berbew | e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872a

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe
Size

91KB
MD5

567992d71a399384c5e7252cbea7c640
SHA1

04ded40f017bf589fff16cd583734690bf63ef58
SHA256

e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872a
SHA512

368f8de20f283c56ac954a90b2fc883580146e5e0ee6f7e6cd09ee0a14f49373edc27a42c1066851cf73351ca64c8494f3a06206e1ba76bffa153415838e9c4f
SSDEEP

1536:7g6M/Kw6lJ5Y/h8IC4SAKslk2lqQe8Df0t+1ghnqObmVy9Zt9cx0XBQZFo:7gx/KZJuJ8IrXKx2lqCDfdCkEux0XBQI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4568	Ngpccdlj.exe
4992	Njnpppkn.exe
2904	Nphhmj32.exe
3544	Ncfdie32.exe
1972	Njqmepik.exe
4204	Nnlhfn32.exe
3004	Ndfqbhia.exe
4272	Ngdmod32.exe
4136	Nnneknob.exe
3360	Npmagine.exe
2556	Nfjjppmm.exe
4912	Nnqbanmo.exe
428	Olcbmj32.exe
4764	Ojgbfocc.exe
2552	Ocpgod32.exe
2012	Ofnckp32.exe
1060	Olhlhjpd.exe
872	Odocigqg.exe
636	Ofqpqo32.exe
1392	Olkhmi32.exe
2748	Odapnf32.exe
3172	Ofcmfodb.exe
396	Onjegled.exe
1476	Oddmdf32.exe
1556	Ofeilobp.exe
3904	Pmoahijl.exe
1468	Pdfjifjo.exe
60	Pfhfan32.exe
3940	Pnonbk32.exe
4564	Pdifoehl.exe
4596	Pfjcgn32.exe
3416	Pnakhkol.exe
4044	Pdkcde32.exe
884	Pflplnlg.exe
4260	Pncgmkmj.exe
4332	Pmfhig32.exe
3872	Pdmpje32.exe
3824	Pjjhbl32.exe
2860	Pmidog32.exe
1072	Pqdqof32.exe
3684	Pcbmka32.exe
2512	Pfaigm32.exe
4104	Qnhahj32.exe
4080	Qfcfml32.exe
1968	Qddfkd32.exe
2772	Qcgffqei.exe
1720	Qgcbgo32.exe
4760	Ampkof32.exe
3028	Acjclpcf.exe
4860	Afhohlbj.exe
2896	Ambgef32.exe
208	Aeiofcji.exe
1888	Agglboim.exe
3320	Ajfhnjhq.exe
920	Aqppkd32.exe
3396	Acnlgp32.exe
4520	Afmhck32.exe
5000	Andqdh32.exe
4140	Aabmqd32.exe
912	Aglemn32.exe
2140	Aepefb32.exe
232	Bjmnoi32.exe
3104	Bagflcje.exe
4584	Bganhm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5436	5288	WerFault.exe	192

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 4568	2032	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe	82
PID 2032 wrote to memory of 4568	2032	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe	82
PID 2032 wrote to memory of 4568	2032	e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe	82
PID 4568 wrote to memory of 4992	4568	Ngpccdlj.exe	83
PID 4568 wrote to memory of 4992	4568	Ngpccdlj.exe	83
PID 4568 wrote to memory of 4992	4568	Ngpccdlj.exe	83
PID 4992 wrote to memory of 2904	4992	Njnpppkn.exe	84
PID 4992 wrote to memory of 2904	4992	Njnpppkn.exe	84
PID 4992 wrote to memory of 2904	4992	Njnpppkn.exe	84
PID 2904 wrote to memory of 3544	2904	Nphhmj32.exe	85
PID 2904 wrote to memory of 3544	2904	Nphhmj32.exe	85
PID 2904 wrote to memory of 3544	2904	Nphhmj32.exe	85
PID 3544 wrote to memory of 1972	3544	Ncfdie32.exe	86
PID 3544 wrote to memory of 1972	3544	Ncfdie32.exe	86
PID 3544 wrote to memory of 1972	3544	Ncfdie32.exe	86
PID 1972 wrote to memory of 4204	1972	Njqmepik.exe	87
PID 1972 wrote to memory of 4204	1972	Njqmepik.exe	87
PID 1972 wrote to memory of 4204	1972	Njqmepik.exe	87
PID 4204 wrote to memory of 3004	4204	Nnlhfn32.exe	88
PID 4204 wrote to memory of 3004	4204	Nnlhfn32.exe	88
PID 4204 wrote to memory of 3004	4204	Nnlhfn32.exe	88
PID 3004 wrote to memory of 4272	3004	Ndfqbhia.exe	89
PID 3004 wrote to memory of 4272	3004	Ndfqbhia.exe	89
PID 3004 wrote to memory of 4272	3004	Ndfqbhia.exe	89
PID 4272 wrote to memory of 4136	4272	Ngdmod32.exe	90
PID 4272 wrote to memory of 4136	4272	Ngdmod32.exe	90
PID 4272 wrote to memory of 4136	4272	Ngdmod32.exe	90
PID 4136 wrote to memory of 3360	4136	Nnneknob.exe	91
PID 4136 wrote to memory of 3360	4136	Nnneknob.exe	91
PID 4136 wrote to memory of 3360	4136	Nnneknob.exe	91
PID 3360 wrote to memory of 2556	3360	Npmagine.exe	92
PID 3360 wrote to memory of 2556	3360	Npmagine.exe	92
PID 3360 wrote to memory of 2556	3360	Npmagine.exe	92
PID 2556 wrote to memory of 4912	2556	Nfjjppmm.exe	93
PID 2556 wrote to memory of 4912	2556	Nfjjppmm.exe	93
PID 2556 wrote to memory of 4912	2556	Nfjjppmm.exe	93
PID 4912 wrote to memory of 428	4912	Nnqbanmo.exe	94
PID 4912 wrote to memory of 428	4912	Nnqbanmo.exe	94
PID 4912 wrote to memory of 428	4912	Nnqbanmo.exe	94
PID 428 wrote to memory of 4764	428	Olcbmj32.exe	95
PID 428 wrote to memory of 4764	428	Olcbmj32.exe	95
PID 428 wrote to memory of 4764	428	Olcbmj32.exe	95
PID 4764 wrote to memory of 2552	4764	Ojgbfocc.exe	96
PID 4764 wrote to memory of 2552	4764	Ojgbfocc.exe	96
PID 4764 wrote to memory of 2552	4764	Ojgbfocc.exe	96
PID 2552 wrote to memory of 2012	2552	Ocpgod32.exe	97
PID 2552 wrote to memory of 2012	2552	Ocpgod32.exe	97
PID 2552 wrote to memory of 2012	2552	Ocpgod32.exe	97
PID 2012 wrote to memory of 1060	2012	Ofnckp32.exe	98
PID 2012 wrote to memory of 1060	2012	Ofnckp32.exe	98
PID 2012 wrote to memory of 1060	2012	Ofnckp32.exe	98
PID 1060 wrote to memory of 872	1060	Olhlhjpd.exe	99
PID 1060 wrote to memory of 872	1060	Olhlhjpd.exe	99
PID 1060 wrote to memory of 872	1060	Olhlhjpd.exe	99
PID 872 wrote to memory of 636	872	Odocigqg.exe	100
PID 872 wrote to memory of 636	872	Odocigqg.exe	100
PID 872 wrote to memory of 636	872	Odocigqg.exe	100
PID 636 wrote to memory of 1392	636	Ofqpqo32.exe	101
PID 636 wrote to memory of 1392	636	Ofqpqo32.exe	101
PID 636 wrote to memory of 1392	636	Ofqpqo32.exe	101
PID 1392 wrote to memory of 2748	1392	Olkhmi32.exe	102
PID 1392 wrote to memory of 2748	1392	Olkhmi32.exe	102
PID 1392 wrote to memory of 2748	1392	Olkhmi32.exe	102
PID 2748 wrote to memory of 3172	2748	Odapnf32.exe	103

C:\Users\Admin\AppData\Local\Temp\e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe
"C:\Users\Admin\AppData\Local\Temp\e0c31d0955166f58c75cbf594a64a9af4e8ea0135c6739fae5633b60f899872aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Njnpppkn.exe
    C:\Windows\system32\Njnpppkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\SysWOW64\Nphhmj32.exe
      C:\Windows\system32\Nphhmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        24⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3416
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        62⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2428
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        76⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        81⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        84⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        87⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        92⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        94⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        100⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1900
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        107⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 404
        111⤵
        Program crash
        
        PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5288 -ip 5288
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
91KB

MD5
dffe0574663c3ae5e2b44f0b69630d79

SHA1
37543085b5afd55428bebb1330faa87e47ba961e

SHA256
6818c70a51a0bd4cabe38d282075d06a7d47fa7fa31b021491e43478bd69acac

SHA512
3966b4b40b1db1fd484f61c4aee7d80fbd4db460193e3890da848b1bf2efeb046e639a531fb2da389978612a93f96ca49f8e34a9ff8d5974a43271c10067b6b6

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
91KB

MD5
5a9f3da1f744314f33866b56561e477e

SHA1
8b44a1696adb10a7bafe83c04511f7e85901405b

SHA256
2cf8c40f0364aa4ce10a3c2b4d72d7175d3f812dc9aae9b8474d37dad1a60aeb

SHA512
ddaf97b1237e4135cc6e592224a18b5b9c570ed624f8ecdd3b201425dd6949fbaeca20c78500483f7f6a59a93e054bebca1721c15a378cdaa9a0c204347f0655

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
91KB

MD5
3640178b6f7ec41e5c411806f7f6419b

SHA1
5faf4a481777f228ad47b5f3b653d6c8772d367b

SHA256
dc05d36cc15151f1e45f85f073e020986d74c5e7c3404235cb8a75942f094ad4

SHA512
1c1f55575923e9c0f5dc47a0e43796c05e6c2660c5dbee9f0e9121aa1628e2b949c8ad02ddec1c07edb2e891790e2518f438504a753431986cdcbf16ee596766

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
91KB

MD5
c1887e13529a8c5f4862b2987ea6af75

SHA1
4f28122813f1ed274fcf5acb328bb7986a9c9a1e

SHA256
c95208d840e30c949b0a1641dc6def4f003d979eb456fafb30b00d798626f388

SHA512
059817af4eb4c76a062c9cab51f4e4b533134a50fb9cdcc6d3998bdc1f9dbe4a9b7777b4328e0696200148a92bc6d0cf6d3de03225c3d969dad76a2bd04695e1

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
91KB

MD5
21541863b0706680f7e6d4b9679c768e

SHA1
ec0146104917b4e63f3bfc175a0ce8aedf311e13

SHA256
e82328438707fbb589cd7a9fc9fa136bd4aff3ee914711763fb8630089ea726f

SHA512
6997c1075a8441d42983a7a10683f05d0c97acdf1a45ac75ddb2d112cf011e13a4da32be3f9db98ce830b64fe0553e4a3aefcde8cae7d1f6f97942d220185997

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
91KB

MD5
c29573fd80c1c7c68aed16d06182c04a

SHA1
0f24fa6eb8952b32423b401277c63b2696ae7c06

SHA256
937f0f457c2f16eea4dcf128ea19e2c1a611932bb81853167f952e6f3b1b11d9

SHA512
0c78f889cd7b66fd92cdf058aaec6ba8c6dd7b87083972cbf08adb8562d149bb5c0f419e9f99c944b28d44af6a7b36a456cce99506a3fce27d84bd91dcf5df0d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
91KB

MD5
3ee900635e43c4405577dc2f8a065c9e

SHA1
99fec0cff57d9ad6099ac320b96e1ffa50bea7b4

SHA256
7ef10308cd5ca5e049350c4f3946a545dd760ffd39cad1b6ff4fc04e695be991

SHA512
84f26908e52ba3854e1c0b0c6af23fc804b950d3d65f043e67f3a3f4596aac3c5ac1cdd0ece63c6c12c6ec5f7e32afa65caecc62ba95ca0f64557e70c6e693c8

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
91KB

MD5
6f9b47292c48813528ee9cf230355353

SHA1
2bd2b1d9d008855f946cc8af791e47b793e18d06

SHA256
0fc29231354bfe3576727d3c937161b139782263c819c8fe9bf9edb4a86fc66c

SHA512
fb8a7b1cd7936332d5883292ad70f122202cec6023fb99f18bc8c6949e1f36abcfbce94d9e9b76b7fc4154dcc9f9a0e05f89ef6ac727b46d7958be2ae4a703df

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
91KB

MD5
25be05f782d3a92b09ecfc7ecf3bd2db

SHA1
2d895e8e64d79fe4093ad03545ebf7fa377b029e

SHA256
b7c047487b8ef1f4c299eef0d2de4ef9e0b2a15a9ed2c9b16edf3d7fe4abe18e

SHA512
5a9c60bfe0ce5726c94c5096a8d37361cb68b07198b9179efab217a89d16003690b06ff631b08712e34cb498aab1cebde58fe9e56cee8d42044423363f3cad26

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
91KB

MD5
26c4bc34c4687f56761a61e2db8e7fdb

SHA1
07ecb6b9cdadc78f28286b951ea83c3d8209b6ad

SHA256
034cdb8b7632999ffd948621f8201d3dfce0272b66e236ef541ccaaf03f1c383

SHA512
04144170154b7e7fa6f875484c973cb3c817363fb93b388b970de55d96e2b3b77540aab4fb7820eb8a0bbd03c0c08242d525ccdcf8ea5baf3e9247fc81a0ad7a

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
91KB

MD5
cd2ab35532737e4d09d2482b5d500fe6

SHA1
70f2a1a236bb381aef677b91c71e0b51286d1fdb

SHA256
b19e188fda192aeaeead4ad7deea12c458c268df7d9d4068d875aaf0eb3d5f9c

SHA512
2c312d1c625ef83610a5c9017f313cf30473986c5ae227035fff898aaef3dc16cc7b7108aa6bfcaaa8527892f5708c0e204944789e5c017213fcc7a2d83a72a1

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
91KB

MD5
fa6b703027d431c4547f1464ebc5516c

SHA1
77a904570aae6feb293f893344525c38a0825042

SHA256
0377ca3c18aa8cc5a94eebc6520209b794a1ae2478b79f352935774a6b5794c5

SHA512
92499fe3a14c15e00f34a3b065d80ee95e615f9107e05e9d3094a1f0f9090922055dd4b74f3360fd047d715c90e7430b7dfc7719a0fddb60f6d8d7e94adcfc6f

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
91KB

MD5
3c7bda2490e06dfbd08f863c19ec6c81

SHA1
0143f1fdf12d8ac81db8fedcaa163ce159129ce5

SHA256
3a3c2c16240e485f98ea1f137e94cf659dcd72dbcf6e5212f9d00b5cc4e0bddd

SHA512
92915cc872ba6b7fcdf4793b767dd0686afe387b9f46e662073939a40e66489ae55970981ecc474477bffa82a979e6670a571d500a7212ba6bfdd1b7ac8c66f5

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
91KB

MD5
b99bdc355ea48961754a4717207ccbad

SHA1
a4050cf93b2261f96ad244db1b77cda2ae8b47be

SHA256
7dac036527bd4e996449630e3f771476f94b289c2ff4e2f8a2bb39c326913171

SHA512
cf78feb8142b5bd4c1d81ff6175e982ef942616a44002a8df67edfde9a6243d6c39cef608e48686afdecbf71d2bb2c755fe6c55bb3a56ff7ee1ce9254aa57081

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
91KB

MD5
7ec9c0d804b006cf3f77b6ed3ea7bfba

SHA1
4ec5c36199bee78b2ea0ab907b9e629bdec6fe75

SHA256
da9439cb2f126c73f20a60b12d403ca6131434f51ee3b6c0a80a20c0d4f9f863

SHA512
9701dd7f8651901d52802356e150942bd680cdb7ccbb44536275f973b1035737d896d8b71c7cd7e373a0c508d63cb5db2f3ae4b19c878b273b13b309c6c2a393

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
91KB

MD5
e6acd7babd9cbbde1c1d54e17fc7d4fa

SHA1
302785b3c0ac30c995c29929c81d15c18256d620

SHA256
d3e3414ade4ea0a999a9e7df603da9df7eb0aad566178b8badfb599f10626a06

SHA512
8b81b940078ca49db40c23ea15654629807f2534b55bc13f4bcc5b7aa09e2975389580f7d139bb5d6008a1b1bd228cc21ff08d02d3ee806337c680aac6304e3b

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
91KB

MD5
93785ef14e41660afe403189b589f1b3

SHA1
385125dba1ac4d28cdc7a482ea324aa9b2fd2cc8

SHA256
e0b54663e3010c4ae8cc4d088c1c463a390c96f0babb25491b4f4f1617f7d9a9

SHA512
3a62f215f8a594c6cf8502355aa9adf2e360f34ec98b41b6767e12388d92d46699305bd4d4dd694c77cba70c21e08ae06399e28e444db27d0a477e78aac9bfbe

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
91KB

MD5
1ee4d96f209fb8a95fc2782d8cc0b4b0

SHA1
3cf9b5871c4d9355e1ca1310adacaff51b4dc27e

SHA256
54676c8c901ce5d21c47bb3b0cebe020a79405cf2d276048451f8cde6ad73eca

SHA512
f16151757be7c5f11f20ae5c082b7ec480f483192c2e897b644bc1462623afe66c845e0d4979c48059209eb70f345972121571e76e8db43540dbbb8846b5e7fa

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
91KB

MD5
371c7fe8ed37bcecbb06f6741219a5e9

SHA1
6aa66bc211fe188ad6555d3b3e5112c2ae84c6ba

SHA256
e3b9759f3f9605fd238e88039e4c28ec87c96043434c354ac7a33f4db1b0f7cc

SHA512
22a26fdf9d621398ca93fd2a0bea822712ad50390ac331c80278dc0d037629190aa321f815cb4f7d13f767f89baa92ed0b0dd2cca6ed14433d846b2f05377ad5

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
91KB

MD5
e41167a036a61b8b00337cbe09cc1b95

SHA1
c9c3addbb0e5383220a85f8e5bd6f55a0a7f45fe

SHA256
a99badd945a1273229333c55119a357d00e9bb75602f6f52996341069fd2dac1

SHA512
a38cd768d13a2c1795e0cdeac832d99d87122d370f485300fc0c8b1971153ba152706c4323dc1f0f659e5f9435c11d608d90654a0f7d34139e42fec7fb65c3e2

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
91KB

MD5
bcd31df02fb98772df6eee5db35745dd

SHA1
0123102a34914acb0765d9cf1b03131e61dbf95e

SHA256
3a33b9514513991a42077144248403dbc67ae5559dfb8107557ce016829dc77f

SHA512
41c7b7396d8af2652149208cdaaab9b3789f64b6f1a68a5e114af6ca27310ab5dbc3bb25713a3962b4bbd2bbb591e5499a9d11e8169480a5c3e363b95b415f9a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
91KB

MD5
77976813caa2968d66d967920ddc7445

SHA1
4c4d4235c9bf36ec9db62730b29863ecc780a68d

SHA256
1c57d0944b60fcda1f6cf52891eace1b650f967eb0bff47720eaa3c5b4a6c93a

SHA512
fedb7b26744b0b9eb2d729133388958fcc4e3db09773f8b3052792ef4dac27f7c9882edfda42afbf0ae4a30a3d0a15ae7aeb90ae63121931b1d1c8afa6889f71

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
91KB

MD5
b9fd94eee1a8aa77a18fd48b146eb0f4

SHA1
c013403f52add4d1bc662c883ecb262f2287b4ed

SHA256
1ff3d3ef75b10400b5c8d5801e29cd416931c713cddfa73e122b0ee9bbd79145

SHA512
681d7fc08b6171bd783e6eea63702ab114cfbe43457f4add966a596df6c1a64900f6fd8bf16324b9f7c8a8397152e6391b97820b94ffb5e08cb0e8f67c064afc

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
91KB

MD5
f19ba61e9911db8de41acca69a0834ea

SHA1
3dff8dd5cae21ac092616aeb2528efbbb879a1f8

SHA256
d4928f41463592127ca18e1ac7b7c7020f2cca2d607f997f60715e83d1b087cf

SHA512
21326271c2d2544bfe3eb34e4617d89db91b2f69f167166c7c54e70fdf2f3d2a74451193c0c1082bfd8f7763748635cd14074e5c1fc666d988e2aea59deace06

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
91KB

MD5
67afb18f589588d1a4c8c6d2a2a058b0

SHA1
751c76288b5552dcb359f8bff0f339062b74447e

SHA256
1001ad0d8e7bb05202c2b4c450f8ca1ebbed85ce68ee73c9372c6fa871f61784

SHA512
1f96a4f96845a4a1669056efb19bcc8eb38174ec01eeff181cacc3766eadd8d0e2585e40e3bd3b3b775bc1b51d746eddbec2e0d6a9883221fe531593e9a6604a

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
91KB

MD5
3f94078dedffa85c470be11665c2e86e

SHA1
c4c4e0c1a71afa924ccedd56b7e0356d31fbbd6c

SHA256
cfc99cb41829598958318edffcc1c32181eae29347a7fc3b5b56b36895b597e7

SHA512
b47b79245674edec6475c4ea9505cb2bcaf2c64ff3d009e1d051838e3d248d93c493c07ae4e0b189b434baa611e9d0f6efe9ccd5836309686cd4a0c157842e26

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
91KB

MD5
d8e1751b8a65aa443bfa86df0549bb0a

SHA1
4bceba883717fd63f047a2fa5a597a73a0f93c61

SHA256
60fc5ccc18918552e2744dee7b3f3a72e5eb2fb898e831e40e664849692791f9

SHA512
09a54a912384381f19b01ec6d236656e294104242570ed44597ad6ec29c753786800ea6a559db5ebc53875d6957b9736a0ef0e1fbfda7492ffc690441454f965

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
91KB

MD5
25cb7177e02473696b303b204bf8b474

SHA1
79597b7285ceb7458ab4981a2bd31d324c38016a

SHA256
c97b2fd116e58fd2e402506dfb7baa9575ffd4fca0cce962e0f1328c9da2022f

SHA512
cddadd055225743313021070744c6193308e9882eddeacecda415faced4d475e5c6596d7d597eb375f147a1452cc1fc434006a306f81775424de895abb8235de

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
91KB

MD5
96f01d816597b593e2e58d5c2479cbb9

SHA1
bdc3ee48e99f2035424c59948a19b4e5828d9ef8

SHA256
9effabba95ce574c1a36ad8c1d5cc9b7ab769f46705289a1427082b07043dcb8

SHA512
ce7ce2b0c154bd2127b2d5a90e2a79b5658cf4a12c0ce118e0675d342f50ab24fb957d58ce80bce8cfe15aa0581fe3c67d07ed2e9ac083dbdf995151a60862d7

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
91KB

MD5
c450a42c07f91eab1ca1c73bb6fc88d0

SHA1
88c314930f0cf5778d136e430dd5e69600b68e62

SHA256
a20a8345f28ad88ff0c9070152d290c82a1a36e17f6a4dbfa037d7abad389b13

SHA512
8e713398809ad1ff782a20bbfb17e7bc02d6bdec14402223f269b2138f708c23d43acfa9a71e35ec7d78b933a5f241a49f4c6e8e7bd1758cb9ccbc36a99749ea

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
91KB

MD5
143484b9a3cc3ff58a586b435f953e09

SHA1
9898aea88a8bfd085ef58997fa3fe4396760f1f3

SHA256
554b31d9ecc0714bc5838e9f847e47a5a85b755ba40cd58d11652020783e54fb

SHA512
31847ae6f9e07df9ff3e6eaa549a515de5cd6ca6e140b3890fdea3738200e5c9ed433dbf40bab296da7c381c7bad3f7e331f597463a73c22cf2cb04de38bb1ec

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
91KB

MD5
e9f9acad57ec7eba94120a38ec2b31d2

SHA1
57b591ddaccbd9f31ad66ca83ac6e3b6e0d32434

SHA256
c9a7a27af031883402aa17ae8e405f899af7764362277a8f1d7e017446c830ad

SHA512
b3dbcb28cbdcbe6ba11d5c8b792d192c503e74c4250aca858a7ec84ef8ba3e64a8fdabda560018713e0d4431df6c3607647f577da84be1d24a91eaa704e6e117

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
91KB

MD5
3ab0d7ca9cafd07ab089e6dc0302082d

SHA1
016cdec4ff22a80428ec091b65a95a12ff65e6a6

SHA256
89bf0385a91f71bfcb57a3e8e438db991cf3df1c92efb1f4a15177ddc4da5270

SHA512
4e67f0772f0df21442f847cc1dfc0d343a5ec3416f14885bca5b27d1f6b402a29e147e45a9e180fcfdaa6cf70b9f75569fa8bb4479fd71045a0e15e0e85098f0

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
91KB

MD5
af4f70c13567f4fa9064f33e873512d8

SHA1
4a278143fdbc84ddc17a8052a2e239ddb811d59f

SHA256
1143e47480fdd2b4ddef4e1013b6ebce4e18da1e333eb1cb2701e4c87c95d4b6

SHA512
867c97b2ef69d9e0696a8b10a74c849aeadce7d81243f385809c9ce439e7a0ca77ccfb8c934dcdd3691fa71a8ca31eb3e575912adc1baa6d9c1c8995da349d1b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
91KB

MD5
71648413a037378e5310e323fc6e1393

SHA1
a4c387497bd228fbde8eec781256c4e2043a8a1f

SHA256
cdefe6beedfa2b56d70dcbb1d79ea1c82d33e635dc3e81b49c7dd01bc0d9ef6c

SHA512
ec4c4f29505b5d00588d290d63c18e0dc6cada65bfedec96dcbc2dc8ea03d02881de55774d677fab03e027f74346c00830c745317fc85394e7793027334bea43

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
91KB

MD5
25b11ae9d058a645a490ccfbca94b732

SHA1
4046ddb77de34b5da0be591b23bd9c3d147ca417

SHA256
54de79108152821fe04984bb2ab0c1e5c817caab582c088087febf7900e000ac

SHA512
983d2f3e191c5ee814f9703987619fd2bded22136205add64c5db0a350d056368c4c2decf2741ec127faded6cd2ddb05da4e989471459e1f76bcd36cebacb110

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
91KB

MD5
ef4ab97edbd505a0e1c17831b0ab2d6a

SHA1
4ec7c22ee72d5a9ad6c4ed4b49a7f0c632b9bbe7

SHA256
5e186842829a99c2170de5310a975719e4500a1ee4338ef5a711ac05ba5044a1

SHA512
40c3dcdd0aeaaafce00e698eb63a90d3bdcef1db64220a363b96500bc24b766ff46e21427e51bc0c1877e3caf33a029a5cd645f04764456ac0dd2d43ef0cc43f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
91KB

MD5
f874d70da1b7743f88347f9c736b9ec8

SHA1
a4aadd490db62aea1a4e965bc1978ec5d8ef12bf

SHA256
5be0d52797406656984c05296dc7f04888b7e5cb9062b48d00bef41a68c12d14

SHA512
555e0a83639190ba09607d4ee17a236ef9359442895612c95a18b9a244c510afbb4071ab0c91166fa6c89c981dce6da8fd5a85b777ec40056af4ae4d2434d1c9

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
91KB

MD5
feeec3bea3616c5fcea0917cf02e0e5b

SHA1
5925688bc03af30b6e48187a60c354e52ff56509

SHA256
e1bf8b35e95e45a7b81cb4751c20f64db6255973a25c7e7d59b9f216525ac7cc

SHA512
57c8fa11ebfdb8a28800024de22e9ab09dfb1a5dd29fc40a0200beaa4971f996aa6d8eb3dccfe931ebb1baef8aec40e89b192d55c4044aee02d5e460c8adb546

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
91KB

MD5
0ffd5130086c0a478e8cf37b7d27501f

SHA1
0154cc667ae3136c1bcc4e45f506794f4a0a937e

SHA256
33ba386b7b27b40c342d585426c20666e82aaa0672c178037d699047c6f40ba0

SHA512
27ce6b531a566bdca35becccc7c29d66d685d79e26017f73abc9e340e3d6d31f3e17bc87a1d2ba1326a985f474b1dd9924c7773d2d6ba596f4a032f6813fd9c3

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
91KB

MD5
d34c5f687d639dedc2b6bb096cefa9a1

SHA1
5fbe24c08124f3e372f837542572a5ece79d18ce

SHA256
415bcf84da2e31cfedac8c481f698e78b801c5febd773fbcc98cce772adfd8f2

SHA512
9d3b9eccacbd5e9d2774e5327071a56eb69afe17ac0b93708d15835b493039804ae16387a1ad3a615cedeee9b5c6d793d676b5488eb6e11eb18f686afbfe207a

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
91KB

MD5
c73058a4ab4ba97164ddb920b4d0ef38

SHA1
66b63b7ca94ade1d6d40ca8854960acf6b071ab7

SHA256
84157ca4547617bb4823d9ff25d9b93ebf8349f62de5786c23b50f24f0afc5f0

SHA512
c8c28e54f2016396ff607c79d8a4846de27505b4f21120855b7ddef848f53dc7b280dad6541752a6ea4ac1e37565105b385d9e355af615845da0d49eec2c27a4

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
91KB

MD5
578854c3e317f2942fd1b65be1ca6d3d

SHA1
96f412043a8e5d7b3feed9e63c49d477c37569e2

SHA256
a74df29575a29e92cb2202a0024b3bcd4cf20458fe43c1fbbc45ca7e8dc610a6

SHA512
3e7d73f2fdad327230df9d1d7650d9e3851f826498dcbd524f8553c53e57c19f13d2cf5dc62ab5c1ce45668b8ef1dc19ceaf356e0aed3d357c1a0ec13104dbe3

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
91KB

MD5
41b0f1c0b56db0a04f3b915a53192640

SHA1
82321de97749c22f534b60926d7d5db0fa648013

SHA256
a38dc0950926c347573260537c35c661a2dbf4187d9d2edfb3f0e203884c5929

SHA512
8745f8068c14f1cb341bc56b1e0e36ff2a8aab5ad97460d481979d0fdd04b88e183f283ffec8057a90c7c575eac17260211fd8a2dca474f16251a1da63743418

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
91KB

MD5
bfd11e5e5df2956f32241b734eb41e14

SHA1
ef1a24f0d5ccb708fe26bb0a0d2e6740c1c45585

SHA256
fc93cba9afd4bfe10a8ff405de5edfbe215f0f9122b19869f7f567fb150b2636

SHA512
b4bce8cb0887144fe7fb66639845eb5b5c30a4c34c3a91406c8ee80e8264f6c9a3c2b41b2db093019b5565135ebb3a546a7406d6b51ebee08b074fd497954f07

Download Submit
memory/60-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-851-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-763-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/868-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/872-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/912-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/920-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1060-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1392-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-860-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-810-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2128-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-589-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2512-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2772-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3004-588-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-847-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3360-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3544-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3648-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3684-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-568-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3904-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4076-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4140-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-581-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4260-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4272-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-843-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4520-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-789-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4912-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads