berbew | 159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Size

3.2MB
MD5

0a49ad8d47f7ee2d7e83688c438de6c5
SHA1

e1e5038764feedf30ebb8bb253aa793b42eab45b
SHA256

159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113
SHA512

331982d79486fe9862f44599c73bba57f1b7d24a0961b18566d95156fc9e49a1106d7c16a9a40beed5f37d1b21f5ad8b642c1d8f17a2a9541d73768b2d2c3af2
SSDEEP

98304:SXlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:YlBFLPj3JStuv40ar7zrbDlsa2VIlPWH

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkidlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmagdbci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akmjfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdmaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okanklik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odoloalf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odlojanh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onecbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqjfoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbbhgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onecbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 52 IoCs

pid	Process
2852	Nofdklgl.exe
2612	Ocdmaj32.exe
2588	Okanklik.exe
2220	Odjbdb32.exe
864	Okdkal32.exe
1516	Onbgmg32.exe
2120	Odlojanh.exe
2260	Onecbg32.exe
1720	Odoloalf.exe
2660	Pkidlk32.exe
2196	Pmjqcc32.exe
2952	Pdaheq32.exe
2136	Pfbelipa.exe
3060	Pmlmic32.exe
1456	Pjpnbg32.exe
904	Pqjfoa32.exe
1732	Pbkbgjcc.exe
1616	Pmagdbci.exe
1744	Pckoam32.exe
1244	Pihgic32.exe
1496	Qkhpkoen.exe
3056	Qbbhgi32.exe
1292	Qiladcdh.exe
2188	Qjnmlk32.exe
2940	Aaheie32.exe
2620	Akmjfn32.exe
2144	Anlfbi32.exe
1628	Achojp32.exe
2108	Ajbggjfq.exe
1916	Aaloddnn.exe
776	Afiglkle.exe
1704	Aaolidlk.exe
2368	Afkdakjb.exe
1584	Alhmjbhj.exe
444	Acpdko32.exe
1564	Bilmcf32.exe
2360	Bpfeppop.exe
2980	Becnhgmg.exe
2448	Blmfea32.exe
2740	Bbgnak32.exe
828	Beejng32.exe
2028	Blobjaba.exe
772	Bbikgk32.exe
1044	Bdkgocpm.exe
1936	Blaopqpo.exe
3128	Bmclhi32.exe
3192	Bdmddc32.exe
3252	Bkglameg.exe
3320	Baadng32.exe
3380	Cdoajb32.exe
3444	Ckiigmcd.exe
3508	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
2852	Nofdklgl.exe
2852	Nofdklgl.exe
2612	Ocdmaj32.exe
2612	Ocdmaj32.exe
2588	Okanklik.exe
2588	Okanklik.exe
2220	Odjbdb32.exe
2220	Odjbdb32.exe
864	Okdkal32.exe
864	Okdkal32.exe
1516	Onbgmg32.exe
1516	Onbgmg32.exe
2120	Odlojanh.exe
2120	Odlojanh.exe
2260	Onecbg32.exe
2260	Onecbg32.exe
1720	Odoloalf.exe
1720	Odoloalf.exe
2660	Pkidlk32.exe
2660	Pkidlk32.exe
2196	Pmjqcc32.exe
2196	Pmjqcc32.exe
2952	Pdaheq32.exe
2952	Pdaheq32.exe
2136	Pfbelipa.exe
2136	Pfbelipa.exe
3060	Pmlmic32.exe
3060	Pmlmic32.exe
1456	Pjpnbg32.exe
1456	Pjpnbg32.exe
904	Pqjfoa32.exe
904	Pqjfoa32.exe
1732	Pbkbgjcc.exe
1732	Pbkbgjcc.exe
1616	Pmagdbci.exe
1616	Pmagdbci.exe
1744	Pckoam32.exe
1744	Pckoam32.exe
1244	Pihgic32.exe
1244	Pihgic32.exe
1496	Qkhpkoen.exe
1496	Qkhpkoen.exe
3056	Qbbhgi32.exe
3056	Qbbhgi32.exe
1292	Qiladcdh.exe
1292	Qiladcdh.exe
2188	Qjnmlk32.exe
2188	Qjnmlk32.exe
2940	Aaheie32.exe
2940	Aaheie32.exe
2620	Akmjfn32.exe
2620	Akmjfn32.exe
2144	Anlfbi32.exe
2144	Anlfbi32.exe
1628	Achojp32.exe
1628	Achojp32.exe
2108	Ajbggjfq.exe
2108	Ajbggjfq.exe
1916	Aaloddnn.exe
1916	Aaloddnn.exe
776	Afiglkle.exe
776	Afiglkle.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Onbgmg32.exe	Okdkal32.exe
File opened for modification	C:\Windows\SysWOW64\Pkidlk32.exe	Odoloalf.exe
File created	C:\Windows\SysWOW64\Pdaheq32.exe	Pmjqcc32.exe
File created	C:\Windows\SysWOW64\Elmnchif.dll	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	Acpdko32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Gcnmkd32.dll	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Okdkal32.exe	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Ajcfjgdj.dll	Okanklik.exe
File opened for modification	C:\Windows\SysWOW64\Afiglkle.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Acpdko32.exe	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Okdkal32.exe	Odjbdb32.exe
File created	C:\Windows\SysWOW64\Onecbg32.exe	Odlojanh.exe
File created	C:\Windows\SysWOW64\Cjakbabj.dll	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Akmjfn32.exe	Aaheie32.exe
File opened for modification	C:\Windows\SysWOW64\Akmjfn32.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Akmjfn32.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Odlojanh.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Plgifc32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Docdkd32.dll	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
File created	C:\Windows\SysWOW64\Odjbdb32.exe	Okanklik.exe
File created	C:\Windows\SysWOW64\Blkepk32.dll	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Ocdneocc.dll	Pkidlk32.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File opened for modification	C:\Windows\SysWOW64\Becnhgmg.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Odjbdb32.exe	Okanklik.exe
File opened for modification	C:\Windows\SysWOW64\Odlojanh.exe	Onbgmg32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Odoloalf.exe	Onecbg32.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Pmjqcc32.exe	Pkidlk32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pckoam32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Pihgic32.exe
File created	C:\Windows\SysWOW64\Qbbhgi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Bdkgocpm.exe

Program crash 1 IoCs

pid	pid_target	Process
3560	3508	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okdkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmagdbci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmjqcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akmjfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afiglkle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odlojanh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdmaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbbhgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onecbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoloalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkidlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qiladcdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alhmjbhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okanklik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqjfoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjnmlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdepma32.dll"	Ocdmaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcfjgdj.dll"	Okanklik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnilecc.dll"	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneolbel.dll"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnmkd32.dll"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qiladcdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edobgb32.dll"	Odjbdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjnmlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Afiglkle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnnjk32.dll"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Becnhgmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nofdklgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kganqf32.dll"	Qiladcdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmjqcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faflglmh.dll"	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pmjqcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqjfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odlojanh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pkidlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmagdbci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjnmlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okanklik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okdkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmnchif.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bilmcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2852	2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe	31
PID 2720 wrote to memory of 2852	2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe	31
PID 2720 wrote to memory of 2852	2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe	31
PID 2720 wrote to memory of 2852	2720	159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe	31
PID 2852 wrote to memory of 2612	2852	Nofdklgl.exe	32
PID 2852 wrote to memory of 2612	2852	Nofdklgl.exe	32
PID 2852 wrote to memory of 2612	2852	Nofdklgl.exe	32
PID 2852 wrote to memory of 2612	2852	Nofdklgl.exe	32
PID 2612 wrote to memory of 2588	2612	Ocdmaj32.exe	33
PID 2612 wrote to memory of 2588	2612	Ocdmaj32.exe	33
PID 2612 wrote to memory of 2588	2612	Ocdmaj32.exe	33
PID 2612 wrote to memory of 2588	2612	Ocdmaj32.exe	33
PID 2588 wrote to memory of 2220	2588	Okanklik.exe	34
PID 2588 wrote to memory of 2220	2588	Okanklik.exe	34
PID 2588 wrote to memory of 2220	2588	Okanklik.exe	34
PID 2588 wrote to memory of 2220	2588	Okanklik.exe	34
PID 2220 wrote to memory of 864	2220	Odjbdb32.exe	35
PID 2220 wrote to memory of 864	2220	Odjbdb32.exe	35
PID 2220 wrote to memory of 864	2220	Odjbdb32.exe	35
PID 2220 wrote to memory of 864	2220	Odjbdb32.exe	35
PID 864 wrote to memory of 1516	864	Okdkal32.exe	36
PID 864 wrote to memory of 1516	864	Okdkal32.exe	36
PID 864 wrote to memory of 1516	864	Okdkal32.exe	36
PID 864 wrote to memory of 1516	864	Okdkal32.exe	36
PID 1516 wrote to memory of 2120	1516	Onbgmg32.exe	37
PID 1516 wrote to memory of 2120	1516	Onbgmg32.exe	37
PID 1516 wrote to memory of 2120	1516	Onbgmg32.exe	37
PID 1516 wrote to memory of 2120	1516	Onbgmg32.exe	37
PID 2120 wrote to memory of 2260	2120	Odlojanh.exe	38
PID 2120 wrote to memory of 2260	2120	Odlojanh.exe	38
PID 2120 wrote to memory of 2260	2120	Odlojanh.exe	38
PID 2120 wrote to memory of 2260	2120	Odlojanh.exe	38
PID 2260 wrote to memory of 1720	2260	Onecbg32.exe	39
PID 2260 wrote to memory of 1720	2260	Onecbg32.exe	39
PID 2260 wrote to memory of 1720	2260	Onecbg32.exe	39
PID 2260 wrote to memory of 1720	2260	Onecbg32.exe	39
PID 1720 wrote to memory of 2660	1720	Odoloalf.exe	40
PID 1720 wrote to memory of 2660	1720	Odoloalf.exe	40
PID 1720 wrote to memory of 2660	1720	Odoloalf.exe	40
PID 1720 wrote to memory of 2660	1720	Odoloalf.exe	40
PID 2660 wrote to memory of 2196	2660	Pkidlk32.exe	41
PID 2660 wrote to memory of 2196	2660	Pkidlk32.exe	41
PID 2660 wrote to memory of 2196	2660	Pkidlk32.exe	41
PID 2660 wrote to memory of 2196	2660	Pkidlk32.exe	41
PID 2196 wrote to memory of 2952	2196	Pmjqcc32.exe	42
PID 2196 wrote to memory of 2952	2196	Pmjqcc32.exe	42
PID 2196 wrote to memory of 2952	2196	Pmjqcc32.exe	42
PID 2196 wrote to memory of 2952	2196	Pmjqcc32.exe	42
PID 2952 wrote to memory of 2136	2952	Pdaheq32.exe	43
PID 2952 wrote to memory of 2136	2952	Pdaheq32.exe	43
PID 2952 wrote to memory of 2136	2952	Pdaheq32.exe	43
PID 2952 wrote to memory of 2136	2952	Pdaheq32.exe	43
PID 2136 wrote to memory of 3060	2136	Pfbelipa.exe	44
PID 2136 wrote to memory of 3060	2136	Pfbelipa.exe	44
PID 2136 wrote to memory of 3060	2136	Pfbelipa.exe	44
PID 2136 wrote to memory of 3060	2136	Pfbelipa.exe	44
PID 3060 wrote to memory of 1456	3060	Pmlmic32.exe	45
PID 3060 wrote to memory of 1456	3060	Pmlmic32.exe	45
PID 3060 wrote to memory of 1456	3060	Pmlmic32.exe	45
PID 3060 wrote to memory of 1456	3060	Pmlmic32.exe	45
PID 1456 wrote to memory of 904	1456	Pjpnbg32.exe	46
PID 1456 wrote to memory of 904	1456	Pjpnbg32.exe	46
PID 1456 wrote to memory of 904	1456	Pjpnbg32.exe	46
PID 1456 wrote to memory of 904	1456	Pjpnbg32.exe	46

C:\Users\Admin\AppData\Local\Temp\159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe
"C:\Users\Admin\AppData\Local\Temp\159c4b8d1c15e1be7fe4cbb89cd2da83c6e8fcd50de9e80317537ec327517113.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Nofdklgl.exe
  C:\Windows\system32\Nofdklgl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Ocdmaj32.exe
    C:\Windows\system32\Ocdmaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Okanklik.exe
      C:\Windows\system32\Okanklik.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Windows\SysWOW64\Okdkal32.exe
        
        C:\Windows\system32\Okdkal32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Odlojanh.exe
        
        C:\Windows\system32\Odlojanh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Onecbg32.exe
        
        C:\Windows\system32\Onecbg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pkidlk32.exe
        
        C:\Windows\system32\Pkidlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Pmjqcc32.exe
        
        C:\Windows\system32\Pmjqcc32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Pqjfoa32.exe
        
        C:\Windows\system32\Pqjfoa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Pmagdbci.exe
        
        C:\Windows\system32\Pmagdbci.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Pihgic32.exe
        
        C:\Windows\system32\Pihgic32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Qbbhgi32.exe
        
        C:\Windows\system32\Qbbhgi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Qiladcdh.exe
        
        C:\Windows\system32\Qiladcdh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Qjnmlk32.exe
        
        C:\Windows\system32\Qjnmlk32.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Akmjfn32.exe
        
        C:\Windows\system32\Akmjfn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Afiglkle.exe
        
        C:\Windows\system32\Afiglkle.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Bbgnak32.exe
        
        C:\Windows\system32\Bbgnak32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bbikgk32.exe
        
        C:\Windows\system32\Bbikgk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 140
        54⤵
        Program crash
        
        PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaheie32.exe

Filesize
3.2MB

MD5
cfa14b47bf2afe2273a65380f98c26e8

SHA1
0ea3b43015df0e7b62ec8733482fe777b6f62d45

SHA256
4f59d2008358aa84aab30396e69c85694b2bc97466d397c74013cc0d5cac4753

SHA512
464ce40d5094e19a85acfb00b668a35080789641f7da204b11a85fb8671ae8816c870e1fc6e5944fc9772caf9b75f2effa07f1ae23b86f5e22a8b21e31f892db

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
3.2MB

MD5
ff46c33983e80040633c8c9c560d3899

SHA1
be1725021945818da77f5e68617688bb2cf429e8

SHA256
eca1643b34c0584c4cedb5b7b7c28cca49f56c432fccc7ae389d415ff0feb7bc

SHA512
06dd4ed70d0449517a92e882c02a5490b5efe5138d553ef320477cf24699e63364d67ad7ccc73c839d6514c8b35b9ea667294d4e81c99607282d54ac67f58a87

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
3.2MB

MD5
738b1d33461af5572c4f117656631197

SHA1
81d2fb820c6bafc19965cf4e56de2f57b5acef17

SHA256
c09c5dac748f17ee9f71f0ca7c6b6321a67304acb281a2abf2a9e38534d27175

SHA512
a507c7825d6aa65749092a91e19478fb467a733ee40e181ba23b28e05e62e372824d0e61654101b498afd37c64bf97fe5fa541917b74ba6fef78c927de76d9ee

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
3.2MB

MD5
7783dfd27ecd01a90af4c46f72503557

SHA1
4183bf49a0318f5688f75ba135962178f58a84db

SHA256
632c88e349dc0ac31ec285338caa09f4a6d680e99e3d5fa90c78febd8355b372

SHA512
7042cb58b101fba2c0009df496214924495e95d3699936366500e03c672b9b0657ab1580ca68aa4e52e288fad0fa60950cfd70f9abb74b3d9c8654b4e771626c

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
3.2MB

MD5
0a1cb13f1ccbff291133669a6d35dc5b

SHA1
c0d456d6e72400cf7b33a7e7c48fce7d72137236

SHA256
f80cc71925ab190a601de256ac89c7faabbf8d0c55cf4e054092d86c94fe74bb

SHA512
dca5c9f1350b007f82624fa1faf3ded60e7cc1116a9fd62c8bb8ea868ca43532d923807c4d5ef88f01679445c7babbdc6633983229c0c25fbf0f8d9c89c3ded7

Download Submit
C:\Windows\SysWOW64\Afiglkle.exe

Filesize
3.2MB

MD5
c307f579a5e4bf6e92a7f3e3a20aba48

SHA1
90258dcbc2391227483fbce65d2fddf41791d6c9

SHA256
36f73d3a9aed7717e48db23c6f859fd504cf9be9f5ade9fcd63787c771f7e599

SHA512
e271eaef54420b29a2523efe35b8ec73e0c7478519b6929cfc02ebb8932df348b5edf46ffbdf7cf94d8cbe8dd746603d05bb736091f76cd5048fc7c8bb0d94cb

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
3.2MB

MD5
ac0075c0cf11975cae3d38621519c41c

SHA1
fc69c757024570fc43650bcb52eda1ff9c4517b8

SHA256
2ea381caceb1ba5b7f113cbbcf952beaa5f7033bda602940e2a838092585524f

SHA512
860b85ca746faea96587ca9fe16d41882bbe30639e7471f800ea2719271102b0067bdeb9d90ee9272e6f1b9557e3cba926f584b216893d36b3fb7c55045d36b2

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
3.2MB

MD5
7857ff0b583e763b51d3777d4e0eef40

SHA1
430e1f5c99aea44f860b478c6cdc8df3493c39ef

SHA256
d746263747d75c8f84240b9657f7b2f176d4f55e719b4365bb799e27b67bdc83

SHA512
08859398a8e915787b810e17df69ddc786cd53c51f6f70403ea51cab366bf86a82646100a65af83a5bb05a11812f28485d46393753597f96f3c830601649ac1d

Download Submit
C:\Windows\SysWOW64\Akmjfn32.exe

Filesize
3.2MB

MD5
d413abe28c311ddfbf0555c9e4e94873

SHA1
043915bf08bb58768883018a64128886ebb36b1d

SHA256
e6cd9cdb49e28f63edabd0365bbaf250b25dc56eecc463dedaf90213745e722f

SHA512
1676e0d16bd4a3365eb8c8e8460cf549627f23fce6d6bd3d743a728048b75e041ad0b49733c5b071f5a1b7dbbcbf3ca5c43a5432d35a78988c5aaec62648ae14

Download Submit
C:\Windows\SysWOW64\Alhmjbhj.exe

Filesize
3.2MB

MD5
711b9295b8d99ce67cd176a5e034be37

SHA1
68c1cf24851230cfe422d64f593803d2b3c0f771

SHA256
9080585c5ddf82206084cb3f821b721236d659ea55fcf5fdc8fd9671f7c5dcb2

SHA512
8752376ab841c985104ebfd30cdf4ef99a229a556ea752e97c6e6c50c65ca4d6a2374ec42483200a8bda158c2f1d424a93f747f61b233d825477a450f45391bf

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
3.2MB

MD5
15eec833cd39412e853c8eec829c8f51

SHA1
dd66ab4e6fb57d5844c8d901ab0618b981fd3c75

SHA256
f7a39af72a68a5b778aa570dfb370e0295e082ab8322e66f2e4c3dc3e26ee2fa

SHA512
044469b0eae0b0d4f95d2c581c49fce1a7b59f4ca89fcb2d9156df9b82e38c250032a3732d679f46d463d50f84deae5e22ba512023b116c1971bbf82613da5c1

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
3.2MB

MD5
e4b464d4365b547d8f9a21ec54e1d983

SHA1
b74fddb9ba57c16e9a7a26b020a53850adc628e8

SHA256
8460c7395d87cc4f4f52a222c2d7b6c0d86c8fe48999b7d1f378feec4fc46f8d

SHA512
8784f719e9e8f89dc6e3522565358aabf1bbbf88b945e6f00fc7882ad98ac05f099da562234588d3edba4e63868f4022e2f5842178e0d54e64673bfeff110f6d

Download Submit
C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
3.2MB

MD5
196f2dd4c7ddaa3fc6e300b19a8b83a4

SHA1
6498b2dfe8e7b7b7c5ea2a33d690b61c2718ea84

SHA256
f8683686e79452c46047c6eed372807f3403311993ee38a9ff26530dcdf52de5

SHA512
a89fb8f5e264c3d38949181bcca551dae18eaccb0e796f263b5a8dd3b08d5504dc48199b14de403b05d91beb6dc23a1946a060cfe5390967cdf2df2d13a42eec

Download Submit
C:\Windows\SysWOW64\Bbikgk32.exe

Filesize
3.2MB

MD5
779dab8638a908ef01671448cc6a579f

SHA1
f4ea2dcdec132a584c4a421d92f0711a04494a56

SHA256
ff12c2edbe76575f329348a8c6bcf31dd9130560bcb91cf69b8bf09f21454600

SHA512
d2333f3442d1afb619a06612091e446d832a6950cde4271bdc97ce5c86ce18fd8d3d24bd7be09c25ecd06c0c46f04b7a492176a37121a1e27eb922d8f3f6fc04

Download Submit
C:\Windows\SysWOW64\Bdkgocpm.exe

Filesize
3.2MB

MD5
3a3c169f5ce086a99b98e7acfb973911

SHA1
590f99c5889027f661622c51c4926ebc2b80aa16

SHA256
4b4e59719d342f9278dadbdd4f51078dd56fa5a1579ab59a58ada624bd015aac

SHA512
1eb4be35c704ce2a94e53387c2cd04dfee0e5a5293c18a6869910ca8ce63bfde6863378a697fe717640e7248a4ac903297d3dff78caeaa4766fb6d4b9c7cc881

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
3.2MB

MD5
64cef987b32d935dea6997d493e8a9b8

SHA1
74054016f388aa00357cea2134315584c31e2aa8

SHA256
53188f2d3fdd4a656db36cbb9dec67b95ce8a8cfd28ddd59515d55fb58f695a5

SHA512
ba43fe9d2cae3b3e1cbd6354b5d0f2a9245b3bf8fe198a0cd306566acb4945fc4c7519467db9fe5666e4ccf7212fdbe27e518175805eea296d31305acf2bf127

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
3.2MB

MD5
20259fa8d7c1b2cd608dcd576af2f1b0

SHA1
02489f80038b9040241811f03cedec59b739dc73

SHA256
8ba057960803af774028f8a873f8ff97e85c865d5e8f893c1391a0d271dc783e

SHA512
410a25cb8e1201a3ed67dd34480add1b82853d7aeae21c4b34b9165d26c15b3cc6f91a2f0564d2a583bfcffc016da259777b0815612afac5cafd1c447e6b47dd

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
3.2MB

MD5
f01bebfc9bdf507eab2747a3d10e47df

SHA1
15803f55a7010e20505164ba4f9ab7269dca0f04

SHA256
0d88d8b93b5ed57c7e618bdd7cb0075c2dabe0baf7e1178b5201cfc93c048c52

SHA512
d239ef256c52db894fd559b037a799a5455ad812b7f08d07f1347f930f413bd4289cd16cc56b52bf255f90c60f6686c6455e8ff335910100b857e25590600336

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
3.2MB

MD5
c85eadeab932b5d8a5af20ee783448c9

SHA1
05e7da6d307218291b698ed539a5890d01354376

SHA256
3a61ad93a5fb3cfd8f797c692464eccffb61baf565a4730bbb635691ded3e95e

SHA512
d84d7b0a5e513c0bc3a67faa44c6f0a7b759d4fdca1775b89e9841749d2d01d9929ec90e447e70826b91ef89876a44bcc7aafb8efb363aa5c0d8530379b0c74c

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
3.2MB

MD5
d8e7a7dd46a19a3b280e118383b83288

SHA1
40c79423b8e37d3e68fddab34f9e3da8c0c658cb

SHA256
1e11c927559314f6c3e865f98f3192d4a5230da9c9b28dd0c33a59505fe4bf41

SHA512
c8935257879a42325d8a152f31d8a51fb0c3d2d47b8efeb137218636c2862b55caa8258e93b8f2285f9f2141f2d38c5278dd6a55e578f82d4d319f566adf6c70

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
3.2MB

MD5
abba142ee489de6ae7bec501069f353d

SHA1
f920e3a269dfb7dcecab4df657f1cc673265d041

SHA256
75e5e8d02bad5e4583a8e06a66f02a171507c3db2a486ed53aeeaefa4b93bc14

SHA512
913da907a641aabf40f61a55a82fae9466e3d74ded8ac8cd552483a217634a81e244b27e121ed5e6dc5dad13c9ba83579c5e99d8eee182caeedc5a72cb1b667a

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
3.2MB

MD5
918fe142d1bd51361212f2c7b39ac752

SHA1
6c02fc5951bc826bc055b39d2c8998712c417156

SHA256
1bb4b7a6d378f5700fdeb4c9902042bf276a8d9c46be7efd7347d0cc1b2245ff

SHA512
0d7d514d80e839b06301ca6ab23dd6acf75051bb9715b15d6518030cd53b078c725ad1dfdbbe877a32765860d3168668346654fdf674f11b23dc54af6635c37f

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
3.2MB

MD5
b2e17e4cf5659bbae652add0a90ca3ab

SHA1
0cddfc784495d5d4410793ee0fe81aff17a47db3

SHA256
dc7237b1b2205b916221b3517136c9672ed5a789d546ce126f19b33a2c59203a

SHA512
75ae59f361183dbc5a503542ce712ad6f1a25ec99598769d021afb66fcbcfed071e99736bd9465993f8d0f4c8ba2dc6212772da9d48e49eb20eedb4d744ed8b0

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
3.2MB

MD5
11f9f0acd9f197c9608a7ad37489fee7

SHA1
c629e8321480908859a1da0484902bf5f37f8e9b

SHA256
3557ef53d1c48ed5b4d7bf10fd94f5492cb31f55da863951f9c66236c794fa27

SHA512
30cffe6ae7e53d60f0d07dce86885ea8ee2d47dd8fc9b316cc9e5e92487f72e9741aa9145e0147ddc03c324ae9beb189b1c8a21b30921d5fe4b7a1c54a35902e

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
3.2MB

MD5
19ae21993ca0367b6635b3f3f1dc873a

SHA1
d1e8c5d3d35c9ed1a90c89e98f531bd7afa6967f

SHA256
a1aa812476724a1fbcd9723c794e6e38a49e97134fdbd8c4f7679d00541dc5f0

SHA512
3f0dbf4215f9abcde1338202db5d0a5db2ae3d2c80d6b45d4ff14ae9306bb3989bedcf884aa21402d319a0822c7e04e82ecae6467b94c8fd263f64701b39c9d2

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
3.2MB

MD5
8f42788cfbf06b6a02802f6106068681

SHA1
14dbbaf49cbf66643561e5844874b8e64aa29be9

SHA256
d071c8cb7d94d3fd3477831e3ebbbff77615fb19d7ce4746ab52f059b71bde89

SHA512
19551da7148726f3408c188f1ebc40daf9d806753d2b5372f615b487c2509ea5974f88e6390bc2982651f7a6adc1df7e08e5392fc3b2f7da89021be91226eeb4

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
3.2MB

MD5
9918c14651aa93aa025e7b506ad1df97

SHA1
9b2156e209a60c5b5e6c2932b2bf2a2d0aa3ba88

SHA256
127dd91c6cfe2f239971ea9d39d611ee8f976650ca28b889341ea343645189e4

SHA512
69eab9174dc50b264d91a13d279a1dc05c659759bd6f37078be28b2f6b011d98455f4fc3b16bf02f98370251b36ace42788bc056f6a76a1dfc27a45b98e65310

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
3.2MB

MD5
54c8e7b7e0a0f1b4f0465209269e65d7

SHA1
a18e102f7f50fa65fcfe15a228aeb9a6c7bdfd43

SHA256
cbc730233509b26d84ff2c00ad74efa86f12deaf6a73d405f4c111ca285b9dd7

SHA512
9524c79148336683ffd4b905e86d27c99246135be97dc79fe5dd5dced818f972c08b19f9e356b01df813e67284d552cc5fb431a5b28ede675714cd7fb7433e55

Download Submit
C:\Windows\SysWOW64\Edobgb32.dll

Filesize
7KB

MD5
959de88df368fbc89735ee5fcd289359

SHA1
f072d4babe636e99c3e6045830942851763ecc9d

SHA256
60f41e5c8dc6a397cfc2f4c0c1a3ab58862a355e3d94c43d1597be1464ed98ae

SHA512
5d8b7fd5689a9fb2b530700f68e00d96123660d90b42e3abaa6734d8ba35c170d4bf430221fd0f3aefe57cf810a3caefa82dde20c068231df4198517bd53cb1b

Download Submit
C:\Windows\SysWOW64\Odjbdb32.exe

Filesize
3.2MB

MD5
1df6a22e8923b7561dbfab4e9a76c022

SHA1
e257de56cef26638b7595877e24a78156e27340a

SHA256
d50ee58f4f5d9b04c681fe404a391aed9a879d0d0d924300a13e4bbde3b230ea

SHA512
33eb8ad9b71c5ca25eac0d175219418833d378345b7ac495edd9a7b95b4eb5de2526e20242ac147bbf720f49eb8214ddd05beb96b0bf95a096a5842fce1a6411

Download Submit
C:\Windows\SysWOW64\Odlojanh.exe

Filesize
3.2MB

MD5
790d1f6dc6d055d5a607ee135e0d35e0

SHA1
16faba46cd395a91ad8d2bd2cacdf59120047c65

SHA256
e1528b5eff310087aa61b12043c15542bcfbaf2d96daba675a698805c98a86e6

SHA512
ce4ff9db838101e81c89f03617e1c23f877208a3417f0bc7d5b1683a3c24d41242f2d8fa0f0f2d486205b00dd1a3ac1ebec8ea1291d003c7c28bcd946c7008ca

Download Submit
C:\Windows\SysWOW64\Odoloalf.exe

Filesize
3.2MB

MD5
4f1ae1cc5d426097c88e079938360230

SHA1
a2af77d48fb63d282927858ffc4f73e794ae5bac

SHA256
4645cd5b80e9472352382f7d306dfd13ee809168e4c66bc57d0140d464fc3e3b

SHA512
eff395337e6269231892a0588d1c1512137e954203cdc1ca1bac335f196b89c42d7edab97bd0d1302a3983972c8407a54922bb3104d12e4584eb7f0020a51773

Download Submit
C:\Windows\SysWOW64\Onbgmg32.exe

Filesize
3.2MB

MD5
dbb5109de80d7b4de1d2de8b82e0a4a2

SHA1
dc2e55c16eac285ab422bd835b73472a531572d5

SHA256
093db6bb2ccb459f5ac095cbf569b1a48f69a9a24396fcf4b01bf2b97772dfb4

SHA512
ca32ed5f71eff2ff771352eb9271bc328f206a9c68e5316aad995681c2bfe2a0bb4eb894665763e5a2500b36707a6a978344f2e31864aee9a3c500561a999288

Download Submit
C:\Windows\SysWOW64\Onecbg32.exe

Filesize
3.2MB

MD5
5318f22914c5e83273f0fa5b0fb4bc79

SHA1
a58c706e7061b03dda37ccbe022c68ca8899e2d3

SHA256
b27d6d7d40fb760777d19980e643494e3917ed4969cf4b067c0c532be1703ca6

SHA512
5a96c0b7a151ba5260eb92d5ed129e9df774deeded77ac147ee82c6f85849379ba12ed86deec596c3f07ee9f349deda244b3ded85f1d980d0b8ced5ec18564db

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
3.2MB

MD5
d90ecdfbff3199fc65d786ba9776537a

SHA1
0b92767992250ea51430111029a145c264c7cdbf

SHA256
4beca712e21629c663ab473759920e75ffb5189d1a81f884c00498e8b8831c4a

SHA512
71daa5168335e6a2beaef468f26221741807001df8a1e15c16bc09a8d292e5045c6ede14ff67b8df11a68cae180e55fc9e7ee88a8d3b0ea1a81ecd89223ae7f7

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
3.2MB

MD5
4d77e22f82ca7838c27c9be111b8d49b

SHA1
6215c1f23268ed51a808236180e85ab811b3b35e

SHA256
ad12bf903c7bca7366cef1fd24d0c34213feb71548d6a7bfe3ad3d1efd456253

SHA512
77d9cd765df177431d746a03237047718bb286c6bcd27942accb66da11273e5d7e65b2400c489d7dbba128c79519e2f6817c865cb7aa591ad08149a40d2ab73f

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
3.2MB

MD5
b5ff26b587deec51b12b8a6456e2cbd2

SHA1
bd1eb09959fa3738831c34b457afac193a7ab3a0

SHA256
73f0826a56456cd6783691f6064e51504d78a15009674f42d4edb63fbc41c618

SHA512
928e30252dc13f9661a4c168bf92fde94d9b3a7da42dda806da9d929e77933ab98720750a4a1b53490dd83d2f8e0e7db015d360f7f8a392412494288640723fb

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
3.2MB

MD5
c0eae3bbceb797254bdb16b0416ef9c3

SHA1
5859a442a38b22c70cf3eb00bba4f4452f192d59

SHA256
166208d938d410d4c83a213ddf048d1f08dbdb2ff4236bade5a0e45d51998c67

SHA512
699f283f8a53e6679ebe309ea3da3f5d448c7fbf6b4b91fc99a5fd1ca48b7d108cc8883389bedac7dd982bc10b3bd1d5ebdb6367890055263e3544f04cb7a2f0

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
3.2MB

MD5
a1ee892c843043586bbcaae0bdd31cac

SHA1
d253bc8cc21259f85be5051b5c67c9a078c6e1ea

SHA256
8beaa48efe5984ca05076bdb9007c1964bb99f7caf440ba22a788a3235141c80

SHA512
8f6c296fff83096a8b8d0e958ebc348ee9851db6ac51166ba9b51692fdf8dd2da781aa94f4cab213a78eac7847e391ccd146cec6c5d44e77518e337d0c24f6fd

Download Submit
C:\Windows\SysWOW64\Pkidlk32.exe

Filesize
3.2MB

MD5
f16cfcfcea24f969e45b575d90c89950

SHA1
09e0289502f090b0d87a607a9ebe76e3bbb82867

SHA256
7d3cb39555f257ead7da0200b8ff651f2d2e4a52a32bd6c459a3ad706df7b58c

SHA512
5ce6a6c5f96c30a05daff7a1ca68a2794f2634f4538fb80ee318a86af2281a4cfa2651f8f57d120b70733f673a3ea505313d18836ce0a5aa5b75e21ad90dca78

Download Submit
C:\Windows\SysWOW64\Pmagdbci.exe

Filesize
3.2MB

MD5
ca04473655548d7d7961739532d021da

SHA1
a73b66601a7c6b2a8864b97ec6d1039d6ac19ee4

SHA256
eae22213b8d6a0f71091ef3b8316548534a2331663fac4f900dbb6578a6af69b

SHA512
9741f4e9f999e763ac77837ea729312719370804a1bc22fd4e63a348f5c2bfffee73b5bbee68fe919eb18db89688df98fa4ae7c111f78c292ba3a97e67737a85

Download Submit
C:\Windows\SysWOW64\Pmjqcc32.exe

Filesize
3.2MB

MD5
dd88f4db4d1561efbdc87b74b8d94adc

SHA1
329655f4f38256a1a7222cc0449c86227eea16bb

SHA256
4a90b09590186a244b75f4e35aa67cac4001bbf3d01cb677629ad3a599c2185d

SHA512
4669f3585a8095a118b97b9ced75d8816cba0bf938711c9be11ce3bc979f6d3d26a0d82612854b5cf2fdbb665ec8bbe134df4dfcdfff7050115ed76396176441

Download Submit
C:\Windows\SysWOW64\Pmlmic32.exe

Filesize
3.2MB

MD5
feec141e86158f41bd4af1df82d2fd84

SHA1
9742f825f3d21c7caf9e32c89f6831650af77952

SHA256
7d75e401ccefe6f8c25844f5ad18fa24360062a951d8eb973f5d412627eb33f1

SHA512
a16901d8ca851cb83b3bf186900445ab85afa6003dc64bfa5875ad8c9a4885aac3245fecabc9dca1b0ef3a302ffe405fe4ccaacb55dc55bb21a832d689aba695

Download Submit
C:\Windows\SysWOW64\Pqjfoa32.exe

Filesize
3.2MB

MD5
cbb21cf737a1e6c9641c311ba0b45b80

SHA1
a4a979975e8153fdc63235a0fd78801f732cd3bd

SHA256
ccfe824b95795b43be7d012db74f45556833603033efe7a597fefe8ae8fda8af

SHA512
8af7921d8334e35a892f710c86fa62d7f12dd26c07a664d8ff1add49f85cab196c914d4e9d189ea5b0a5153dd95682f02fe5d596814afab894be91d9cd1e1ee8

Download Submit
C:\Windows\SysWOW64\Qbbhgi32.exe

Filesize
3.2MB

MD5
77689935ccfd9ab2afce1c018367cd55

SHA1
5b5a7f42441674a5fe0420b4fe5380650f70d0f4

SHA256
b61106dff0b23ba382069c7ca1008f3ffedc0a92e3437cf53a316bfa686a6953

SHA512
b2c97dad878903ea294717531b2b989209119d690a3d747999809f45000280f365822ee9f15dabccfca8c48a8f48e05a977200912b25623a49d781504da920c1

Download Submit
C:\Windows\SysWOW64\Qiladcdh.exe

Filesize
3.2MB

MD5
67548288cbed9ad165a079074a8ec062

SHA1
2e46bed5ed81366f1497412ed92b78c75cf58cb7

SHA256
5be9341dbd7affd4829b57669caed731ac77bd3fb9c44a828b79aa66480d7b23

SHA512
993181b68a9eb96a0f5f2dc1ff3e609344ddb07696b7daed6539a5c03081ea5ac4fe7c434a9427943a09460d0b7c2888cc03f14acfb72a1c7b4ceaac564c2827

Download Submit
C:\Windows\SysWOW64\Qjnmlk32.exe

Filesize
3.2MB

MD5
537100add1157b18ead400ea85ec6333

SHA1
a04aec2e2cadfa9995f1b32992d6d1e3afb86150

SHA256
e36e5b93ff5bfc5d95c8eef29a66fa178e44b7466df1b8782f95cb2bedbd9153

SHA512
e0a52a006d53d49c560423d52ae89f56ee4d427c1314497155ef8c9338d81f67d45ad46e6d7f9fb98b8e7ce4d2003f8be7c526571d3ebd2060ab2ecc51ccf7c9

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
3.2MB

MD5
e97dfae3dafe11045f5cf3d2bac02f1c

SHA1
078392060476ca810b684fec171ae1a37cc1fdb2

SHA256
5d82fd21c686231c63a0809ab13c8ae6a256e74b6a5bc46389c376d65a8b5ee1

SHA512
ff6fabceae6635eceea30175328f3a447d9709a6865d003af46c61fdd030bb11c5c4bb0fc098f8ef812de4fca2e9064e68722b22e2350cce47d346483e072fb8

Download Submit
\Windows\SysWOW64\Nofdklgl.exe

Filesize
3.2MB

MD5
df4c8ddfa6a44e9dfc7da0cb298de2d8

SHA1
f3c0ce3991eeb0075d60efdd63c92a592f007237

SHA256
7140faf81a162c34c5f82628ca3f0a74a501003a7a4ca9d85e585f5d6febd73c

SHA512
8d23d1084e4e4769eea40cbe6e5322e9c4cf2df370fe869ba68e8ce0788a2f89553b3d3af408cf06f48528edcdf5d373d0fab798c9e8728f050495fe86972530

Download Submit
\Windows\SysWOW64\Ocdmaj32.exe

Filesize
3.2MB

MD5
38590e73fb47961cba8948ce07d9ee31

SHA1
7560f1f0868dbfec34ad610a47f2688044b620cb

SHA256
adbea4c6434e3ae528dcfeacbb7ef8e2c8fb2c49b08d6e46c858b2caa9755291

SHA512
0694e97be8e2ded63612c259bd2fc07612a340fde4ad8bb01046eb3362f6ecd5102f8dbeab69b6d4863a29653547d442e2a77fb7a03ba0f1e54d6c5663fc8906

Download Submit
\Windows\SysWOW64\Okanklik.exe

Filesize
3.2MB

MD5
5be4fb50fe65f2e2a6f1db2837880d94

SHA1
b0a2cd35e2f30408a8b6fdb73b83c6061e08c16f

SHA256
6e0b1b856aee1205abcf994321ee76d87df026d5bb2e8fc4d7e2cb4f1bc2fac7

SHA512
31cb2043ed8a39926974011bbc67ea3dd81b82059d4a2e6f1d7caf110ac0f9a0d46e8d21658818cbcc963d5556062351d52e18787ea0f9f70a32741b7df04227

Download Submit
\Windows\SysWOW64\Okdkal32.exe

Filesize
3.2MB

MD5
dab21425b0340bc24a686555f1b3c6d2

SHA1
a0d43b4ec3e1af431a7bfeb48c43fa23e2ec8fb4

SHA256
45cdf7760eff5b4ae5b3f3b85bf810d7d262553e1abe23dad40e8369a6fc2754

SHA512
1e1c606196a6a10950174ae87e6c5db64f177cac643be5a4d33d1c652736735357538fa8968a8096e768976630fce9abff03de8334ecad6fcb48bf32f24f68ff

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
3.2MB

MD5
d03ec8ae54ea408d183caa2635e78ec1

SHA1
376156981caa5cf6d41262132d7f6925ec12c21c

SHA256
16ff44a53477c02f1c2b091388084e2a901db05db880e531f773625af5d05420

SHA512
915d1ec8db723945848071e99a912b337a8b335e84e276978a0675a9f3c76b1229c172c58790a86d924dcba7f63d57e2e63fd31711cb31356456c3b07c3700f7

Download Submit
memory/444-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/776-399-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/776-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/904-235-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/904-231-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/904-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-277-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1244-273-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1292-300-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1292-310-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/1292-306-0x00000000004B0000-0x00000000004E6000-memory.dmp

Filesize
216KB

Download
memory/1456-222-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1456-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1456-221-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/1496-288-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1496-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1496-287-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/1516-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1516-411-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1516-97-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1516-92-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1516-421-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1564-451-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1564-445-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1584-430-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1616-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1704-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1720-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1732-242-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/1732-246-0x0000000000300000-0x0000000000336000-memory.dmp

Filesize
216KB

Download
memory/1732-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1744-265-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1744-266-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1744-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1916-385-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1916-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2108-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2120-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-191-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2136-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2136-192-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2144-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2144-354-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2188-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2188-317-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2188-321-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2196-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-65-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/2260-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-434-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2368-422-0x00000000006A0000-0x00000000006D6000-memory.dmp

Filesize
216KB

Download
memory/2368-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-377-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2588-54-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2588-42-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2588-378-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2588-55-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2612-40-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2612-366-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-34-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2620-339-0x00000000002C0000-0x00000000002F6000-memory.dmp

Filesize
216KB

Download
memory/2620-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-455-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2660-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-6-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2720-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-353-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2852-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-26-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2852-362-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2852-21-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2852-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2940-332-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2940-331-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2940-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-172-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/2952-177-0x00000000002D0000-0x0000000000306000-memory.dmp

Filesize
216KB

Download
memory/3056-299-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3056-289-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3056-295-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3060-194-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3060-202-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3060-207-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads