berbew | 954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe
Size

77KB
MD5

a14aae5b010f8badcc87d8607010bc00
SHA1

a65d6b6d69b56f4b2aad2a5b1f4ed9c920c3fe3f
SHA256

954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884b
SHA512

4486e9b57885c863288748bd59327486c58dc5997e9819e765a714b4411967f36ad425880378ebf2ba459579f48b2a5b06ec7c16943ac486b309f12882a0cf33
SSDEEP

1536:Plyg+/XZBNxsV4KfBbKMYBy72AA2Lt5wfi+TjRC/D:dygmJBNxMkM6y72Yfwf1TjYD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmfdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlfqh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moipoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcehdod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moipoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqkiok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfqlfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodeajbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflkbanj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdppiif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnhdgpii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
5124	Mfqlfb32.exe
4848	Mnhdgpii.exe
5280	Mqfpckhm.exe
4404	Moipoh32.exe
4780	Mcgiefen.exe
5136	Mjaabq32.exe
4896	Mqkiok32.exe
5320	Mcifkf32.exe
1700	Mjcngpjh.exe
6108	Nqmfdj32.exe
3964	Nclbpf32.exe
4224	Njfkmphe.exe
5448	Nmdgikhi.exe
2000	Ncnofeof.exe
6088	Nflkbanj.exe
4640	Nqbpojnp.exe
1512	Nglhld32.exe
2668	Nnfpinmi.exe
1388	Ncchae32.exe
4252	Nnhmnn32.exe
5468	Nmkmjjaa.exe
544	Ngqagcag.exe
2732	Oplfkeob.exe
1336	Ogcnmc32.exe
1460	Ocjoadei.exe
1140	Opqofe32.exe
560	Omdppiif.exe
540	Ofmdio32.exe
3696	Omgmeigd.exe
1016	Pfoann32.exe
5500	Pjkmomfn.exe
5636	Paeelgnj.exe
5240	Pjmjdm32.exe
3724	Pmlfqh32.exe
5356	Phajna32.exe
4292	Pjpfjl32.exe
4916	Pplobcpp.exe
5560	Pdhkcb32.exe
5372	Pnmopk32.exe
400	Palklf32.exe
5412	Pfiddm32.exe
3348	Pnplfj32.exe
2768	Ppahmb32.exe
4344	Qmeigg32.exe
4260	Qpcecb32.exe
5100	Qfmmplad.exe
5860	Qodeajbg.exe
3156	Qdaniq32.exe
2344	Akkffkhk.exe
2912	Amjbbfgo.exe
2160	Adcjop32.exe
1900	Aoioli32.exe
5344	Amlogfel.exe
2708	Ahaceo32.exe
1956	Aokkahlo.exe
3240	Apmhiq32.exe
5748	Adhdjpjf.exe
6104	Akblfj32.exe
4792	Amqhbe32.exe
4316	Adkqoohc.exe
4360	Akdilipp.exe
4560	Amcehdod.exe
5088	Apaadpng.exe
4920	Bgkiaj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Apaadpng.exe	Amcehdod.exe
File opened for modification	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Mjcngpjh.exe	Mcifkf32.exe
File created	C:\Windows\SysWOW64\Ncchae32.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Qmeigg32.exe
File created	C:\Windows\SysWOW64\Akdilipp.exe	Adkqoohc.exe
File opened for modification	C:\Windows\SysWOW64\Bahdob32.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Hnflfgji.dll	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Oplfkeob.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Ogcnmc32.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Pfoann32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pjkmomfn.exe
File created	C:\Windows\SysWOW64\Jcgmgn32.dll	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Kajimagp.dll	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Mcifkf32.exe	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Nnhmnn32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Jgqjbf32.dll	Mqfpckhm.exe
File created	C:\Windows\SysWOW64\Iocbnhog.dll	Mjaabq32.exe
File created	C:\Windows\SysWOW64\Apmhiq32.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Lielhgaa.dll	Amqhbe32.exe
File created	C:\Windows\SysWOW64\Jlkidpke.dll	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Ddgibkpc.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Mnhdgpii.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Boenhgdd.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Nchkcb32.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Nflkbanj.exe	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Pjmjdm32.exe	Paeelgnj.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Ncnofeof.exe	Nmdgikhi.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Nmdgikhi.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Dempqa32.dll	Nmkmjjaa.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Ahaceo32.exe
File opened for modification	C:\Windows\SysWOW64\Amqhbe32.exe	Akblfj32.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Mqkiok32.exe	Mjaabq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngqagcag.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Qimkic32.dll	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Lbandhne.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Ldpnmg32.dll	Mqkiok32.exe
File created	C:\Windows\SysWOW64\Nqmfdj32.exe	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Ncchae32.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Bhgbbckh.dll	Ncchae32.exe
File created	C:\Windows\SysWOW64\Lpghll32.dll	Ogcnmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pplobcpp.exe	Pjpfjl32.exe
File opened for modification	C:\Windows\SysWOW64\Boenhgdd.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Cpmapodj.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Mqfpckhm.exe	Mnhdgpii.exe
File created	C:\Windows\SysWOW64\Mjaabq32.exe	Mcgiefen.exe
File created	C:\Windows\SysWOW64\Oplfkeob.exe	Ngqagcag.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qodeajbg.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Akkffkhk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1396	2596	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqmfdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpmapodj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjaabq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcifkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmdgikhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokkahlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfpinmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocjoadei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcgiefen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Dafppp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfqikef.dll"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqfpckhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmjdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbdjofbi.dll"	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bmjkic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebggoi32.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnhdgpii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll"	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocedcbl.dll"	Amcehdod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogcnmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjaabq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmikmcgp.dll"	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qedegh32.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll"	Pjpfjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfiddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obqhpfck.dll"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpolbbim.dll"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oplfkeob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocjoadei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlfqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjbbfgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idaiki32.dll"	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amlogfel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjnfknb.dll"	Mfqlfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nclbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flhkmbmp.dll"	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5616 wrote to memory of 5124	5616	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe	82
PID 5616 wrote to memory of 5124	5616	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe	82
PID 5616 wrote to memory of 5124	5616	954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe	82
PID 5124 wrote to memory of 4848	5124	Mfqlfb32.exe	83
PID 5124 wrote to memory of 4848	5124	Mfqlfb32.exe	83
PID 5124 wrote to memory of 4848	5124	Mfqlfb32.exe	83
PID 4848 wrote to memory of 5280	4848	Mnhdgpii.exe	84
PID 4848 wrote to memory of 5280	4848	Mnhdgpii.exe	84
PID 4848 wrote to memory of 5280	4848	Mnhdgpii.exe	84
PID 5280 wrote to memory of 4404	5280	Mqfpckhm.exe	85
PID 5280 wrote to memory of 4404	5280	Mqfpckhm.exe	85
PID 5280 wrote to memory of 4404	5280	Mqfpckhm.exe	85
PID 4404 wrote to memory of 4780	4404	Moipoh32.exe	86
PID 4404 wrote to memory of 4780	4404	Moipoh32.exe	86
PID 4404 wrote to memory of 4780	4404	Moipoh32.exe	86
PID 4780 wrote to memory of 5136	4780	Mcgiefen.exe	87
PID 4780 wrote to memory of 5136	4780	Mcgiefen.exe	87
PID 4780 wrote to memory of 5136	4780	Mcgiefen.exe	87
PID 5136 wrote to memory of 4896	5136	Mjaabq32.exe	88
PID 5136 wrote to memory of 4896	5136	Mjaabq32.exe	88
PID 5136 wrote to memory of 4896	5136	Mjaabq32.exe	88
PID 4896 wrote to memory of 5320	4896	Mqkiok32.exe	89
PID 4896 wrote to memory of 5320	4896	Mqkiok32.exe	89
PID 4896 wrote to memory of 5320	4896	Mqkiok32.exe	89
PID 5320 wrote to memory of 1700	5320	Mcifkf32.exe	90
PID 5320 wrote to memory of 1700	5320	Mcifkf32.exe	90
PID 5320 wrote to memory of 1700	5320	Mcifkf32.exe	90
PID 1700 wrote to memory of 6108	1700	Mjcngpjh.exe	91
PID 1700 wrote to memory of 6108	1700	Mjcngpjh.exe	91
PID 1700 wrote to memory of 6108	1700	Mjcngpjh.exe	91
PID 6108 wrote to memory of 3964	6108	Nqmfdj32.exe	92
PID 6108 wrote to memory of 3964	6108	Nqmfdj32.exe	92
PID 6108 wrote to memory of 3964	6108	Nqmfdj32.exe	92
PID 3964 wrote to memory of 4224	3964	Nclbpf32.exe	93
PID 3964 wrote to memory of 4224	3964	Nclbpf32.exe	93
PID 3964 wrote to memory of 4224	3964	Nclbpf32.exe	93
PID 4224 wrote to memory of 5448	4224	Njfkmphe.exe	94
PID 4224 wrote to memory of 5448	4224	Njfkmphe.exe	94
PID 4224 wrote to memory of 5448	4224	Njfkmphe.exe	94
PID 5448 wrote to memory of 2000	5448	Nmdgikhi.exe	95
PID 5448 wrote to memory of 2000	5448	Nmdgikhi.exe	95
PID 5448 wrote to memory of 2000	5448	Nmdgikhi.exe	95
PID 2000 wrote to memory of 6088	2000	Ncnofeof.exe	96
PID 2000 wrote to memory of 6088	2000	Ncnofeof.exe	96
PID 2000 wrote to memory of 6088	2000	Ncnofeof.exe	96
PID 6088 wrote to memory of 4640	6088	Nflkbanj.exe	97
PID 6088 wrote to memory of 4640	6088	Nflkbanj.exe	97
PID 6088 wrote to memory of 4640	6088	Nflkbanj.exe	97
PID 4640 wrote to memory of 1512	4640	Nqbpojnp.exe	98
PID 4640 wrote to memory of 1512	4640	Nqbpojnp.exe	98
PID 4640 wrote to memory of 1512	4640	Nqbpojnp.exe	98
PID 1512 wrote to memory of 2668	1512	Nglhld32.exe	99
PID 1512 wrote to memory of 2668	1512	Nglhld32.exe	99
PID 1512 wrote to memory of 2668	1512	Nglhld32.exe	99
PID 2668 wrote to memory of 1388	2668	Nnfpinmi.exe	100
PID 2668 wrote to memory of 1388	2668	Nnfpinmi.exe	100
PID 2668 wrote to memory of 1388	2668	Nnfpinmi.exe	100
PID 1388 wrote to memory of 4252	1388	Ncchae32.exe	101
PID 1388 wrote to memory of 4252	1388	Ncchae32.exe	101
PID 1388 wrote to memory of 4252	1388	Ncchae32.exe	101
PID 4252 wrote to memory of 5468	4252	Nnhmnn32.exe	102
PID 4252 wrote to memory of 5468	4252	Nnhmnn32.exe	102
PID 4252 wrote to memory of 5468	4252	Nnhmnn32.exe	102
PID 5468 wrote to memory of 544	5468	Nmkmjjaa.exe	103

C:\Users\Admin\AppData\Local\Temp\954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe
"C:\Users\Admin\AppData\Local\Temp\954a88c8f8a8d0cb43a37e0c62141fabcc1e2735d7b269d9cf57ad91b580884bN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5616
- C:\Windows\SysWOW64\Mfqlfb32.exe
  C:\Windows\system32\Mfqlfb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5124
- - C:\Windows\SysWOW64\Mnhdgpii.exe
    C:\Windows\system32\Mnhdgpii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\Mqfpckhm.exe
      C:\Windows\system32\Mqfpckhm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5280
    - - C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5320
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6108
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5448
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Nflkbanj.exe
        
        C:\Windows\system32\Nflkbanj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6088
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Nnhmnn32.exe
        
        C:\Windows\system32\Nnhmnn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5468
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Pmlfqh32.exe
        
        C:\Windows\system32\Pmlfqh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        83⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        84⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        85⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        91⤵
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 400
        93⤵
        Program crash
        
        PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 2596
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aoioli32.exe

Filesize
77KB

MD5
307c37ba91a738854727078a71d1bea9

SHA1
0e78ece90910d3d3dae39f98af98b76f6c32a53d

SHA256
ce17714960a92bcdaa6237ce33c60aeabfb5794bcbbb093e97f44a2e6e470de0

SHA512
020c47b1c06575a3afde0bd0ac56a86e7a61510494014f49441edde8e34d184de8645ca0d16560d622f4395fc3782098e73e4e105da441601ffc4d98b0f67cef

Download Submit
C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
77KB

MD5
ca7b2d034b7a18aec02a5b6bafa9abc9

SHA1
77badcb02165caa39fb66170f2a081990815e66a

SHA256
1b70d831cb82ca8a08088b6bafa45b5e5560477325e2171ce83106009ea7ddb9

SHA512
c45171f1f68df723ba6e29b79c1e5cc9963f0f4f465f53378c7a3f05ec6ed89ff98dd5806ceaf0a31685a10db6969a2ca982c124ca48b855f5515a09915d8e7f

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
77KB

MD5
1e4efbba9b2309a8baccbebf59996533

SHA1
eef2bbd3f84636aa7383bd53ea7871d97c1ae689

SHA256
74ccf6ca8306c11305e618bfbc500842e02c447b7a401369bad7fb9ffca0d01d

SHA512
7f88bc5efe95c4c1e54b884560fd66bc0d5108df9d8c8e4ab1ff460dd50a48f1071aa223aa420defebf34ac0936c902f0a3da4701ee75ff655df091e2c2263de

Download Submit
C:\Windows\SysWOW64\Bhpofl32.exe

Filesize
77KB

MD5
085ae2a4cc3e03df4de375b56ad899c7

SHA1
4d94d53c10ae74c22f7db0eaa5f68b3da1ff9a02

SHA256
5af5588767bb054f248752c3e7fb5ec97b52d9bbf08e183e87e2fad885445150

SHA512
03ebd0ba99eab75c01d7241f774ea60c6305a264546022c8d16ac006b9947295d9a2ddba5b016b5fa654ac5281179614837efe4016937370af383504fc9cfbca

Download Submit
C:\Windows\SysWOW64\Chfegk32.exe

Filesize
77KB

MD5
34b0e7e936107d990ecaad369c43b24e

SHA1
9f1d5e97f98f6629b3e99c7202003d8de1f152ee

SHA256
60c6519b25bcf07128f23052e64cea5598fd5131ee1701bf77919e2eddf071c2

SHA512
c3d47be4336e23cf1f71944a4b48569539c370455a365672a3c72cc7622b10fee40460ef555d7ea295aa13715bcfd423adb7efc229618bdb6f195630e064bc7a

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
77KB

MD5
e21a18f01cc69ab856f8796cfb45c9e1

SHA1
daefae54feaeef7f22b6ff3770c52fcd83f35850

SHA256
85dc22eab94f9b0e27a1ec5ee7211574cbdc5eea89dc35357477fc72f8a9569c

SHA512
3dbb2adabc48c7e23ce92711bb6df7c355ba297c8d1b11b7cd432b3b00f391392daccfd1f7a149d5a5167aa3bada302dacb3db571873a1795561a6e53b4515bf

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
77KB

MD5
dc5141c5ef8f80d79669b39fb33a8cc6

SHA1
82745fd0151ffdc3eff079cf43e529b0c3039619

SHA256
79bdbcf43153f8f2091280d0f8ef73d518470766c4e539d6ed5053e4e7072c88

SHA512
71734543177b7496512dfaa3f631d4a0dca08e2f3e366d259870447aaefcc0777f32e8a00648be95af4b7450f0cbda7ac1ab421427cbbb77fac1295b99f54209

Download Submit
C:\Windows\SysWOW64\Dafppp32.exe

Filesize
77KB

MD5
045a32f28da235ef897192a47e53ec40

SHA1
16386e147306b093207f8741ab8ff9a0a69419f1

SHA256
18f95d665f189428006eb792315d5f3462d5d2b043817c2a0e7e9994767cba30

SHA512
fc3dee7d6372c32dc7dbd2b90974cff8ca167af2f33c78435d8362e7936e4c808bf3769474dc3c45909e2b7ea6ae89e88a5bc380cd6e85cf0b75cd877501e8d7

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
77KB

MD5
4ec92107f9164ed66795489f74249852

SHA1
5ed9daa017b363d5ee0a6adaa01c56ea9622a922

SHA256
dd690eb352f9336a64cd21508142faf0bf7a0701647633ce2031e8e69ea3c136

SHA512
146510bc761fd9c8f0564f58f5ade5a06825a949abfc541f02c3bc1c86205a12c8ea0158155d817fdefef4b2ea6347c0dfcd6aac112580c18622ad3af29d46ed

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
77KB

MD5
1b628a19b30cc0be29cbac557c24dd56

SHA1
efa0e45cc84500ea9d30fd476b2ec02171743130

SHA256
151169c08e2563055d1885bb7fcab65f5a46a4b272c0e9457301ea5a8976fc4a

SHA512
4b87403c97a24d9341476b455a286a22b041d1cd806efc6feafd048b5ca87009a91033932fddc6048dd50311f5399115c563929afe079398ee79fd3a1d83d51d

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
77KB

MD5
2d8ab0d4650ea0e90a4b7af4a2597f6a

SHA1
f6ff3ee366a158f0cc2222b5235dad4ae5982653

SHA256
7e0aa591665ee0373291180bf7fa78d718864e934921b6e965b520801bcd0ba1

SHA512
d429762eb40e3c8d7962d64c177bdcde9590e246c3d98eb8740a87f5985155da49db3e60ab26452e6f2fcce3f851586be15e4b43bc931fdfa6668bf6da57fd9e

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
77KB

MD5
dbc8d0cc5260d75106e94daac5b6df13

SHA1
ebe9fa227ee75f38d3e9a2cfd966da734aa3603e

SHA256
d75f69261c784f95040fb3d5d58c5d65a9a4231f589b653476209a066c07318a

SHA512
79a7daca2dbfbc146b16a3722647f0662b4b631b5ac51245bea04242140259ff026b19851c9f7f20712c3c2c05b1c039d072040fe3115f3666213e5e7218d1c4

Download Submit
C:\Windows\SysWOW64\Mjaabq32.exe

Filesize
77KB

MD5
f016c897967430476c2850a5fff94f15

SHA1
6d52e1ddd079f59f27885c09b9ea54946601f815

SHA256
d500e6f9550e5d758703c19a76aff61c65271b4b30bc412a191acb1a7ca32667

SHA512
344037c6623debaf0df3f12107b93ed975dafe655f145ef7109a67e37dd332bafe045907c5b2b9d37ff4d2224f70ae49798cc05318fb0cf9ab69b279ae26f87a

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
77KB

MD5
4131d3367bde6e70a43b1786b975abe1

SHA1
8734490e1fd2d7394285a735d3b715c03ef430a5

SHA256
249272403e0c3eb73c913f484d79da5c9b0f704b54fc5fa4b42c3bc516fe18e4

SHA512
c2f1dabe56e3a4ff76c9f9677ed670cdbbde9eaaeeb61ade29419c13570d78bf2c042dd4b00cf1d354a004a757272368e4f15a080fd5852c330e53390e645304

Download Submit
C:\Windows\SysWOW64\Mnhdgpii.exe

Filesize
77KB

MD5
d2f7b3caa164ca805cee2a992e6d0370

SHA1
ed9e9c1e68d48fab1e1da0d3e6d16cb6c6160350

SHA256
4fa16890f2465e544ec765afca66e991cac82060f66a38dac09d8776ff17ebdf

SHA512
c6f5e71d36d674956b09ac7928b68ddbd20f01bf33cc991bbedfa6de565b804cf3eb684594962826f8a8cea6a17600429b763f518b5d736222c127319dc4e919

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
77KB

MD5
3dec2b32c411afb44625e565e84bea99

SHA1
82fdf1789457f4939292ec6299f7e0b75203f46d

SHA256
cf8a715d42cf803b9532a1982dd19651c080ec28e2090b6107c9f5c91fb10ae5

SHA512
6626849b22512b1ed50bf83eb41392a14967511b399cd1162796a7c97328d1a9fa1d6b8f6995fb7e74383b9505ea24eb9c1accf90f8a3a763dc9bb36c60c8326

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
77KB

MD5
6b5fca81c9d37ce92b2354264c0b6b53

SHA1
8d1fc3f51601ff1929886b05ab247fe19eda539d

SHA256
21cc1b3d4108c30f61d63c0efa825fdb651dd37d404f8c807b2339b6d1de653c

SHA512
4e784a673b77e6cfade9a795c9035be40aafb0c3b1715602a9e6f19d553841eaedf6f9bd38cb4ad0b4207bf4ece0ba9987118f1c554eb3e36a65df55d0cebacd

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
77KB

MD5
7fb105e545a97fef5bd3094debf0c811

SHA1
1060dc081ac36a72d21977797a062ea50ee5ee53

SHA256
039d884a83c736081e8dfc77ead051aca036f73088e27e7fdc8bd37f566066b9

SHA512
7d4e15a8c82ef44ce62cd73082630fb7ca7348cd4a980f802f8f2eec82ce7cd76e117de5226018627bc30c67dfb532265ae44e798dfdc2997e696ab9adffcbc0

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
77KB

MD5
82ecc90043a061d5ce7a66a81abff38b

SHA1
d7d439d90a20ad9ca3ac16528d067ff11753969d

SHA256
23af5a292c2be6cca9ff2fe7a38339f3dab903fad488f285a2f6f9366fe8d50f

SHA512
2e17cbe72118173da8db88dfc1d9f0932005ed5d85a28be72772dbada6ce25c42eab61d7750a1c7c17771e3a0360ea41407b33a2f4136b932b6d595a6a8289f2

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
77KB

MD5
e40c80255fb8b499e532d03cc70ceef6

SHA1
a8a49270c6f6aa38398fbf237eaabbd3d882c754

SHA256
bd81da23e39298b05737efb7c43b5869c459e9b512260e713a3b3941c0f3903a

SHA512
f7e99baf24affbde8d5222578a59ba20c8751b1ecb9d4f842247772121e9abc3e7233cb6dd47c04291e5363bed7bf300518b7c90598a4ef208ea5332a52e09d7

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
77KB

MD5
f77a0f75753c4290c3a2514508f59617

SHA1
80888e2199f8e681362f59e6799f0a091824913c

SHA256
019e9abb5fb052c20226875a505aea032ac1d29627fac5bccf1814da54a5e9c6

SHA512
7d365fd02b5345d7f330f0244488b0285e56c65c9c83b5ee1e5fc81df0966930eddc32e968e8077bd7a1462eb024d4f84aa0e86e4c92dcf0f41b9cb56cffd010

Download Submit
C:\Windows\SysWOW64\Nflkbanj.exe

Filesize
77KB

MD5
1869cdc185c6ea2391f450084a2f8973

SHA1
73f1fad343635ec800660b5bc52f3fd132ec0e40

SHA256
1f2aced51414c4ad3fcb2bc6171dc0cef2483dc35a7f4d698b2ca3e029e0b6ce

SHA512
1c03436c9a115eaba9ca921e1e320a24fee930401d73afa0b97f8cfb736a8ec0a81eccf1891a8240f9772503cb4de1151dcd701bafdaa01fcb28d05609437f3e

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
77KB

MD5
293cfccba55e93dc639a4d79578328a7

SHA1
c16e1d1eb9c4ab0d7216581e7f09fdcadeb64675

SHA256
9ef456386064028274bd311656a687669de4a3e3f5a226ec9c09d9e83b0d694c

SHA512
ccc46d26a66ad42f3813e6ff6dfb2866f348ffaa0cae1d99d56916ccaa682a9debecb7828549ff1b08e25e93a6d16f14b6727377d1487e80b714318004645a74

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
77KB

MD5
bfd293a98a3db00240527e40ee06bc7e

SHA1
fbaf59835a676c0768092e4143100b4b713587ba

SHA256
c62d0e7872dafc5d01d5428e1c657cd6178c59a5ddda32d15f3b8356ed92b955

SHA512
d3fefd18d75fbdf77e29b3c4fd03251f82ac9fd65c0ca3f06d04ca8bda8088fe52282d627069e4219fedd91d41c8e5251e10a19b00f21461336f09b10eb5e6fb

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
77KB

MD5
028e8f28f74bad0bf4313a0de4c5593a

SHA1
503b89861eb9e2531fba1d5de9e15b0ac7bebe7e

SHA256
af3c5964d2bead0716e358d3d27aa25f047c2c52f190c507dd802a8573240f03

SHA512
adfe7ab85ae46ace36ef2be037991e040f27d1cc57207d7fd5bfb17d92db690e6fb31bf3d5cd1d2fbc7b62c59be82384871982c56d07ac54357cf5e8d6ee8650

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
77KB

MD5
983313c3bade1367bf49428a8842bcdd

SHA1
ec07ca4964c8404b019f6089b188dd2a90692e45

SHA256
ccf6dd2f8a8528e83dcb6f32d588d2bc089a3612439881b50db96ceed6bd456f

SHA512
2c8d3fc277c2d14084f8d95b7d55e8872f077f8690d1e87c5dc1b60068ccb1ab3882cf1d68c0b276e823a4ff4da91d35a94358ee1c1aad866688b82ad37d59fd

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
77KB

MD5
08c291a11b1128a9efbac13b1ac986fd

SHA1
c1b7e24c5f1bb4866b235f3dbbb0827aef706272

SHA256
22cb5ce577447a0aaf41a29f12d47721a0da4b98c3282e4fa6fcc1db3917a60c

SHA512
c77acd0fe35d669aa037ffa4eec596071c1316cdadfe30da4d9ef575df2fad1642114806aa32969c04d08731f773a706f19acec8e64c47e4e952e48a99661d64

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
77KB

MD5
a77ba282dcdeef1a5fc535c0f5323026

SHA1
71b3bbf6aae3216667674b8a396abc661312c6bd

SHA256
debd691a0f729834ddc4e585c5f3dfd70cf5810614de43aebbe39b0d6f190d21

SHA512
e6c0d002928259318d43f530bed01f9afe40a141f1ca85161f924e59145d36040f130a6337cb3f7312d0b2a6bd3633238507e0346aff23cd2e3d87ed9a64486e

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
77KB

MD5
02edd248729394e69df27b1af0b63f45

SHA1
4bc29d14c589c7b78c4e45f0df91e6824e4ee22a

SHA256
e3125a14655500de53532fe16dafd9c5e104d2b63e1f259362c7e16b577d53c1

SHA512
0fa369d2411a29033b2b2d41d6789cdc57bba3275ac25267dd989de0384ef2b1a956dd5e4facb3744426d829b0bf7d8ba2575d7a9dbae2ef92d366bf24dc2b82

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
77KB

MD5
258b9192e8e22707ea1dfc21801ca42f

SHA1
3d119efece540684c6834d6b30bba25fe4e4a79d

SHA256
b2ce929b25542e210dca671c2cffc2285dc7d484dc2bea07728d246a3fe76f66

SHA512
c8f6496f2e24101a684115dcaef908f4b3eff57752f8d4817a225e415919add40978d5d442d51657e4c3cc39636b802d524141dc4440dc6be3090eb0a4bfe8ad

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
77KB

MD5
d4ac7daf0169f26ad516cbbbd7084b80

SHA1
3da5ab35ce03568eecc6eaaec479ffd5a4e3553c

SHA256
565bdc5b7473373353e5abc2e8daf00e40fa3e3fcb8f6d135871b2b2f9dbaf6d

SHA512
5893a0ee2287562b84720df31342e98ab8282c30c1d6b57cad1f4b6ced9c3de6a213728523364cf2228e7bf4bf5233b8679d230ef1512971254a7681e8898ae2

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
77KB

MD5
3ebb80677704e24b81dd0125be0667b8

SHA1
8c93d07681821004f45922eebd730466de30d001

SHA256
aaaab6569852dc8f1c0b278df044bbce9e1b91a4e3e67934d9909385bf9ef0c1

SHA512
eaf83362974c01bd002e6ed5b977ed07319e7b4d46fcd3dbe421558a39d2ed866532d2b26010059465eba148c0bed338f92e64f7b15f49cb00843ce780650e14

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
77KB

MD5
cd84d3a6ea7903fd3d8d477e0b5c4899

SHA1
4f22fe702f09c2ab091ad593ce6a3732cd80cc2f

SHA256
bdf4c39e380009602cdfef9606b381369dd98c82e64a8d284bda9ff22f609e84

SHA512
5bca6dfe2449c632b04b447c25623845c9a42c5d369e8ca93fc4870237d83944782847f3841218c751a27737e49f374e1fc06db802db46026009aafd9011009f

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
77KB

MD5
1de6048eecfbe4b973d16360664444ac

SHA1
375acb6d132e92910a0dc5d0941aba368883d6b9

SHA256
7e4039778ef220d3260202472cff67a1d799b1bd89fb2a2f85d8ae7fef63e998

SHA512
9b466ea223daadc698e42346ab6481edcae99362d1e8ff5888dc4407523d815d955c98cc6928b2be308b103aea37bdff49e8e5f8a8460adcd2c7915e647fdee0

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
77KB

MD5
2eca50cb2a4098264be60547c0979921

SHA1
4d02cb4582e56a65cbc9c08e2eb2d2f370114853

SHA256
cac9ebe474a6c2210e3411ccd7de3f22ee6a1f095810cbca66fa284d8dbe5096

SHA512
5e527a19e14c6208a02fa186b577c5db7a3e9df88c7e13dacc1a554ada42cae615e82a81aa987cc38ce526d7148c44b4f183552be5f2b7c3d954bf28a0979555

Download Submit
C:\Windows\SysWOW64\Omgmeigd.exe

Filesize
77KB

MD5
0c3ca46e29cf5571e97fc01cc6f5f36d

SHA1
435988af5806893d5b165a1d6720d8e4cbfbd5c9

SHA256
61860edefc36670d9c31936b87f94d8ea45ebd597de0993e47d5c9f9fa8bb986

SHA512
0fb28d4b81bc1b15eed2c3f8fb3fa12007393f507b7179470dff7db419e2ae4f7f30012500cecf8385383ae51034c6a11da93e28888599ddb58aea8e589dee3e

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
77KB

MD5
c9a0b536e59a45e01fb09d215a31cdfc

SHA1
4b36ab297d4864c866a146aa8857196973fac7a0

SHA256
4459b2e9bc4ddb0b67c77e3d1bb4e7c9e255721903e145e3b3f8849475f96ef5

SHA512
795bf3d4f0ae3cba8cb35e35e6fd1977c4fb8b1b341f784e39b8133b0cb2d5b410a74c68e8a19d7aa477a8328e617c40c3894771c7ce5e80ae2cdefc2d26c4d3

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
77KB

MD5
1738e7dd3a45013a7840f3ad4f068b1e

SHA1
3f7ad69e734ee545337883bd38304946cecc6030

SHA256
aecdf995320fff75688dc9be1ce193c041eca46f3d5cf2b304b17861ea605222

SHA512
3d8a599215a9adba77d8bba099c5beae843e6545b044add16a50977926e9d520290a52b23937c0a01ceebb106206ae9559741f52a1803783ef32b6b08a4d0499

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
77KB

MD5
e366ab31be9b4b303263629a00096ff3

SHA1
937291701b6ea1ead0953e749542b6c8252e3f0e

SHA256
8f391587febeb6db59d45003f3cb877438ea947c5e64ea7210faa577ecfb63d0

SHA512
1aed9eae746334129a76232b559f1534f27c601d8ae73998cfdaf0ba8f0aaf94d0e63f80380bc8940f7188f2809de18f24710f3183ece5d28408f554edec17cc

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
77KB

MD5
22ca8790f2e5d422227344b172a6780e

SHA1
a297a324d3c8c81d61b45f5e1f1b44c70de91f92

SHA256
f30c64f7d7d2267c0079c368d0ee01024e5a8348704c286efe5f92f8ab517185

SHA512
dff71354e4e30c1e078ffca3c0b63dd72b88267aed663bfdbab1fe34861f159dc67ff748ebe452b758f639d96f3a9c2449edc8d0e7ed8a475c7ffc0533b18534

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
77KB

MD5
a74b1a341cf3bd37ab4595ec58620db1

SHA1
687e79ed66601928c7c9c78e6fbebc10341512fd

SHA256
8eaa86dab532d2db5bbd5fd3c6949e8e18dd81db448e0f11c91c6649bb6540e0

SHA512
779aac0d4eb55d95068f76dab74f1be367afe032158508a989fe1d3cd54f4f34cc74e5e65910bf79d94eda67adde7d3ec06fd04117224cbd64f7ad2232b2cdde

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
77KB

MD5
9fe5fa0c73e74b27c9e20ab43c2c07c1

SHA1
a5c9b9694bee88b75b493ec839efc6b776c1dfd4

SHA256
1fbad761e357b81f3226cec647cac6f11d824311005437ffb9e98cccbe9aa7a9

SHA512
1198e149787e5e9a0ad89dd94103fcf38fbf43e6242a884ffbedfa23597b243912cc122b16d1f4820ad1d324f8cea2be920388dd10878768af88d9e06326fbc0

Download Submit
C:\Windows\SysWOW64\Pmlfqh32.exe

Filesize
77KB

MD5
41df5c6515d327db16ce27636c52ec74

SHA1
423283b0e62f19a4fa76f7c522b62667b41a38f9

SHA256
237b4aaab219f65e3ebd18ebddd1b711d0b88a94f4818af0bb89e52f42ecee9d

SHA512
1459fe36729419806646858d0c8a966d275f81f43523d46275c159610c8eeb955affa9d297cb66efd24aaedcac6d800b0db2fd23c46f649cae4be09cc33068ed

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
77KB

MD5
07585e68bba09b957255295a7300039f

SHA1
58252dab6b9e15cca193b2c72972853555fbfd60

SHA256
b3bea0e17041ef433849e0fb2a0d20e70db80f6a9bc311412e51b61513b7a0d6

SHA512
bbab03baa0ccd14f5740e2a590fe553dbac5d7e64f6f55eb79a0ceaefdbeb388cfdb70ecbbee8b17910cef237742b99280d1315162ceb326a53f701d76d15ff9

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
77KB

MD5
6808a9021793dc3a9461f393342c3074

SHA1
46215303cc42fa7f1ddd75a82b9fcebbdee77685

SHA256
72ee8c5ec4b1fc36c7b00c6bc72b83e360f2192393106dcdb8e5ed44eb9f5984

SHA512
3747b018e2b7ca64a31fa9190446a53797994a05307d50946e2438be9af0856e7362d5b6dd496f61c2d9742d91dcbb6594bd158dbde95c12d55bcadf127b597e

Download Submit
C:\Windows\SysWOW64\Pplobcpp.exe

Filesize
77KB

MD5
661fcf2f7315c4488a804cf161c573f2

SHA1
894cec8369f4177d89a5264edb37202da5710787

SHA256
a8549af32cdb3632ac22c735c48800a9243677c7a668c623b7e3d2fd8d0e71e5

SHA512
36b4ffcef82718ddd31ba7b87f014c911f49268f4d6b74e822d7876a40d0bf7ae857544a30177ad93832f10d699ee6fafdc8c0416fa1e69311968b6a3c3e6968

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
77KB

MD5
1e5a0d11141968b89f9166a912d55051

SHA1
e5abbcc6651b7aa2e9ffb3efa12c4784beb20115

SHA256
e0114aa2e6588ed11e162c9f358d52111ffa82c4966858312519e322831101ab

SHA512
2ceb7ee6ab35b2c3702262771473c13223399ea1149216b561ec8ff9113079d0d50ea3c8d7ac8891a5f6d9b0e983312e06f3d7a45466d0526f227cc20df43f61

Download Submit
memory/400-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/544-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1048-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1336-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1884-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1900-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-598-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2380-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2732-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2768-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3024-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3308-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-572-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-579-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-593-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5124-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5124-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-586-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5176-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5232-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5240-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5280-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5320-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5344-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5356-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5372-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5412-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5448-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5468-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5500-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5560-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5616-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5616-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5616-6-0x00007FFAAFF90000-0x00007FFAB0185000-memory.dmp

Filesize
2.0MB

Download
memory/5628-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5636-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5748-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5860-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5868-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5924-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6088-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6104-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6108-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads