berbew | bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad

Analysis

max time kernel
31s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
Size

64KB
MD5

c44e61534c1461849004658f3ea2be96
SHA1

3203c4e65af6d699f026a1c6e1229045a7b98f41
SHA256

bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad
SHA512

d1a09199f554dfd89f5b5cc82e9f41df7884da77d474955dbcffed5d19383f5eaf9743b1993b98a82ed0380d7074143797791ab83b8e0534e78f7b6da21f2bad
SSDEEP

768:YCmpD5aVwAZZGuktBEqgKPNnRVMfTOVu5c5/xV6VM2p/1H5Y7Xdnh0Usb0DWBm:YCSD5a6AZUvtB/ZRVq+Aq2LO5rDWBm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oalfhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okoafmkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdabino.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeqabgoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadpgggp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
2720	Nhllob32.exe
2708	Nadpgggp.exe
2872	Nljddpfe.exe
2576	Oohqqlei.exe
3008	Okoafmkm.exe
776	Ocfigjlp.exe
2236	Oalfhf32.exe
2196	Oopfakpa.exe
2328	Onbgmg32.exe
1760	Oqcpob32.exe
2892	Ogmhkmki.exe
2344	Pnimnfpc.exe
2556	Pfdabino.exe
768	Pqjfoa32.exe
1624	Piekcd32.exe
780	Pdlkiepd.exe
3048	Qeohnd32.exe
1684	Qqeicede.exe
2488	Qiladcdh.exe
2976	Aecaidjl.exe
2920	Akmjfn32.exe
2680	Agdjkogm.exe
2692	Ajbggjfq.exe
2852	Aigchgkh.exe
2776	Apalea32.exe
2608	Abphal32.exe
2056	Aijpnfif.exe
1076	Apdhjq32.exe
2188	Acpdko32.exe
2268	Afnagk32.exe
2180	Aeqabgoj.exe
1440	Bmhideol.exe
2864	Bpfeppop.exe
1860	Bbdallnd.exe
2140	Becnhgmg.exe
1972	Biojif32.exe
2952	Blmfea32.exe
2296	Bajomhbl.exe
1880	Biafnecn.exe
820	Bjbcfn32.exe
328	Bbikgk32.exe
2024	Bdkgocpm.exe
2520	Bjdplm32.exe
2516	Baohhgnf.exe
2500	Bdmddc32.exe
2468	Bfkpqn32.exe
2788	Bobhal32.exe
2896	Cpceidcn.exe
2688	Chkmkacq.exe
2592	Cfnmfn32.exe
572	Cmgechbh.exe
1652	Cpfaocal.exe
2672	Cbdnko32.exe
1832	Cklfll32.exe
2664	Cinfhigl.exe
1416	Cmjbhh32.exe
2880	Cphndc32.exe
2004	Ceegmj32.exe

Loads dropped DLL 64 IoCs

pid	Process
1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
2720	Nhllob32.exe
2720	Nhllob32.exe
2708	Nadpgggp.exe
2708	Nadpgggp.exe
2872	Nljddpfe.exe
2872	Nljddpfe.exe
2576	Oohqqlei.exe
2576	Oohqqlei.exe
3008	Okoafmkm.exe
3008	Okoafmkm.exe
776	Ocfigjlp.exe
776	Ocfigjlp.exe
2236	Oalfhf32.exe
2236	Oalfhf32.exe
2196	Oopfakpa.exe
2196	Oopfakpa.exe
2328	Onbgmg32.exe
2328	Onbgmg32.exe
1760	Oqcpob32.exe
1760	Oqcpob32.exe
2892	Ogmhkmki.exe
2892	Ogmhkmki.exe
2344	Pnimnfpc.exe
2344	Pnimnfpc.exe
2556	Pfdabino.exe
2556	Pfdabino.exe
768	Pqjfoa32.exe
768	Pqjfoa32.exe
1624	Piekcd32.exe
1624	Piekcd32.exe
780	Pdlkiepd.exe
780	Pdlkiepd.exe
3048	Qeohnd32.exe
3048	Qeohnd32.exe
1684	Qqeicede.exe
1684	Qqeicede.exe
2488	Qiladcdh.exe
2488	Qiladcdh.exe
2976	Aecaidjl.exe
2976	Aecaidjl.exe
2920	Akmjfn32.exe
2920	Akmjfn32.exe
2680	Agdjkogm.exe
2680	Agdjkogm.exe
2692	Ajbggjfq.exe
2692	Ajbggjfq.exe
2852	Aigchgkh.exe
2852	Aigchgkh.exe
2776	Apalea32.exe
2776	Apalea32.exe
2608	Abphal32.exe
2608	Abphal32.exe
2056	Aijpnfif.exe
2056	Aijpnfif.exe
1076	Apdhjq32.exe
1076	Apdhjq32.exe
2188	Acpdko32.exe
2188	Acpdko32.exe
2268	Afnagk32.exe
2268	Afnagk32.exe
2180	Aeqabgoj.exe
2180	Aeqabgoj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Hbappj32.dll	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Pqfjpj32.dll	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Dhbkakib.dll	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Pqjfoa32.exe	Pfdabino.exe
File created	C:\Windows\SysWOW64\Oqcpob32.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Eioojl32.dll	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Acpdko32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Oohqqlei.exe	Nljddpfe.exe
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Qiladcdh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	Oqcpob32.exe
File created	C:\Windows\SysWOW64\Fpbche32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Hanedg32.dll	Nljddpfe.exe
File created	C:\Windows\SysWOW64\Lcnaga32.dll	Okoafmkm.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Agdjkogm.exe	Akmjfn32.exe
File opened for modification	C:\Windows\SysWOW64\Apalea32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Piekcd32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Pnimnfpc.exe	Ogmhkmki.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
File created	C:\Windows\SysWOW64\Ibafdk32.dll	Nhllob32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Aeqabgoj.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Ihlfga32.dll	Oqcpob32.exe
File opened for modification	C:\Windows\SysWOW64\Pfdabino.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cklfll32.exe
File created	C:\Windows\SysWOW64\Oalfhf32.exe	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Bqjfjb32.dll	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2424	2004	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okoafmkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeqabgoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljddpfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalfhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdjkogm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimnfpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohqqlei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhllob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oalfhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeqabgoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecjdib32.dll"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqjfjb32.dll"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbkakib.dll"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oopfakpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napoohch.dll"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okoafmkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbpnl32.dll"	Onbgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akmjfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfjpj32.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	Oalfhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oalfhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdjkogm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgechbh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2720	1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe	30
PID 1748 wrote to memory of 2720	1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe	30
PID 1748 wrote to memory of 2720	1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe	30
PID 1748 wrote to memory of 2720	1748	bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe	30
PID 2720 wrote to memory of 2708	2720	Nhllob32.exe	31
PID 2720 wrote to memory of 2708	2720	Nhllob32.exe	31
PID 2720 wrote to memory of 2708	2720	Nhllob32.exe	31
PID 2720 wrote to memory of 2708	2720	Nhllob32.exe	31
PID 2708 wrote to memory of 2872	2708	Nadpgggp.exe	32
PID 2708 wrote to memory of 2872	2708	Nadpgggp.exe	32
PID 2708 wrote to memory of 2872	2708	Nadpgggp.exe	32
PID 2708 wrote to memory of 2872	2708	Nadpgggp.exe	32
PID 2872 wrote to memory of 2576	2872	Nljddpfe.exe	33
PID 2872 wrote to memory of 2576	2872	Nljddpfe.exe	33
PID 2872 wrote to memory of 2576	2872	Nljddpfe.exe	33
PID 2872 wrote to memory of 2576	2872	Nljddpfe.exe	33
PID 2576 wrote to memory of 3008	2576	Oohqqlei.exe	34
PID 2576 wrote to memory of 3008	2576	Oohqqlei.exe	34
PID 2576 wrote to memory of 3008	2576	Oohqqlei.exe	34
PID 2576 wrote to memory of 3008	2576	Oohqqlei.exe	34
PID 3008 wrote to memory of 776	3008	Okoafmkm.exe	35
PID 3008 wrote to memory of 776	3008	Okoafmkm.exe	35
PID 3008 wrote to memory of 776	3008	Okoafmkm.exe	35
PID 3008 wrote to memory of 776	3008	Okoafmkm.exe	35
PID 776 wrote to memory of 2236	776	Ocfigjlp.exe	36
PID 776 wrote to memory of 2236	776	Ocfigjlp.exe	36
PID 776 wrote to memory of 2236	776	Ocfigjlp.exe	36
PID 776 wrote to memory of 2236	776	Ocfigjlp.exe	36
PID 2236 wrote to memory of 2196	2236	Oalfhf32.exe	37
PID 2236 wrote to memory of 2196	2236	Oalfhf32.exe	37
PID 2236 wrote to memory of 2196	2236	Oalfhf32.exe	37
PID 2236 wrote to memory of 2196	2236	Oalfhf32.exe	37
PID 2196 wrote to memory of 2328	2196	Oopfakpa.exe	38
PID 2196 wrote to memory of 2328	2196	Oopfakpa.exe	38
PID 2196 wrote to memory of 2328	2196	Oopfakpa.exe	38
PID 2196 wrote to memory of 2328	2196	Oopfakpa.exe	38
PID 2328 wrote to memory of 1760	2328	Onbgmg32.exe	39
PID 2328 wrote to memory of 1760	2328	Onbgmg32.exe	39
PID 2328 wrote to memory of 1760	2328	Onbgmg32.exe	39
PID 2328 wrote to memory of 1760	2328	Onbgmg32.exe	39
PID 1760 wrote to memory of 2892	1760	Oqcpob32.exe	40
PID 1760 wrote to memory of 2892	1760	Oqcpob32.exe	40
PID 1760 wrote to memory of 2892	1760	Oqcpob32.exe	40
PID 1760 wrote to memory of 2892	1760	Oqcpob32.exe	40
PID 2892 wrote to memory of 2344	2892	Ogmhkmki.exe	41
PID 2892 wrote to memory of 2344	2892	Ogmhkmki.exe	41
PID 2892 wrote to memory of 2344	2892	Ogmhkmki.exe	41
PID 2892 wrote to memory of 2344	2892	Ogmhkmki.exe	41
PID 2344 wrote to memory of 2556	2344	Pnimnfpc.exe	42
PID 2344 wrote to memory of 2556	2344	Pnimnfpc.exe	42
PID 2344 wrote to memory of 2556	2344	Pnimnfpc.exe	42
PID 2344 wrote to memory of 2556	2344	Pnimnfpc.exe	42
PID 2556 wrote to memory of 768	2556	Pfdabino.exe	43
PID 2556 wrote to memory of 768	2556	Pfdabino.exe	43
PID 2556 wrote to memory of 768	2556	Pfdabino.exe	43
PID 2556 wrote to memory of 768	2556	Pfdabino.exe	43
PID 768 wrote to memory of 1624	768	Pqjfoa32.exe	44
PID 768 wrote to memory of 1624	768	Pqjfoa32.exe	44
PID 768 wrote to memory of 1624	768	Pqjfoa32.exe	44
PID 768 wrote to memory of 1624	768	Pqjfoa32.exe	44
PID 1624 wrote to memory of 780	1624	Piekcd32.exe	45
PID 1624 wrote to memory of 780	1624	Piekcd32.exe	45
PID 1624 wrote to memory of 780	1624	Piekcd32.exe	45
PID 1624 wrote to memory of 780	1624	Piekcd32.exe	45

C:\Users\Admin\AppData\Local\Temp\bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe
"C:\Users\Admin\AppData\Local\Temp\bc31cdeefd2e0be0145db539b2dad56509daf1b36165d2a15924a9522e3bf4ad.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\Nhllob32.exe
  C:\Windows\system32\Nhllob32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\Nadpgggp.exe
    C:\Windows\system32\Nadpgggp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Nljddpfe.exe
      C:\Windows\system32\Nljddpfe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Oohqqlei.exe
        
        C:\Windows\system32\Oohqqlei.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Okoafmkm.exe
        
        C:\Windows\system32\Okoafmkm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Oalfhf32.exe
        
        C:\Windows\system32\Oalfhf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Oopfakpa.exe
        
        C:\Windows\system32\Oopfakpa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Pnimnfpc.exe
        
        C:\Windows\system32\Pnimnfpc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Agdjkogm.exe
        
        C:\Windows\system32\Agdjkogm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Aeqabgoj.exe
        
        C:\Windows\system32\Aeqabgoj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 140
        60⤵
        Program crash
        
        PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abphal32.exe

Filesize
64KB

MD5
79015a46a5a12d9f8827d5ee4ec99af0

SHA1
d1caf396d4af1526cf79540d80e4bf7f2419c287

SHA256
aa1d4858d6eae0ec835e67d78f4444bdc8cf723342a6ebbc386f27fa9bae7010

SHA512
3f91f77c8f5ce1d018d689af8060458f9efd56839044eb145e756b02314d9d00dc63ee266cbbfbb7163e57efa3a516399ab21dfeb223b734fc7003c2acbf832a

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
64KB

MD5
5805abc66120c842f37e6432b5ed70be

SHA1
6797b33752029a5fb4a396c6b4ed6d13fe2e7471

SHA256
0ca4b4c3726b5fc62e921dc5201d814db893bf3848577b708d9aeb8e59e5a404

SHA512
a737af79a492aa4e8fd29dcd5d8280ae35f64048ec089fd6a43e9f872d66a25dec6543cecc181b1fe9e22dd98ae26a7f6ef4a45401cd44efed7d10f6e2103b66

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
64KB

MD5
c735650b15179fddced83bbcbe71dc58

SHA1
1c47e123c3f62eafbaacefbab59f4e49dba4c969

SHA256
10cd587824bf040d83c6efd2f6d927f12e0676b204cc06a6a0fe77f10d84cb2e

SHA512
8fc569eeb79541646480a4fb8b7ca30e065982d0c874fe6dbf5dea3fbbce753e067736c26574d4de7823f7f7b9e5634e24235f4aace78253d6a677be7adaa3b1

Download Submit
C:\Windows\SysWOW64\Aeqabgoj.exe

Filesize
64KB

MD5
47397b530087b7ac92a34699c0d9ea30

SHA1
157a395adc8ad61e1dc177362994468a392b64ae

SHA256
88a111ff978958f07723d0908ab15c419e0e17e0f1349fd7b0bd8a1e4ec43839

SHA512
393a21495137674600603ffc8940347b20b3c2cb4714f535e9256e3a56d94c61bf2a493319aa1196239ac0f7755dbd1242b4889471caf8e1a3ea48a4f57dd1bf

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
64KB

MD5
678f7e907cb0d30e4c40d3f872796dfa

SHA1
efbedf5b568bdccca25b532ca94774bc8725da72

SHA256
d50edf6bb193c324075a5d501b184c0aba104c293a7af16ee676f468b08425e2

SHA512
85464bcaacb5e5608d2cc58c28baf748982ab77f3d33890470dbeb59fbfe338964db854cec2cfe9a75cef345715e862c3a7c571499fd96250df9703622c084ec

Download Submit
C:\Windows\SysWOW64\Agdjkogm.exe

Filesize
64KB

MD5
170f579f03ba830a9563569a244be046

SHA1
b426f1377664355c613bdb3b68dda209bb70a57a

SHA256
9372703bdb7d3dfd0071949efe9eefec9ff297103bf60f006288b62f6fb33002

SHA512
e4e55c783f95164c041bda11305a5be90c0f48ec64d49c19da359ecdd89c52ed95a22108e787b10fefac0dec3eee1480ae494a51d3b04f3c21a5fc338895a0fc

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
64KB

MD5
bf9f0dc4cca2ae122120d60a00f5fe71

SHA1
6d5a99714d8c728a5be292e72276616a664116a3

SHA256
c0547137204c4f582b8921fde6e53ff5182a8574d2512c5ebf956e004fce15a5

SHA512
5fd9595bca50fe7252f8dc9acf9c36120ce98da9bbc1d30ca5430e520e44ac8140f94f931cecade23be3b8ae2c8e4e9d39a4f6d775ae75149685d89f9e17cf78

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
64KB

MD5
08eca89d8b57873719d86b2ab93dcb47

SHA1
369364490337a4889628ac97a15f5a148e1647c3

SHA256
e846dd1a40b1a219995a1e64b9aad711dcde4210882143d9ccfe042f53b13891

SHA512
1a9882bfe53abda3c99fbd89a585aa22aa8c70ecb4d4e039e7cd68ee32ff350eea35ff4af8d61a6fc04802f6cfea8a68a8eda3aa12ae66529296ecfa2a11210c

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
64KB

MD5
e5c371e95512cb5f45cd1b282e5b5756

SHA1
c2708567f2d98ffbf938c98a2403da5c97474b6b

SHA256
703a8ba65a14443bd1daa1b5b5e32a793afcf279666449c589f95f48928c86ac

SHA512
ebf077e69e1620a824469e5b814c149728926a3af8185c76e1d2bb8c151be56c4221fb697f5fa46007e8c11fdca032b285c33c3d0da302200a205c45ae43ed39

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
64KB

MD5
6976715d7fbcfd73be7e0b6c5a643dc5

SHA1
46792dc0ba31ae5ecb08bd21b922b2c12f4dbd5b

SHA256
34a240b8ea85d9f5c587c17ceea70501d600a83b98507f2577cb1316f55a9f8f

SHA512
acd769490b38368d0d1a772a9e1087f6a563952113046c2beb97bfdfaa69fc950dbe6021372f24d6f63abea41f24fa5af3d4216a382fad6ac3b5baa568559572

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
64KB

MD5
689c9faee843fec8a99a519fbbb39664

SHA1
e32669ffcfc9f3351ffe1d42c821103c34ed1dd0

SHA256
1b309f453e4828b02c726b9bddd0b5248b5bdefc63e0022614a721aeac06ee8d

SHA512
9a0fd42d3fe794b59556e4f0397e8b3da073b3735e6bb625a5a489f112b2cf41459a1b4709cfedc229c1251446164dbabb4643574dd10e9fdfdb8383d96e39a6

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
64KB

MD5
f03987a5e60980301c494dbd3ef0506c

SHA1
5f76dc199948460d0236c9bd026a86bfe8906483

SHA256
2e9d1cdb773577d6b9e37d410214f43ef145f7e0d44a6b7f694938dfa62f02c3

SHA512
584a926497e101a49f404443ffae95eb611d1dcf41599b37eb20f94643825e12cf04e6e1d4afc175df85fc4d992da9aaf8829b54fdb8141e8b829c763727e66e

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
64KB

MD5
14d8f95fba492a56575890a1d4834431

SHA1
d9497398a5cf7e12dbb3388dc02f5c009926a331

SHA256
adf39ac31ef5dbc1dc5ecc3c9ba02423a88de1b35b30c69ec7c4275aba44b48f

SHA512
0413337b12fc9b04a91764517f41388afa48d3f00d399430ba224fc179f61072263e0f54b1feee0b38661bfeb3da74cdad9422748cc5cbf8c269e2cab780d75b

Download Submit
C:\Windows\SysWOW64\Baohhgnf.exe

Filesize
64KB

MD5
b30e6d95d6991d4bd458ec45a3780ace

SHA1
76024e9ae09d3ef356cd8705df1f6ef2e03a6338

SHA256
00b58f806432813c86ac5da7ff1c7a4db105d7ce59263cad384f066453ff204d

SHA512
853ac294cfd21a94cd86970a7d11f010fdee1aaaf2742e18f4d25137416bb376a6c34adb590c85ce93190614de3913c88cd9f74ede08a0ce894bacf02a4dfa39

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
64KB

MD5
a00484ac619f62201d75d08929a5a79c

SHA1
f602e9902c433cb8f4fa2fa1a6520aeffe8d3a94

SHA256
8d40f8d99d6a06fd5214f3dd1a61a1cd28c20d9b75bb2839038595a54c855e83

SHA512
89fb85abafb83cbc45190069fe54c0b19d6f127e669849f45f5ad272a3b697496fad95af3ab3c2f1a52f3768786d017dd69c0545fa11215c58ca37c051a12776

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
64KB

MD5
16d0891d8497e4d2872fd9bbe6037f25

SHA1
d1c15798f19a5fd4c2839c61ec8de057329dd2d5

SHA256
63c411c9f465578d9212de488d1e3009b7384e6d77cf09b107431d5a423ab303

SHA512
83f83cc1e484e68edc8850b67f7194a35fdb2a3b90fb38a12145c1979d0c86e7a2e3994900559a7d4cef1f0bffc4ee17b29cacaa562f5aa0032980ff76fbb668

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
64KB

MD5
076801c0a1db32726fd94d212f46661e

SHA1
2966f48e24eede90893cfc09fa8f75b52702f0b7

SHA256
dc8ed6e0a48d6dcc38f7286f515ba886aeadd0bbe259f63dad4cb5196a7c315b

SHA512
e34e75317b55bcbe2084dabd08d4dfeb21bd4755a44afe206bda91cdcf92b48fc5a26f774ac7673fae426ca8871ba19ea48462f3102e5e445f701ca30d99bc69

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
64KB

MD5
b4380e780cfb32f699e6dca788a98ea7

SHA1
ed5f29d2114d0da6b5ca8bb7b332f8194c022e80

SHA256
edfd6b9808658df9e0797c806f989c30474ab941ce4037e6ec8197df207acfa0

SHA512
ec793ee5d21dfd9d913f04bc2a4779248c9d321fa43d1964ce2a5d2749c36c0a5d120080e50f180e5b30ec458b7790cb284e8fdb35c6ff9743202d84172dc0d7

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
64KB

MD5
ad3be92bd7ba8230292a58c1ca97b65c

SHA1
2e8d9e335059f76666d19c731f461c364a8949af

SHA256
3e5b2264eda0b40cc8450eff39b648e841aeacc04b8e88f58624509c20b96cc1

SHA512
1ea8fab08beef6ee7cdff7e031720037f48e30f5cc82741f7e735761f86141d88a7050eec516a10fb3460d7a152709f5133066696b3e8fa61b29b8770ec1710b

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
64KB

MD5
9b6e0a5b838d63c6024c9b70f6ef9ef2

SHA1
e85bab848308c60425e1a464948402fbd778f50f

SHA256
e4d55681054ad301765d663080dfe4bbf4f8bf0b766893f871ffbc56c9c2432e

SHA512
321bd5ff3841c098e6c23ee9e24632b6d524f84f80be54ec7ba5b046110ed5d8104b499028876e0cfff2047c45c9c2c9809286d03e0909838f3338bfac287139

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
64KB

MD5
e435b6efb72c14c92b120f632227b72a

SHA1
336e6397daa043cd497382e687e32502d5026e73

SHA256
445900780de9bef2eab65d0fa8d68a65a29c404a6a0cb9264a61a16ff4f98894

SHA512
e7064d3a96aeb092426e0c3d58707db7413e2acb9da1ec83e93da113db01c025d041a1bd783e85792918d265616b41b2f0c6620c491626d015fbe26f2de3d29d

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
64KB

MD5
fd124e774cdc0f16f3142fecc544bda7

SHA1
b83fe06d7bcdb548931d99cb8d2f13eedef695ca

SHA256
8f3c3122f3ea309983a7d0b3cf18de873ba82b423688aed4ac923256a330c624

SHA512
737b3e01decebff577fc10480246c293d3524efdf769c13092bb13170bc3010ce09a1bb149e5d5a8a768d7228934aeb03f5fb73435e94b88322cf591477b10fa

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
64KB

MD5
c1fe54cdc5279354fe37546271c50518

SHA1
13f5054b194e0d0b0ace3ee5442156bd09db5533

SHA256
d480685ebe6ed22de532a8dc8e2257eaad97e36dd5498d779a9106f7654b1c88

SHA512
e890b2218312eaf68f90c88689fdd6770ffa714b376785f5ad5b735d2c156ed2ba0a54a21e73a317226030109ad0ad2078455096241340eb2f4ab1aff9bf08d8

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
64KB

MD5
3af7b2c21bf76958f5141e68e62a7fbc

SHA1
a3a80e6435d49492640a8dab3f876507469e6798

SHA256
6faabdaa2b0c5042b707109b9b251227b65828c0af29f7ee193d55bd88416862

SHA512
20d77415671cad7fb254aab5a01fb805c68a936e411ea8c9840043eec661b3f552598a14e564f5c7cdda0e8ae6f2c076af81c6e9b1790bbe5cb7b18bb666b357

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
64KB

MD5
1952d7c80a6c78d8fb0d8bcd6f897083

SHA1
961f5d23908d6b65fcb4b6a01cfd7f9c7b1a0b99

SHA256
5efbde28c8f94cac67c048ece074f6f791ee4758363a48fd5340931e2d1edbdd

SHA512
176e2fa82f49697f95a5b5ce9355d0cba898be492643f0fd9e9490bd66532b6aa560d82b450d4e915c834aa1796ef6fbbddfa21bcb07184f66be663e90f00d0d

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
64KB

MD5
0b6fe988353a41f7bc19c12c32836184

SHA1
a35ca89bc323e6ba830040a45b49c99ad85a4791

SHA256
495f41db8661a9ae86834cd0bb703f9fb7fbb3d5d62528f274fe7ab89a700bcf

SHA512
4a07a2f67604c0a672126c34c968d20562c8dc95bce0dcc4c8b0f5ec9e5656511f1270f2068165ee3a8693571af3ba7a5f8cb613171d789748bc26b24753a38e

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
64KB

MD5
b70df97409f315d204da3275c9845b7f

SHA1
69787c94959c1e98a6b6ffc6f3d7e9e84fb5bae3

SHA256
15400d17d2f1de92b03ee6cb9ee6af545e77b44ef941e686c69ceefa4a5c9ea7

SHA512
203e840a6f7e8b06a276f6d4ead588ba3bc98f787b489e738f8d93dd2650eaae92d6555a0a8d684a4381b0b142bf2132e04a2c1eba9b445257694cea3aca65f9

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
64KB

MD5
2310d639787e22ae4e98c8655274f16d

SHA1
4bcb083f2597a53d6de67931e668eb6a2511b2b4

SHA256
5152e325b220010181a6403dfb01d4c878879df85a7a8ced7f6923dd5f7908fd

SHA512
09b93ac613d277d4b4c469be180060d4e3fca0199ef0f65af6f1d2a4b23e0dfd3cbd16470775033901bede2070838e5dd204a034c2255d4319d4bf7c4cbf35ff

Download Submit
C:\Windows\SysWOW64\Cbdnko32.exe

Filesize
64KB

MD5
b1a88d3118d0096d30090d576bb33ec4

SHA1
eb5542c8919cd267ba8af3ad7cef6789f7d24a9a

SHA256
f50d24474ee4b8e5aed9bb622c450d0f4da0e4a0672b6836f6f1c9100c1f55e2

SHA512
128caa3bb7ebd1699ca5f60ba0c03c252dfe278c6f67ac4a4611c2e56ea2f10fbda2460db05b1b27a93f875397663539bc7bba98fe94a1272cc1fa00f96440ab

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
64KB

MD5
e4efde82bec045d2bea79ffea393ea9d

SHA1
578f7a9e2df807f227e6bf4357b27d8710e8071e

SHA256
ecb6c353f963b3e5a2b03af5a26cd962ce0bf0c50bd7e13717843be837200b2b

SHA512
cf98b8683a354db89461851bbfe2f9612375cb9911c73606c18b403e088876bd181fd910f13e5bfd603711782a6ca270629911ccecf09ff6a2ad04c350ea4254

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
64KB

MD5
e378acadaa141483f84638be780c3960

SHA1
aef92579c58fbf46709f6e76228f6d708dc33655

SHA256
49ca86fedd1d4456411c5087fc82ae1f22be5095acdc67ef95f5dee71878c552

SHA512
5cc084711355365382107f8562996ba269ac4cad9ea284f9f0d0506d75fecafcc2d600e1ab5949e7c3892d060ab7218b3d8cd2a3e790a4408d47bfdbebb1e85e

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
64KB

MD5
f2bbd9210334021f35e6c719ed85400b

SHA1
d8bad2e13d2a58ff265f76debee5296128336870

SHA256
062b213208654b9a6c0a9d7bb87703b85cea18d23a587234487afa9ab804ebbd

SHA512
dd09496d4608911c3ef1b2881846ad6429b1994f4bdc56c3252a092393ef52857349658154a7760c26cbac46612e43fd2d6fb6eba3537da9f22cb4cfd2111a1b

Download Submit
C:\Windows\SysWOW64\Cinfhigl.exe

Filesize
64KB

MD5
3ccc3d7a4eda432c388531fbfbb98cd6

SHA1
43d4aba379c0368b26e5192b91cf9f079e8bbc66

SHA256
6bbc09c0267e952b45ab0ccc7b88198c538f6bfc8bd142699d7e4b65d1bfa65c

SHA512
95712380e8f2b50de44df79bf96a7d69c497ed8c72088afb8191e2bf9e6556c5c51675cef876a33dd277b3f234e58fbe9b8f638fc897c9df8e46d9ec0804a30a

Download Submit
C:\Windows\SysWOW64\Cklfll32.exe

Filesize
64KB

MD5
c5dc503ef76722df7fae9430fd8cf971

SHA1
d290a7a870d44a4391cd3828269e371afea6005f

SHA256
9b88cbb40af84b434618f13484a6dc36b5815516d658610feff132e1848e6b53

SHA512
bca412fde19bdca123e74c4325151dc0848340cdb9e20205eeee352ca2da721c1f1a60011c7671378e73f7d079f3e9a2e5ce89d683cc3dec5d76221895a2eac8

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
64KB

MD5
488a0be18099a241a76e64bdb9a5a57a

SHA1
4ccf12568f466c81accc8caf6a3f8462109c7bb1

SHA256
7814b2e54b87f9465e55166966181eddff6c4ec0440f1b9db4b97c736fab51e2

SHA512
0c96824f97aa90b05f121d8b97c6c9d690c87d58d55ad66949e4ebac3cceaec51d077cae61ab7b2262e29ac87c26a66da1e824197e5ff7fbaeb4c24844ee9ee1

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
64KB

MD5
4bc2851016c0a7be40fcff76c34d80ad

SHA1
ac377e428b505bdabea9f9afe3fef2fc233f4972

SHA256
36b87cc6ac54a9ca6f54185c3da2162f7195355b273503a7329ea81840a2c75f

SHA512
1f37bb5673598922a7be69074f848b5a2862015504559bbdc0297ecc0e5c0d33ef08ce724a9daea66e67ffe4638c6a767d968cf6b19b0a7062075b4760e4b4eb

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
64KB

MD5
b83b45d9925fd3ab9a3cc0d543c0c623

SHA1
e85208745a847292935f00386a51f0de890bf2f2

SHA256
2c0890eba15f2e83213939c74bd40265a45c1e44f79a58d821fcd4ce4c182657

SHA512
b8c7fd336779ebdf6ece6941372245b0b1d76de82148133bb6393fa4fdcd4bd28011b7538412f90bd7d71bf830a9d66ae1f4f2ba35f078f409d1349501f55c92

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
64KB

MD5
c7aba255bff8fe25181a7ab05fa880fa

SHA1
3f20649c8750a241db6547c94c9e570da93a21f4

SHA256
e34dc9b749e9a6b1c9a26b8980988d0cdefef535ded3d9cc54f99ce1bb156636

SHA512
64c33a15844f53f647f0b69d726e8ee58fd5f63813f1fca5a68ee3696b506b1dd2080cc20206e22875a38e6113f5f5e7703de194b5b7d0a49c216b91d4136cc1

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
64KB

MD5
e4f2131fcd1f8384b19f8b65c1e211a2

SHA1
ebdf22d4dd9641c89d27a635059e5d311db045cc

SHA256
84ee698e994cb99e03913c42c7a5f07f69d15e7c7b4b0edb0842ff3a256797c4

SHA512
62579a4bdf2b18ea39010a7c22166e9394f324009ddfe4d97e7d7d5dc4cd3eff081c9770e188757a6598473eefce96a82651f2a4cd8074315c4aaa5775bcf111

Download Submit
C:\Windows\SysWOW64\Nadpgggp.exe

Filesize
64KB

MD5
d96ea4d8663a97f63bcdc831bb659860

SHA1
4e6f4ea1eb136076cb280be38eeb394ad694f1d3

SHA256
ec748b842d69705f1505ad16b326389d94653e013f28ce74705f97c913240562

SHA512
522417553cd3485be286e96ea8a61bc84166c9efad734930090da173dd5d9af65c56e347815533cc2a7bfb220e4cc34fcf411eebca6f003995bda37df80fa2fe

Download Submit
C:\Windows\SysWOW64\Nljddpfe.exe

Filesize
64KB

MD5
655a1723437fe47258bdf255e82435c7

SHA1
a627b7b92b007b8a9ecf10540b28d1b16c7dbafa

SHA256
b1916b8e493ca59b369dd76308f6af9f7bb1e345a0699ea34c53d8bc7231066f

SHA512
e9d951c941225907801408ea4521904d0325e63e43bae6a2264ebc657c4b77f36e20f72f5f7ac36ccc83dac0faecb67b9646d4e7d0571cb4c250a2f11dcfe66a

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
64KB

MD5
5df40bf7f1b7424a225f0d2a01bd83a9

SHA1
46d4ff9d35ef7d3fee6d4b19c127d60d3fe62a1a

SHA256
f016607e9fbceec1a98472633b0a236507077aa590984a1a77b5aac9dbf9369a

SHA512
33a90d5df6499aa5bb5d033be6e9ef1f3e33a6820f022134331fd20a37a4300a94c70e65aa42795d1ab43d5c4cfe871c31f536a82509d9a30cbe4ced3760ef2a

Download Submit
C:\Windows\SysWOW64\Qeohnd32.exe

Filesize
64KB

MD5
95bbe2383fd1e99e50a435b946f83f68

SHA1
f868b0c2b11c17488bdc24d463762814a6383ff6

SHA256
02466ee7725884cd4f555796e86f581a3c8f038f1ebedb02f341e2839ea0452d

SHA512
849bbba738752d5af613351b7599d99bed655a83f21eecd31de4c8e609f0ac262ba7237e8ab2c35c4db4ae0732bf2c996d2ea2ae5223f1bdc17b05bf2f5510d7

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
64KB

MD5
dc4c88b7062089ca7f0561a21ac7a824

SHA1
5ee06d0c1458adc2146e6e29ab93363a034bce05

SHA256
6d43926ef94772a94d9b6bca960aa4098b7b6a0feb7f68b4a094f14787e05ef0

SHA512
b4533b697c8bf56d3c3a6bf2e18d09c5ddf3d138232c3e2650cd434a36120dd46d9bf536ec6f34e0ee95176f625b973fe1464f554e088c8c3eda9d0123247ac3

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
64KB

MD5
21ee7674dfafdd42bff1058177a4ffc1

SHA1
b24f3b3c5940d9142a819ed0b5f602e341e41f6d

SHA256
469194add3843166415a089e118f46509ee7246ca5ab23bab1be1b420d592e49

SHA512
0d1baee3b06d426eb0d5c112064be7eb80c7d7f5f35052ec761cc17ece090554ac8965f789bada64aea91d23623795ae92d0b5327beb234f1e11b5ffff864991

Download Submit
\Windows\SysWOW64\Nhllob32.exe

Filesize
64KB

MD5
a116ecfa8f224691a1391c81d2ba863a

SHA1
4523cfcc982d6390e3f656f1afd4d021593c0c49

SHA256
9eed0f6b48062c3fbde648a523dec3233aa91ce47bfd414468a7d041010dfae8

SHA512
512a82e00f0c9f7ea095351c407d87fa978eeff0e8e79e30a1ba58a5d47da77e9e5563ff50fb33e8ca52480956e8dd55c0bf4daaf136bf30345127c35c54abfc

Download Submit
\Windows\SysWOW64\Oalfhf32.exe

Filesize
64KB

MD5
be7d7cdfd821a0737253b73703dd4753

SHA1
ddb4d9434df8333c3d8427719fe4805cdb2481b4

SHA256
a596c99727b000b4455b572b08612eeee525c0efd89bdf3da519163b90534aab

SHA512
a45b9d9db68162aca95b82c711322eeb58c3a34cf2b5cabfeeab77f3c513a8538f2ade3d14a8ffdeb4c11c24cf2c567bf290aa5563264856fd7ed989fede6dc2

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
64KB

MD5
37ec5eeed262e893b974bf019d0c7916

SHA1
a7f9318b507afe9b6309a274d8adeb5971393211

SHA256
eab55219c05d0efdbcd0f7ed75ae369d19243286922b08fe307b590e1588ddce

SHA512
f898110f097f2c5588be49130cc61a6b726e8255f7ebb9122cce8e5eae8782b0ae4c4c0e1485136575393521ad6f1215cbd97803274604f76fc5e092e03800df

Download Submit
\Windows\SysWOW64\Okoafmkm.exe

Filesize
64KB

MD5
b8166bca5135c407a70e5d8a11e93bac

SHA1
36a80e8678c6bfd4fd63ffa6a6c10e8e624bf3f5

SHA256
f846bf7fa1a40c2db756c494ec8584df18afc438b305c7db3ba8aa9b7839f7ee

SHA512
414f36f58390bac8594b70e47bdb480fe43d13ecc40f8c6b57bcfe51fd7ee24567f3b797749452d35d1c2355a094cb3cd5dddb71d7751ee84d400bdd4e33c4b3

Download Submit
\Windows\SysWOW64\Onbgmg32.exe

Filesize
64KB

MD5
836070e88d252fc337e2a46c3a30a239

SHA1
276abdccf0d0d074f98866ac114218bd4727d69b

SHA256
888c9c5d49ed9a5cb21e168f0b62ead2283cfef2dd8f0c3817733498f704cc1a

SHA512
cb5a3079f52dc1971d9002d1daa371f0eab9f3bdcc2f2b05c88c56f8bdc1fac6a7bcd2f33abbf369b3fe44bc6ca6fd2e6aab3481c115b7b3bd2e25f64cee44f2

Download Submit
\Windows\SysWOW64\Oohqqlei.exe

Filesize
64KB

MD5
1667ce5207d0fd2ecbc47c7078dc6b4e

SHA1
39b51187e22dbf142cd66b89a6917f094df871fc

SHA256
b93db55c44531d94fe719b0ceb5eb1ae21ecdd7c9e2a66a3ab5a190f31450f0b

SHA512
197eeca19ca6148379ae4272c88470299b8b3199cd99f077dfca57ae513b4af66ba9643dd3b1c2b2cad1f566a6f6285c7bdaec69e86cd1acc39ebecbbc0fac94

Download Submit
\Windows\SysWOW64\Oopfakpa.exe

Filesize
64KB

MD5
d9c8aadc0bfa6625bc3745365726719d

SHA1
f1ef2b7b405355a79c8f1cc4b2356042e67c9ddd

SHA256
82b2e164d2f2ed1b1a87ab14bf70634cd419bef4c55039ce9cf92d0fa2905954

SHA512
eba44cf1e3d1d941dd2463e06830443cbee4fb696c7a56d54de8caaf7fe4d41df56ef28e1345948cc6b307b6959d0459f8dfa88b1569fa7d6a0671435905996f

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
64KB

MD5
9d3f12402d3db3a91e95d7a40c04fae4

SHA1
4ef1f7dec929511a37e3b51c6691353bf7badf1f

SHA256
f1dab8dd40c921f4ffe0dd9873ee18e08f7957a3f8d884499db7b51dac26d575

SHA512
adee261dc7c22b1883d0233b728ecbfb727e3848bbcd42f22179459d76fd2612a0d37f8ef36b9762fd5f0db11c21053e77f7333d85a36f3cfa2a73679a034337

Download Submit
\Windows\SysWOW64\Pdlkiepd.exe

Filesize
64KB

MD5
58dd1e50933480e348e8688ca43d7b7d

SHA1
bf9945943d85b459c146077447ca276d4760ec2c

SHA256
d1d79d3bc417d6b486b142eccd34657772ce4372753d211118ce1bfab4af4675

SHA512
7cbdada402e4d044f2467fa84eed27ffd6918deed6e60070941629af6f5b8789b3c7c7406ff330c5db4a56cff5335e9e9d9903d94fc7b0073fc7dd091997b14c

Download Submit
\Windows\SysWOW64\Pfdabino.exe

Filesize
64KB

MD5
94999455985d35d96a2f550d36d7379f

SHA1
724cc952152fb18fe2fb64616f7716d9aa57149c

SHA256
4c3f0960855409d03e9ad497c8179aba9c434f0ae2122af4d175bd5f922c5dfd

SHA512
b1a7bbc8261d8a34f1fa28ca0ed579bd45747e3ada9ec1f87740883cdaa39946ce072e1ff4e04249a257543d4d5655c2a79ff6e95e98a66e39c24c9339800f80

Download Submit
\Windows\SysWOW64\Piekcd32.exe

Filesize
64KB

MD5
770c41bf34e5ec3924c948d710322b68

SHA1
1509d433f3114868651d8b12f186650c89cddab8

SHA256
52f6162642f48844af1229e0fac1777799c46f4fd24d828993fb009d15080e54

SHA512
39885843464fa2e0af2643748b07e1b2f0b1987e1997e164b2f4e05c4b0e81773e4059c660ff628867271b94ff9c2fb0561f67c995c9854fde60bec0b8e6e10d

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
64KB

MD5
f6b35548a1b00b98e5af999cafc23c54

SHA1
dcbd807cb4d81a62552785d3a17cd160748bd937

SHA256
f6369d819cbb4ad9b382be4586ac82df40cf59a3b8470e411c7bd3822fb36db9

SHA512
27a4d838510fe2f1ee80144dea7e0f35b0a63b65a61d612ef14d706c26cf68cb0b65360f2bf561f4d31779ab30ffec7c2aec9908a5444d0362ed3795c704771f

Download Submit
\Windows\SysWOW64\Pqjfoa32.exe

Filesize
64KB

MD5
878da3a219514790732cf4f031361a65

SHA1
47496f3093f30a503d105469b94a49ac35d7c097

SHA256
241db5bca5196953c613670a71efe53b01ac466a942d910588a0eff3e88a0e00

SHA512
500fe3ff9c74fe063ab98880853636f3471b09efd7fcf5cc3fb7ee1b9a2a5f9253e052be65727eb38b5137c26e8954829b1452cfe981f5bf7c90e2e521a8e409

Download Submit
memory/768-234-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/768-276-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/768-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-279-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/768-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-102-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/776-153-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/776-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-262-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1624-299-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1624-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-246-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1684-324-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1684-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-289-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1684-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-72-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1748-12-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1748-73-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1748-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-13-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1760-170-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1760-169-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1760-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-232-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2196-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-188-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2196-136-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2196-131-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2236-117-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2236-172-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2236-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-118-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2236-184-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2236-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-215-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2328-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-152-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2344-253-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2344-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-260-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2344-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-300-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2488-342-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2488-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-216-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2556-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-217-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-121-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-335-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2680-336-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2692-343-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2692-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-47-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-27-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2720-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-86-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2720-28-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2776-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-55-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2872-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-103-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2892-185-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2892-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2892-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-245-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2920-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-323-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2920-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-88-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3008-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-138-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3048-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-321-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3048-272-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3048-277-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads