berbew | f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Size

337KB
MD5

8a9e6d4e64909c9096b7003b4e2e344d
SHA1

2b690ba1c59fa12f88666d15812087f6e7ee38ae
SHA256

f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455
SHA512

31c6b6206734c21a1cb0bf970bd0919feece2d45c8b7e1bc5cd8b539910c0e8a541444d5e52d1c92c08b92fdc1fe1481c58e96935fbc3d032eb6b087e9f41778
SSDEEP

3072:OkBHm60oi+GnF6G7gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:XHmPoqF6G71+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdipnqn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaiibg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdjkogm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npccpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Poocpnbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgmdjp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 58 IoCs

pid	Process
2852	Npccpo32.exe
2596	Neplhf32.exe
2588	Ohaeia32.exe
2616	Oaiibg32.exe
344	Okanklik.exe
2672	Oegbheiq.exe
1804	Onbgmg32.exe
2276	Ogkkfmml.exe
1304	Oqcpob32.exe
2640	Ogmhkmki.exe
2268	Pcdipnqn.exe
300	Pnimnfpc.exe
2032	Pfdabino.exe
2388	Pmojocel.exe
2464	Pjbjhgde.exe
1868	Poocpnbm.exe
1744	Pihgic32.exe
1932	Qbplbi32.exe
952	Qgmdjp32.exe
1644	Qngmgjeb.exe
2412	Qqeicede.exe
2956	Qiladcdh.exe
2676	Aniimjbo.exe
2212	Aaheie32.exe
1576	Akmjfn32.exe
2884	Anlfbi32.exe
2816	Aajbne32.exe
2624	Agdjkogm.exe
2220	Amqccfed.exe
2748	Apoooa32.exe
1260	Apalea32.exe
2556	Abphal32.exe
2964	Ajgpbj32.exe
1340	Apdhjq32.exe
2904	Afnagk32.exe
1420	Blkioa32.exe
1800	Bbdallnd.exe
1688	Biojif32.exe
2440	Bphbeplm.exe
1684	Beejng32.exe
2316	Bhdgjb32.exe
1544	Bjbcfn32.exe
880	Balkchpi.exe
2512	Bdkgocpm.exe
960	Boplllob.exe
1816	Bejdiffp.exe
2292	Bhhpeafc.exe
2828	Bkglameg.exe
2792	Bobhal32.exe
2144	Cpceidcn.exe
776	Cdoajb32.exe
528	Cilibi32.exe
1628	Cmgechbh.exe
2264	Cbdnko32.exe
1248	Cgpjlnhh.exe
2804	Clmbddgp.exe
2000	Cbgjqo32.exe
1844	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
2852	Npccpo32.exe
2852	Npccpo32.exe
2596	Neplhf32.exe
2596	Neplhf32.exe
2588	Ohaeia32.exe
2588	Ohaeia32.exe
2616	Oaiibg32.exe
2616	Oaiibg32.exe
344	Okanklik.exe
344	Okanklik.exe
2672	Oegbheiq.exe
2672	Oegbheiq.exe
1804	Onbgmg32.exe
1804	Onbgmg32.exe
2276	Ogkkfmml.exe
2276	Ogkkfmml.exe
1304	Oqcpob32.exe
1304	Oqcpob32.exe
2640	Ogmhkmki.exe
2640	Ogmhkmki.exe
2268	Pcdipnqn.exe
2268	Pcdipnqn.exe
300	Pnimnfpc.exe
300	Pnimnfpc.exe
2032	Pfdabino.exe
2032	Pfdabino.exe
2388	Pmojocel.exe
2388	Pmojocel.exe
2464	Pjbjhgde.exe
2464	Pjbjhgde.exe
1868	Poocpnbm.exe
1868	Poocpnbm.exe
1744	Pihgic32.exe
1744	Pihgic32.exe
1932	Qbplbi32.exe
1932	Qbplbi32.exe
952	Qgmdjp32.exe
952	Qgmdjp32.exe
1644	Qngmgjeb.exe
1644	Qngmgjeb.exe
2412	Qqeicede.exe
2412	Qqeicede.exe
2956	Qiladcdh.exe
2956	Qiladcdh.exe
2676	Aniimjbo.exe
2676	Aniimjbo.exe
2212	Aaheie32.exe
2212	Aaheie32.exe
1576	Akmjfn32.exe
1576	Akmjfn32.exe
2884	Anlfbi32.exe
2884	Anlfbi32.exe
2816	Aajbne32.exe
2816	Aajbne32.exe
2624	Agdjkogm.exe
2624	Agdjkogm.exe
2220	Amqccfed.exe
2220	Amqccfed.exe
2748	Apoooa32.exe
2748	Apoooa32.exe
1260	Apalea32.exe
1260	Apalea32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Agdjkogm.exe	Aajbne32.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Kedakjgc.dll	Onbgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Poocpnbm.exe
File created	C:\Windows\SysWOW64\Doojhgfa.dll	Qbplbi32.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Afnagk32.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkkfmml.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cilibi32.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Poocpnbm.exe	Pjbjhgde.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Agdjkogm.exe
File opened for modification	C:\Windows\SysWOW64\Ajgpbj32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ohaeia32.exe	Neplhf32.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Cmelgapq.dll	Qgmdjp32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bphbeplm.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Jbbpnl32.dll	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Pcdipnqn.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Ogkkfmml.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Apalea32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Npccpo32.exe	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
File created	C:\Windows\SysWOW64\Ogkkfmml.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Aniimjbo.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Bfbdiclb.dll	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Ajgpbj32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bbdallnd.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Hhppho32.dll	Npccpo32.exe
File created	C:\Windows\SysWOW64\Okanklik.exe	Oaiibg32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1952	1844	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdipnqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poocpnbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npccpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkkfmml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgpbj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaeia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgmdjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neplhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegbheiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apoooa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pfdabino.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpbche32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npccpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neplhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcmdd32.dll"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgmdjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Pcdipnqn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajgpbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apalea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajgpbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedakjgc.dll"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkkfmml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oackeakj.dll"	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2852	2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	30
PID 2720 wrote to memory of 2852	2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	30
PID 2720 wrote to memory of 2852	2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	30
PID 2720 wrote to memory of 2852	2720	f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe	30
PID 2852 wrote to memory of 2596	2852	Npccpo32.exe	31
PID 2852 wrote to memory of 2596	2852	Npccpo32.exe	31
PID 2852 wrote to memory of 2596	2852	Npccpo32.exe	31
PID 2852 wrote to memory of 2596	2852	Npccpo32.exe	31
PID 2596 wrote to memory of 2588	2596	Neplhf32.exe	32
PID 2596 wrote to memory of 2588	2596	Neplhf32.exe	32
PID 2596 wrote to memory of 2588	2596	Neplhf32.exe	32
PID 2596 wrote to memory of 2588	2596	Neplhf32.exe	32
PID 2588 wrote to memory of 2616	2588	Ohaeia32.exe	33
PID 2588 wrote to memory of 2616	2588	Ohaeia32.exe	33
PID 2588 wrote to memory of 2616	2588	Ohaeia32.exe	33
PID 2588 wrote to memory of 2616	2588	Ohaeia32.exe	33
PID 2616 wrote to memory of 344	2616	Oaiibg32.exe	34
PID 2616 wrote to memory of 344	2616	Oaiibg32.exe	34
PID 2616 wrote to memory of 344	2616	Oaiibg32.exe	34
PID 2616 wrote to memory of 344	2616	Oaiibg32.exe	34
PID 344 wrote to memory of 2672	344	Okanklik.exe	35
PID 344 wrote to memory of 2672	344	Okanklik.exe	35
PID 344 wrote to memory of 2672	344	Okanklik.exe	35
PID 344 wrote to memory of 2672	344	Okanklik.exe	35
PID 2672 wrote to memory of 1804	2672	Oegbheiq.exe	36
PID 2672 wrote to memory of 1804	2672	Oegbheiq.exe	36
PID 2672 wrote to memory of 1804	2672	Oegbheiq.exe	36
PID 2672 wrote to memory of 1804	2672	Oegbheiq.exe	36
PID 1804 wrote to memory of 2276	1804	Onbgmg32.exe	37
PID 1804 wrote to memory of 2276	1804	Onbgmg32.exe	37
PID 1804 wrote to memory of 2276	1804	Onbgmg32.exe	37
PID 1804 wrote to memory of 2276	1804	Onbgmg32.exe	37
PID 2276 wrote to memory of 1304	2276	Ogkkfmml.exe	38
PID 2276 wrote to memory of 1304	2276	Ogkkfmml.exe	38
PID 2276 wrote to memory of 1304	2276	Ogkkfmml.exe	38
PID 2276 wrote to memory of 1304	2276	Ogkkfmml.exe	38
PID 1304 wrote to memory of 2640	1304	Oqcpob32.exe	39
PID 1304 wrote to memory of 2640	1304	Oqcpob32.exe	39
PID 1304 wrote to memory of 2640	1304	Oqcpob32.exe	39
PID 1304 wrote to memory of 2640	1304	Oqcpob32.exe	39
PID 2640 wrote to memory of 2268	2640	Ogmhkmki.exe	40
PID 2640 wrote to memory of 2268	2640	Ogmhkmki.exe	40
PID 2640 wrote to memory of 2268	2640	Ogmhkmki.exe	40
PID 2640 wrote to memory of 2268	2640	Ogmhkmki.exe	40
PID 2268 wrote to memory of 300	2268	Pcdipnqn.exe	41
PID 2268 wrote to memory of 300	2268	Pcdipnqn.exe	41
PID 2268 wrote to memory of 300	2268	Pcdipnqn.exe	41
PID 2268 wrote to memory of 300	2268	Pcdipnqn.exe	41
PID 300 wrote to memory of 2032	300	Pnimnfpc.exe	42
PID 300 wrote to memory of 2032	300	Pnimnfpc.exe	42
PID 300 wrote to memory of 2032	300	Pnimnfpc.exe	42
PID 300 wrote to memory of 2032	300	Pnimnfpc.exe	42
PID 2032 wrote to memory of 2388	2032	Pfdabino.exe	43
PID 2032 wrote to memory of 2388	2032	Pfdabino.exe	43
PID 2032 wrote to memory of 2388	2032	Pfdabino.exe	43
PID 2032 wrote to memory of 2388	2032	Pfdabino.exe	43
PID 2388 wrote to memory of 2464	2388	Pmojocel.exe	44
PID 2388 wrote to memory of 2464	2388	Pmojocel.exe	44
PID 2388 wrote to memory of 2464	2388	Pmojocel.exe	44
PID 2388 wrote to memory of 2464	2388	Pmojocel.exe	44
PID 2464 wrote to memory of 1868	2464	Pjbjhgde.exe	45
PID 2464 wrote to memory of 1868	2464	Pjbjhgde.exe	45
PID 2464 wrote to memory of 1868	2464	Pjbjhgde.exe	45
PID 2464 wrote to memory of 1868	2464	Pjbjhgde.exe	45

C:\Users\Admin\AppData\Local\Temp\f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe
"C:\Users\Admin\AppData\Local\Temp\f8418608a4638b26ae1d810e02129fccd422aaedd08c762ed93171df5a6c6455.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Npccpo32.exe
  C:\Windows\system32\Npccpo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Neplhf32.exe
    C:\Windows\system32\Neplhf32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Ohaeia32.exe
      C:\Windows\system32\Ohaeia32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\Okanklik.exe
        
        C:\Windows\system32\Okanklik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Ogkkfmml.exe
        
        C:\Windows\system32\Ogkkfmml.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Pcdipnqn.exe
        
        C:\Windows\system32\Pcdipnqn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Poocpnbm.exe
        
        C:\Windows\system32\Poocpnbm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Qgmdjp32.exe
        
        C:\Windows\system32\Qgmdjp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Ajgpbj32.exe
        
        C:\Windows\system32\Ajgpbj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 140
        60⤵
        Program crash
        
        PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
337KB

MD5
8ea5cbaf02b5355137024c588d50ab09

SHA1
9113dbdb013fd80924f0944417a241bad7af6c17

SHA256
4e7791a1390e1afe9c29f2219159b198508925db7713704145257ff89fc9b636

SHA512
a77e1fe2ff7951af375623d7cad154c83e5faca073d45702be47a337639cb56aea96407fba09be90f07a0111dea58e529c050f40408fdc3aa5ee078667422660

Download Submit
C:\Windows\SysWOW64\Aajbne32.exe

Filesize
337KB

MD5
435c1e23506957b147170da59093699e

SHA1
694c3e522a207b3b9552fa0d1cb00e105ce452ac

SHA256
95b2d1b0c22c5ecac72b8463d0baee02a7317d286a865e303e7597a1882af0f4

SHA512
3914442c2dd30fe5832e43f697c23c5e9a3c69216bb295a0e4d47ecd0daf45867e98b6036a8a2d0a01e5e2e694f37654e99a0f07adcdeefb5c3473ae971396c5

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
337KB

MD5
84ead222bf5b78b943330a716ac451a1

SHA1
369eb9bb8c27a9a84fcedfac8a7d60877fbed354

SHA256
4a89efd01eaf445dd752c68f174c22414d379442194e75596b77770818726f09

SHA512
f3ee7834da3ecba00706f84d9ccc456cc8f7df6b506007c0f33db7c51ba87ca8124010c96894c40b9b768c777cdce480bcbc9922a6587b9dcfed459ed9f1afe4

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
337KB

MD5
f162449d04ca797ac1e827902b2659d5

SHA1
0b57f352fb56572e7af07cc9e3a924378d4d818f

SHA256
25809db568c2b38cdc04dac91d810990a8bef718e852c72d06cd9a04696412c3

SHA512
1b239b5f46a4c51d4ea129e46b2fa8673a3622a73feb1006772761f8393aee0112a09d7b5de0d9346df81a8ee2960368e2ed3e736819e866a84e8c79343ca791

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
337KB

MD5
494cebeb1815456eb1b49f48b8d320a2

SHA1
7ba2d348cb5cdcf2e12b10025103d3e367ce7328

SHA256
8eb2c863c40a4989faa9862883637db4a36e7fa7a52d39b1cfa0a654d727e856

SHA512
96d1ff0f4ff8a3810fb929f4702ae7c404d6125f119413c1cdc1c5ffa847771202060f65414398cd1591fcb3499c42ecb43749718cc62d4d0f829539e098ceb5

Download Submit
C:\Windows\SysWOW64\Ajgpbj32.exe

Filesize
337KB

MD5
2d579717a062180ab134f3b434b79640

SHA1
306dc403a3f2d3b6c8f37b469879ddd7a4cd1ad3

SHA256
50de0b11177a751a104e11c3ae9ed255a3206b35bcae26dc94ddcc25b47979b2

SHA512
16f93fa55783c26b99a98848ecbf9c3c42c2417699877835f1c2f050dbe658b8a3a359db46688bf849c632185e53789a6f722651086fd90bbea9d26ee86ce8cf

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
337KB

MD5
05615173584fee8f82d12c9e29b38c6e

SHA1
723fb33633a3c64a6c1057f4b6fc3cba82723f91

SHA256
859525b00902ea208e828185164f13dfbed0563f6e176f059ac259fc4ac3291e

SHA512
de1090939ed38b8a7edc1bc59a4ece16ddd81e4b519d0334262d0de7a5c68d3c677143e55c9a1bc55fb3395c37cb3016b845e1f501822aa0269b1def9ce3d273

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
337KB

MD5
39b41198c2cb81ed84177aabed1b3e10

SHA1
3a67cc4c1445f735f02f77c3643e5ad1c2243e4a

SHA256
1cef213050b0502b5200ae93914aeeca7b8ccfb19d32a26e784105fbf7e09e54

SHA512
5741bdb9dccc5f5253654d4776b9cf114b57e64eff5b68f7d22bac8f60829f3fc9f98ac7c86a11e87515be52862da817e00bc33c9422ef8d9678279888b2d860

Download Submit
C:\Windows\SysWOW64\Aniimjbo.exe

Filesize
337KB

MD5
82e483f364d2b94f12cbf80f17d79b72

SHA1
d8df0a52eb342d2f4422bffe30ce10de5c6f6b02

SHA256
7f163ee9d867ab6394681e91e9f4fe0be58b39e390fa3c6cae194d060f8eaaf8

SHA512
f91f5b833c65644d789ea2243adac905ed56d619f729662a11d7bba5fae730a9f6707a71b8d7310280adfdedb07cd15c63528753c304a2e6893e3538b9be55b9

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
337KB

MD5
a38ee2b0bbf27e54370de82221a83e0b

SHA1
87e3bec6c9e6669d5adb6c4623d69677c80915c0

SHA256
df94b45dcc3bbfcd6fd683c067aff1606b321abbdaea408be6cba5b52379e7f4

SHA512
d9fdcd5381da73e2b7ac42dcd329785db799043345fd3e0b3cdcb59d9494fe16dc44f7c4dd8bf888ade4bf4388de540119e437f2abc30c0808c2a9621f6cfff3

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
337KB

MD5
e6dcf06cfa70fbcc3041c093540e4a05

SHA1
7d6f0f960c88784186de7b0f3d9eaca3d1be4b8a

SHA256
2aab98804315fe6dde378bc80c50067f11346741fb32b3c6c160e05bf0ba3fcb

SHA512
c56b9664ea12f5421bca47e8b9b1ae9589825d18f4ed92001cb1d2bdf4d3db2a79c8d97daaa435820ebf5c1ae200e6fe481169421fd5f1b06e76544ce1136a34

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
337KB

MD5
66c4c76fefb6c59916f783e4a903535e

SHA1
26860e5a4b9b5128671c7a15e9538b31d2572f38

SHA256
908a6feb3c1ac452c3c301b4b0d7a7326ba3e89a720540506a6da9869def7f83

SHA512
369dc367fa4ebaea6c9e7daae6447f31cf11579eb3db7f1d9a0acae0fec98dfa0803f041e93b407a739306058d2632d7e80a6424c3578c9fa774c7d55ab48060

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
337KB

MD5
66ea1f64aa47b66285a80e5aee00a99e

SHA1
d2187e474c579b77cccb2d53fefd755059e3b613

SHA256
b31b61dd95cdf65526dea31d4bb07772b89c98ca125eaa000af60b99bc6a5f70

SHA512
dfda6d3f13940df80f02d7f872aa48ad4169e39ac71141d1af6569073f2713f87b7eeefa8a8e9530d7eb46a726f55f81f985fadaf7133f06df338a4e1aada7f6

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
337KB

MD5
fe15e6de0c6841911d9883afe93c1176

SHA1
6ddbe37a717b7950d650354f871a9f7df39cf7d4

SHA256
0a73d30294bbb12a930c57172c5bd829163c866f6131cffa02098467233ef3c4

SHA512
83c852ac83f5f7ef606fdcb575734d733e6b8f134f2140c386c24651d4e4f82f625a3827f74112c0080d68d5e41f913251d3f372a4edda69d7b59653d30f12b1

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
337KB

MD5
298047ec4385d936cbba993525fc44b8

SHA1
d2d2a86b12d9281f1aa69c6b41ad44e91c8af09f

SHA256
e571d44869e6efaa36fa880656b08fbd1f2ec6ce0bcdafbdee71dcf21732adb2

SHA512
77c0d2cde88a6094afdf3a0a4717b084573c731c4d3e955dc6e8f355dada2b4a11b5c74ddef38d36d4d42199c47a20962a72d88b01c27dda3ce88fd7d21eb6f4

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
337KB

MD5
d80795c03bb005254bccd0f1b4340087

SHA1
9be940f2f529f2343a7379c76b05667ba6c8a786

SHA256
4e0ecace2f350639b82bcf7d5484f948c69ab0710a52c2556b5e2a7f1aadccae

SHA512
e3b787ec2b0fee21400e4606de49891c8c15c8df5f8350e5fc5939613943c600c9e2ae46782019bfd6b7d1d8bc465a4c1d047fb7cc3309433a303265a97f4d2c

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
337KB

MD5
3f4005a6af867e2ad1435b0d89039686

SHA1
48368358995df4159bb658b2b233e7f9c564f7e5

SHA256
8b771c0538140703967615e3acdffb7636b4f74da8c98d3ad3e4c5bc52acd0db

SHA512
008bd584fcd7f6e2af9b828fdb3f553201b1889e967901d2d817c2cabed7b8b8cf0d55edbd5bdf52a1a96d0c1bff72dd5d36e056305431568fa8c649be4fa59e

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
337KB

MD5
cec9db72ef956b76bbc4e4d5ffe20b37

SHA1
991a619dd551dbe42da23d0161aa02d2dda56744

SHA256
498061dd3f20162d138bcbb186b742fb86ae67158d2aac37371d78c3bdeb35c3

SHA512
32b18f32e7a097b2f5d6637dbfad82248e3c8736af7de6a1b437c9fc09e96281287881e0a9bd66e66e7734dcabcafa34971d80d4ef224953f5f6d2325570995a

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
337KB

MD5
3a7b17482fd1bbf92910562bdfa3626d

SHA1
7aa26efe1fd6404b87e4a1f252edd9bce4903463

SHA256
b8a1dc521f2d6bdb9aa2a69a8fb12653d74f09d1b29890a0f3f232731750a15c

SHA512
d6e58ef02cff73ac4d6c1cfb956eaf32381a84d217e0471b2f526e433f48d086bdc7aa4f72bedcae21d8ff1d34353a8c83352c9aea3cf729263e40b6f510fb4f

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
337KB

MD5
3f41935334fd6f9e5f6d11d80bee7356

SHA1
af91a57afc1a15214d31f4f97988b970800b096f

SHA256
f77bd79116c677a63414d6800ad3708e65af4e407cfcc0591dac7aabdcfc54e8

SHA512
dccaf8ffa8c2747d64969dab7012c1a882c4fe48de8e44b8777a07be5aab967ff65440b98c1f8b06f3d5f6bf4ed4a074de67c96cf1d4015883684c38cf06434e

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
337KB

MD5
ee6660657d401721ee9278ce028e58ca

SHA1
e2fadf4fd15be18a8882ccd2080019cd074acc34

SHA256
e0e62c85436584677527cd597949bc8b51108c6a3c072f174e7bcd8d1ac9767f

SHA512
8f77a9303942eb33cd86734160943c2631c92ac33af551457c33bae1cccb361d5406c682c0c4346d0a7694d18af383c8fdd37daeec275c8c68d75fa97d82cbf0

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
337KB

MD5
c5b0f0daa1929b6830fe9b51e4c34c38

SHA1
2955eb7773157dfcc45fffa6448ac2c36a089f65

SHA256
598a9a4c6dc1d5fa6f80e67a92087f7cb6035dd40f0753e36dd3630db36129ab

SHA512
af5a43f130a448fbc3931fd0223d97154b333278754939f767abd572815f2d9de90dc1e63827acdff3c4674f26afd17db5f2c76f1b7dbf648d4231d036eb0ae3

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
337KB

MD5
2190f62d5a19070c28733ee84deabbc1

SHA1
9ca1e72e855c59b6e4a1f029a7fc92e7331dd5f6

SHA256
5e729d0d30b94d2fde0fedcd73583c73f8882d786f2d8e7fbe0e4640f2342ba3

SHA512
3e954165d900dd0be43cc2a10d9ffd8734bbaf28175ff59a92838593bef20500389949fa0aadc774716710cc58713205acc5a3a9c28d1bf269c695003f5c176d

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
337KB

MD5
1a9d4376417f6963afda8c18a06eb95e

SHA1
4a0e7650e9b42ed953cc75f302bf6c4920c331cd

SHA256
443c25efa7de7def2940b7c6d79422be3106d8084ef3277cebf0534faabd5bd5

SHA512
a5d0584db08d4fdf6094b214c68051fc61a9ab6378a52d77590ff1dea914bab8faed63fd6cb713f844a832dc850b6a1b5a8e64fcb72f29b61aee8f6cdfacb980

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
337KB

MD5
307ce77acbb7b7e121f6b6c5995b6e84

SHA1
99416f5d4d3fd75bba8fb8ceda1b60079095cfa1

SHA256
9e23b08dd9cacd7055cdd867e29f0495acba7bfb2a5d017761d23b384ebc17a7

SHA512
5a62a06c437b6ed91c2ce21a87732b8edcc35b1e312d5d1c6f2fa7f16b2001c8674d00395da8c791de795a8db51a7006fe02aaa3b44cfd0aa416ac5cf4e00d74

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
337KB

MD5
e1e2b99ba4446a050a3a46ab4c9a4116

SHA1
7a15a1c87f415f1dbbe889ee0fb384c355d8ad39

SHA256
9a015c7dd08ccc47e98bf9edbd6b380f4272a44e7a10cd1627b38b6fc3966c5b

SHA512
4e2d4b17794b6fa5e6c2a651fa1472375bbb025fcfd2aff26eac3ea7361db48f1d6fedf015c5fa47a07e88d970764ef034fe4f6e5fe5c888b10c2cbc69389d3c

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
337KB

MD5
56f9a3981136bc601a793743e59b6178

SHA1
410c4695b166cd4bcadb46a9b135eac1b4b0df3e

SHA256
f69c575d46d08978917f92400cf522528c8e7aa0f6a137d57cb4e1ee2c2cbddc

SHA512
70d1d769d05797b4d43a669a7b8ee086b5bd49396593ef8583d1e1fb51b17d691c24feec94db69eb8e62dabfc11c9e9e728263b80ddc21dd0d687aeaffcad8fd

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
337KB

MD5
8a884f721d4421964e3269ba19613df1

SHA1
c8c30f345ff34a5afb200a54c5c891783ae26025

SHA256
0d5b2ea90d710c4f5a9bd0f231a3dc56b4ac85f8c5daa5e76531ac346c5a42dc

SHA512
bfc4b7fd46fd33bccd85469b3f5df9544bd1f991e7a5b2152326c1dbe8ce0188ff756b49ae2bf2ade4b44b252b89c247c51a742f9c014dd0e7d1e804126fcee9

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
337KB

MD5
6efc705358e410d1be62bc9d34cb4b17

SHA1
6e95efc6f717196f4f6d6148102de30b0a007a7b

SHA256
da018eeb7cd530e833250f2b25b3abb7472b947373d4520a7f7662ac6de1e9e4

SHA512
6f8bb4afecbfe9893c1ba90985558ec260681ff0bcb005a1b0987650eda74bf6e59df7a7d0a0e5827678a4f5b016426ce77b560eee9405a30ff152ba8f81d6cd

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
337KB

MD5
abaf54b5b43912e48ad0e8709195a41f

SHA1
e2c2706ea007c248d75ac9a6d407652e119311b3

SHA256
fc9b680d85635df1cb0456c75e75a90ce1d51d95ba957e211fc9de8c0d54b2c4

SHA512
e69e62b8c93de54ed3373516f36372e5eadfa956824aaeb462717b1eeb8a6b31b9c57256ef63290d048139a43a60415ea4bf686b91bedd1397339124aab119a3

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
337KB

MD5
db920fb1320fdc156438696a348b2b45

SHA1
114c5d5e05d9fdeacb7b6bac54275d3b7443bab3

SHA256
2b1136a849745e107995e5c376b759c76b94c11ebc9aa1f0c1c9ead9569e4c51

SHA512
e123c2b3e21891555fb161a950a0922b3cf5eafb8a313de5b9d6f742067d4d149a140c7384928cffbca8021bb95c26702fa2f10644c384d75847f8b194bc0cf5

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
337KB

MD5
85918482d1529327714d363e0eea72b6

SHA1
6f20945c3ece2f7120717ae069488fe2c61f311b

SHA256
64b8a027fded0c85a0564f90c83b8af5a5b16d1807e0ee18d2875d0487d1910c

SHA512
848573d3e1554274243813c753b74f90e760c2069b7dc99acf43fb5a67f22f3b749d7b6b41a5bf28645e7bcc367ae3cebfa85b5646d8a7de045da225004eadbd

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
337KB

MD5
a73ca8ac66e65ff30d1592893fa2642f

SHA1
7f893361631aab7279a3ab9394f88de3d0273ad7

SHA256
9ad1e0a8118c5903a08db5b6b595a236b9d36180bbe337d3f9bae596dedfaed2

SHA512
e22ae37e5a1e19ae0da7fcfb9e0386ad0e58b2de2717b9594d986c316000631cfdb73559ffbcd1c320b2a096345cf2669766abf734093d8f4a7a248db2d4c7ae

Download Submit
C:\Windows\SysWOW64\Clmbddgp.exe

Filesize
337KB

MD5
b59d7b6fc520b340e4d02e7f360a1574

SHA1
04eb60014cb933e9cba8361b856485f13acb9830

SHA256
b83bb2bb9d9d30185155a303ec0add42a84c53a88eaea325882effb15f670032

SHA512
f58cd448ad04f86762e579b4a62f8ffdc59196de0c1480c30b7ac2a17bc8279d24b3990708962dfdbd885921f97a8ed3c1467ee6fcd33c526eb872e642477164

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
337KB

MD5
c9c272565b17affe33ea4892f56dcfd4

SHA1
ce204951cd56f5ead056fd1b58c9182d1c288622

SHA256
22e348e11c56b55846ee5886ac59c96c5c0fae648c1ec05ef80d684ed4fbf440

SHA512
857eb4f136f7c7b5f6a11b95e8b27dcd54666c8d323f6b91d93365b2745ef85db72ca2b4f6643ac84182c7d9fa7dd905554658a1f61e04e150a9ca806c87d856

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
337KB

MD5
05f08206648249f21568b8fb8facf34c

SHA1
4921314d92c0694df7f24b77bbadf313176dfa9c

SHA256
3b7bace8c61c25de2796366430740b39ead0d7eceb7e0d652b280158a114af66

SHA512
099ffe8f7d5535df60153227ba7d8561261595cbaeabb010cbf4bb1170af9daf778b080013371a4dce4e2b63d23bc5990c11cc7777299551412b56a8a05337d0

Download Submit
C:\Windows\SysWOW64\Neplhf32.exe

Filesize
337KB

MD5
a9bc568e45e5a589b4dcf8658e6f8cb6

SHA1
ee2ae22d1ccfd2ad52be7f10d665a366c21a9083

SHA256
a3cb9473753c6fb796b6065b0aaff4029e72882813c6b74964d356f77c0bb44b

SHA512
eda9ff0e4ac44c059a3ef36e1806fb65feb10b3e2ca03e001ba974f2121f2422051284a0e921a2d49725bc0ba9a0452ab926a4fb19171217bc1a2b54d2c96b46

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
337KB

MD5
bdbc7fa364dac5a17236bacf813e0fcd

SHA1
281e04dbf212d4a047d42e534fc8d0c11806c9ca

SHA256
8f88a873bce432648ace1523c4f22a0511688325960b6d0f3730273993391922

SHA512
ac36e5a2d1b007b8e2e62d06fc47df07b494c910044053c01837b94b0271d8bfb42593ccb7b4baec4ec0a76863c5c4dbdf18ce955d0a0b6d0d2f9f16a9f7780e

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
337KB

MD5
613ea1ae7b9a8e34466022cd054c57a5

SHA1
c3047749d51ba2a771d704f2cb356d03ca14df7b

SHA256
a5c45e759f811d6e304076ce80234c4f551d187c9f07509b4182fb82446a20ab

SHA512
3c1637f5aa31da10350f7315a440d20b6381c093376d9c3ac363df8b8e9f62b42be4d42f22ee57197d35c35f3adc619c47c7ec935f31d9be918faf51a9938036

Download Submit
C:\Windows\SysWOW64\Poocpnbm.exe

Filesize
337KB

MD5
600779187c232788c9ba0df2bbb5f331

SHA1
e600f2303e99768194c77653dab4144ba38b08a1

SHA256
0d662512994547f4151abec590af0a7f9d5041375f47b806c90e45f7e732485d

SHA512
0d512098835f373512b5e06d76f99a4d70ae75785d24e4f4a051607aff5808f8d643fcf25a4dfdfb62f4d82c190f3e2506986c826496064ae3e33f5ab2a6c8b4

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
337KB

MD5
7c34ad7835c0f42340b2f9dea66dc31e

SHA1
266ce08043e33f40d3fccd5e50c0b518cef1976f

SHA256
8615e181b3c085bb20d882553789baadbc0d3c8f8a9bf45941bcd6327fa779ec

SHA512
9d584db3774b277fa9a3bd2be4390434691aec5d71ffe2dd29df0cf9dc2c856a1e22a873f9176afc5bcaa2d549766d9fed72694211172245d6d86b0064efe7bf

Download Submit
C:\Windows\SysWOW64\Qgmdjp32.exe

Filesize
337KB

MD5
c49c922cff43019e46da2aec44029b96

SHA1
1c888c0633a7925716343baa7a4f823056bb010b

SHA256
1d5d7a1e1135790522b5845aae81406ff3442ff445e48412fbde997b6f896a9b

SHA512
fb0d243eeed51850efb13243d2f1c836052b9ecbfa5e1289149a433da0152a6ce49ba5d7acb4bdf9a38da94ffc83cd4fd7035fc0644e29f57434e6f874176879

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
337KB

MD5
c1bcc55bfb1bdc9c2ed7a6f97415f306

SHA1
aa1d19f0d4bed855062ef552cf66cac4ba3b790a

SHA256
0fde5b057cc3e3361d78ebb53eaa906506991732d7f77d1f78f2c154da025322

SHA512
6db7e6c32cacd59b7d18ebb25a4cd4e5c60ff86c9a9c315cda6cbf9dd8241f0dc66d9c13f3ab579c329a168588a05fdd0d7d47936a0705c2b8eb0796de11c4eb

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
337KB

MD5
2ecab9a025af8a859aa94fc093e254cb

SHA1
a34eb356f76a280dc3b50ec0f6002c82f478459f

SHA256
1f9cb9751647ee54b7ef7a0ff0bbdb978de5d7ef66a6b63f2338884710c38406

SHA512
cb8d47f61e3435eec47e9142addc7634c66a66896ab06d60e04f0dd6e2ee4848ac71a21f76fde3ba67ec7dd2b61ffc597bf2a04c8bc3fc165a27e662037ffaf3

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
337KB

MD5
b8a3326a9cdc5664be57ffc6e032ef46

SHA1
5b9f8d423e7fc87815fd51cef4830a21b94f1711

SHA256
fc3a50b01ba45fce97eed1e84d27345c82ba40dd31f709d931d9f2f18c178241

SHA512
3c0f1772ceecf218e6503870b4a81bfdad0fd17318430693da6c5663a678cf5bb88c7d867c3d199b80f6e153cf8725beba8206bfc6aa016838839ad7f68290bf

Download Submit
\Windows\SysWOW64\Npccpo32.exe

Filesize
337KB

MD5
1858fc728e41801ce288205132024476

SHA1
2ebc3772e56396ac8347947901ce2676f2783501

SHA256
f668bf893c1ce485921cd82fe94df2afc2d12247ac9059ff0206f0cd42046338

SHA512
908c9f8980ca8a7630655fe11d8b4601f4f6995e498f6f67a1e9f9641752441b93f02bb31df3295111614879149d98a37da1205b4691d5480aef27f15235ac93

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
337KB

MD5
75e8b7f4d91aa9d1c90154f203f8a7a2

SHA1
00c1287902c3b06dc8a37454d8a3257a045ead3c

SHA256
0e56487b670e34e5ba59bf6d811026c9c87b4732b5fc37d9160c6d8c604d1b1d

SHA512
04221667ffaecd44a2a9a510d36756e0a2e95a3f582976c955dac63536d02f1724383244d2f05e78a26f825d270ff9920ed8c65d1b0c3c83a2d45eb52bbd6ea1

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
337KB

MD5
628e1c777c9dc8ebded8fef5a0d89639

SHA1
06a7fd140c46181e16bb67653628955d2f9ce306

SHA256
af111d140557a23deb62255874d20c5488d70196167d9ff5f8dc39fde0a78817

SHA512
93d8c80c36e9633ae0d110e7ee9282c764c30784f0d614024d03ae19d6ce7f37858f546bfb5b4007229836cef597000bc66e1e06a3ba60572213a7bf92ffbe91

Download Submit
\Windows\SysWOW64\Ogkkfmml.exe

Filesize
337KB

MD5
4ec4f9148cc7e10a33700585c3e0879e

SHA1
b418b27ef9ca590bc6e315e4809c94dfb7d44844

SHA256
1c9e1c3ecc3ebdd52e18bb4ed1a1894e6ff6cfa1d370e90c0258396bfa50ccb0

SHA512
a920bb5bfe26206e06338a07fcc09af40f4c611c26ceacd69f01c1d19c58327a2bb9e9bcd50e57d9ae7d8c0921c8cf20dcc79cb866fb30fcc101cf0d47cafc84

Download Submit
\Windows\SysWOW64\Ohaeia32.exe

Filesize
337KB

MD5
881d6c571be7e90b560ce06edd6af09b

SHA1
151685cee1b56d333462fc99411b4f0d92948aa4

SHA256
c223311428043ce10f3835e454f2b5b995a94af7f9a1ff406be36b3c12cb7731

SHA512
2256b2278b16679df5ab40d613bf302fd3d3113a88e0678ab4eb4361c141fc228af80777f654254d8310601bde0bf75f3b745a79e38b2a5d5130ca78323ce158

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
337KB

MD5
c15e56670312b020b739565e59257662

SHA1
05cf34f82eef6af02c8fcb733c0d6eba19123539

SHA256
dfe31733b2e51cc32db68d814fd6a1b829c0f988db33f5b49f6dbafab6ed4977

SHA512
a69848663efa19174e9f9cf57f9ffb41a6d67872c06145b92fbec5992d84e9029192725a47b2bc8d4c07bc7cf5ddd60e18011234a908d60d9fe23082fba891fe

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
337KB

MD5
243c6b652ae81f4a82669fd9aff6ad3d

SHA1
69cf4d6f7b56ab3ce203e26b35034227be79f14b

SHA256
93a7604481103727e75ab5a9dcf74876f7d516c9889a36d9c5e8459815d178d4

SHA512
0397f30b00328056fcc08c1418d875d13a0af4430d55776936986c211208ac9c035df262a83d9026d5bbccf3d5f9107928eff1a9db48c556ec51d0fd0f353356

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
337KB

MD5
82fcd14bee9b526693f39c98ecbd00bc

SHA1
eb4353ca64f5e499a53fcdf37e2bb1cd955751d2

SHA256
85fe7a1da84dcd805f01a6a2ebf0284b3db3650fcd58426295263d34672b7f39

SHA512
ec8d56e2e2a499236e2281dadfb2b0b460c1fe6f24b09b1f3d23a4076e1a3edd1ae9fb69b6ec8821b22d272f5dc2f49e928aaac4925f40af67fcec30ceca1901

Download Submit
\Windows\SysWOW64\Pcdipnqn.exe

Filesize
337KB

MD5
7ab3ae37a675459e1798d074135919f9

SHA1
2bd82ce7bed84acb8752226644b721a9e73f1cb6

SHA256
bb42d0e295ed926bbf6093557780835e07a234469a2d427f2ef96ebcd4e3da70

SHA512
4149c1a5398732e272f734e082670e7ec0beeb6a922d5290aef59b2a53149f36b13f38122f31dc75693a8409d6df92863b0379e0e6164f2cd541ac277eb0b5dd

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
337KB

MD5
658099c057fa498868e537aa84d3b4b7

SHA1
640c83b206b81bc77666b268d4ca1fe60736864e

SHA256
0a0ccc5bdcef37bc73bf552cf9d32014e2b9a07e382d7d5c8ce1505d96fb82be

SHA512
4137f7b6c56f7b4ed6562eed5b8f53589d3d9b0a58fd54e87bd35024d7d220ce2d4121727ff163412dd587d53b452d48e7e5407d7fbec08c682b69188ce78c6c

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
337KB

MD5
6eaa317e887a8a0169c7a1d3617841d8

SHA1
cd55d43050ff0c3aaa9ac410996a65526033f8a4

SHA256
fd6348febc04a9c6a728c3f39feccc3c28faaa0faea144d87fd889a01802469b

SHA512
937961fd8755695346be5386d1fb445f9e42a2c3f2cc147e7cf0339aec66e4f877651a95d8088dfe201ae3aa01e369c4a5c181be23eba17569d99f4591360bbd

Download Submit
\Windows\SysWOW64\Pmojocel.exe

Filesize
337KB

MD5
137636ab7b046a92b726f8ff096296b5

SHA1
3d1fe2c44bf057c6066a454f7ee1ef986a7849db

SHA256
2b5947e29257afe897fa5aa64bfb2bc77f6e50d3b27fbbba63486144be266f37

SHA512
9c0c53f319ba87dc825d3b3c44fc2fd93ef1adcebd13afa314e4d0708215d2e8b51f1e6f32d9a075697698cce6d2149109cf66a25a312dec0fc7b34e8d1f81f0

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
337KB

MD5
2c05489a7dc53eb52f2c7f294e28880b

SHA1
e18cf5ad17ad5148457567b9fa8a97b2828fae64

SHA256
8a348447167cf6251e42310101895d2fd457876d1f4591dc76d34d90d67d0a28

SHA512
e01f5701685a110423ca7efce4fd56ec42f1399aedd1259f123287791beb016df7fc5ff576505d60c9803afe01126d52330c6bbd3d72f732c13a51124a1e1d19

Download Submit
memory/300-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/300-175-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/300-176-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/344-406-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/344-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/344-74-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/952-256-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1260-389-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1260-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-133-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1304-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-424-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1340-425-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1340-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-318-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1576-317-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1644-265-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1688-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-239-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1744-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1800-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-458-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1804-105-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1804-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-436-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1868-230-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1868-226-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1868-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-247-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1932-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2032-189-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-304-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2212-308-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2220-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-363-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2220-364-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2268-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-161-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2268-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-479-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2276-451-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2276-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-114-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2388-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-199-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2412-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-275-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2440-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-218-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2464-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-399-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2556-400-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2588-48-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2588-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-366-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2596-34-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2596-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-61-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2616-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-350-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2624-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-351-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2640-142-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-297-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2676-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-7-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2720-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-378-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2748-373-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2816-339-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2816-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-24-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-25-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-329-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-325-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-730-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-287-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2964-413-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2964-412-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2964-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads