berbew | 0b753888d69dace50fdcae1a6f93de3b869982d854aa47a8ff4d688e971a7bbe

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Padodor.SK.exe
Size

96KB
MD5

4ddb023dcb2a65b25f990dcdb0b1f1d0
SHA1

653583800c914514e6e9d9ed2b5ccdb6da455d38
SHA256

0b753888d69dace50fdcae1a6f93de3b869982d854aa47a8ff4d688e971a7bbe
SHA512

296e6f267b583e59eb4fe5e41c28fa8d66fd872c39382cd5dba21e142ea603183d0401376b2bc892938aae6afb5a14ca1a821eeae878663bf417676a764f9c02
SSDEEP

1536:daYzas4btdhMHo5hr/c5sLeyWH28CmIw1W1iA5w7RQ+nR5R45WtqV9R2R462izMR:vzv4btLoo5J/c5Qe7HdCmIw1W1iHe+nO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqimikfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcngpjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofhknodl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqfpckhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nclbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onocomdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjknfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpiplm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njfkmphe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ompfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omgmeigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbgkl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahdpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpdnjple.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnofeof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paeelgnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akpoaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcgiefen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bkibgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqkiok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akpoaj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
536	Mfqlfb32.exe
4204	Mqfpckhm.exe
1232	Mcelpggq.exe
3700	Mjodla32.exe
4616	Mqimikfj.exe
4092	Mcgiefen.exe
4692	Mgbefe32.exe
4820	Mqkiok32.exe
3556	Mgeakekd.exe
4884	Mjcngpjh.exe
2888	Nqmfdj32.exe
2032	Nclbpf32.exe
4488	Njfkmphe.exe
4892	Nmdgikhi.exe
4212	Ncnofeof.exe
100	Ngjkfd32.exe
3176	Njhgbp32.exe
2156	Npepkf32.exe
952	Nglhld32.exe
1480	Nnfpinmi.exe
1336	Npgmpf32.exe
3316	Ncchae32.exe
4012	Njmqnobn.exe
2556	Npiiffqe.exe
3808	Ngqagcag.exe
3568	Onkidm32.exe
2996	Omnjojpo.exe
4924	Ojajin32.exe
1224	Ompfej32.exe
5084	Opnbae32.exe
2516	Ofhknodl.exe
4540	Oanokhdb.exe
4056	Oghghb32.exe
2656	Ojfcdnjc.exe
4396	Onapdl32.exe
2316	Oaplqh32.exe
2608	Ocohmc32.exe
4576	Ojhpimhp.exe
1920	Omgmeigd.exe
3712	Ocaebc32.exe
1448	Pfoann32.exe
812	Pnfiplog.exe
628	Paeelgnj.exe
2532	Pccahbmn.exe
780	Pjmjdm32.exe
1600	Pagbaglh.exe
4172	Phajna32.exe
2452	Pmnbfhal.exe
4288	Pdhkcb32.exe
2184	Pjbcplpe.exe
1916	Palklf32.exe
4648	Phfcipoo.exe
1376	Ppahmb32.exe
1496	Qjfmkk32.exe
4360	Qmeigg32.exe
1424	Qpcecb32.exe
2448	Qhjmdp32.exe
2000	Qmgelf32.exe
2632	Qdaniq32.exe
3672	Afpjel32.exe
2936	Aogbfi32.exe
2740	Aphnnafb.exe
1216	Afbgkl32.exe
3228	Amlogfel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mqfpckhm.exe	Mfqlfb32.exe
File created	C:\Windows\SysWOW64\Folnlh32.dll	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Nqmfdj32.exe
File opened for modification	C:\Windows\SysWOW64\Njfkmphe.exe	Nclbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nmdgikhi.exe	Njfkmphe.exe
File created	C:\Windows\SysWOW64\Ifomef32.dll	Opnbae32.exe
File created	C:\Windows\SysWOW64\Adfgdpmi.exe	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bpdnjple.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Dpiplm32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Ncchae32.exe	Npgmpf32.exe
File created	C:\Windows\SysWOW64\Onkidm32.exe	Ngqagcag.exe
File created	C:\Windows\SysWOW64\Paeelgnj.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Geqnma32.dll	Amlogfel.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bkibgh32.exe
File created	C:\Windows\SysWOW64\Mgnddp32.dll	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Mcgiefen.exe	Mqimikfj.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Kibohd32.dll	Ojfcdnjc.exe
File created	C:\Windows\SysWOW64\Omgmeigd.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Mcgiefen.exe	Mqimikfj.exe
File opened for modification	C:\Windows\SysWOW64\Ojajin32.exe	Omnjojpo.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Phajna32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Bpdnjple.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Onapdl32.exe	Ojfcdnjc.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Nglhld32.exe
File created	C:\Windows\SysWOW64\Ompfej32.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Ofhknodl.exe	Opnbae32.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Adkqoohc.exe	Aaldccip.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Caageq32.exe
File created	C:\Windows\SysWOW64\Ckjknfnh.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Gadiippo.dll	Omgmeigd.exe
File opened for modification	C:\Windows\SysWOW64\Pnfiplog.exe	Pfoann32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Mjodla32.exe	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Qgnnai32.dll	Mcelpggq.exe
File created	C:\Windows\SysWOW64\Nqmfdj32.exe	Mjcngpjh.exe
File opened for modification	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oghghb32.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Qmeigg32.exe	Qjfmkk32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Baegibae.exe
File created	C:\Windows\SysWOW64\Dicdcemd.dll	Ncnofeof.exe
File opened for modification	C:\Windows\SysWOW64\Omgmeigd.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Omgmeigd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5208	6140	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojfcdnjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknlbhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfqlfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmdgikhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ompfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgeakekd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjcngpjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paeelgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkndie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onkidm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofhknodl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnofeof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phajna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npepkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apaadpng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbjkn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjodla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njfkmphe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omnjojpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omgmeigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqfpckhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpdnjple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adfgdpmi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaacddn.dll"	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgmgn32.dll"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njmqnobn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifomef32.dll"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oanokhdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oghghb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfoann32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adfgdpmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmgelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll"	Aokkahlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoecbmi.dll"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmnbfhal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll"	Ngjkfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbeojmh.dll"	Mjodla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmdgikhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnkocdc.dll"	Backdoor.Win32.Padodor.SK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll"	Nnfpinmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocaebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgeakekd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmfdj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bknlbhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Cpbjkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Ahdpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nglhld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll"	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgifbhid.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 536	2664	Backdoor.Win32.Padodor.SK.exe	84
PID 2664 wrote to memory of 536	2664	Backdoor.Win32.Padodor.SK.exe	84
PID 2664 wrote to memory of 536	2664	Backdoor.Win32.Padodor.SK.exe	84
PID 536 wrote to memory of 4204	536	Mfqlfb32.exe	85
PID 536 wrote to memory of 4204	536	Mfqlfb32.exe	85
PID 536 wrote to memory of 4204	536	Mfqlfb32.exe	85
PID 4204 wrote to memory of 1232	4204	Mqfpckhm.exe	86
PID 4204 wrote to memory of 1232	4204	Mqfpckhm.exe	86
PID 4204 wrote to memory of 1232	4204	Mqfpckhm.exe	86
PID 1232 wrote to memory of 3700	1232	Mcelpggq.exe	87
PID 1232 wrote to memory of 3700	1232	Mcelpggq.exe	87
PID 1232 wrote to memory of 3700	1232	Mcelpggq.exe	87
PID 3700 wrote to memory of 4616	3700	Mjodla32.exe	88
PID 3700 wrote to memory of 4616	3700	Mjodla32.exe	88
PID 3700 wrote to memory of 4616	3700	Mjodla32.exe	88
PID 4616 wrote to memory of 4092	4616	Mqimikfj.exe	89
PID 4616 wrote to memory of 4092	4616	Mqimikfj.exe	89
PID 4616 wrote to memory of 4092	4616	Mqimikfj.exe	89
PID 4092 wrote to memory of 4692	4092	Mcgiefen.exe	91
PID 4092 wrote to memory of 4692	4092	Mcgiefen.exe	91
PID 4092 wrote to memory of 4692	4092	Mcgiefen.exe	91
PID 4692 wrote to memory of 4820	4692	Mgbefe32.exe	92
PID 4692 wrote to memory of 4820	4692	Mgbefe32.exe	92
PID 4692 wrote to memory of 4820	4692	Mgbefe32.exe	92
PID 4820 wrote to memory of 3556	4820	Mqkiok32.exe	93
PID 4820 wrote to memory of 3556	4820	Mqkiok32.exe	93
PID 4820 wrote to memory of 3556	4820	Mqkiok32.exe	93
PID 3556 wrote to memory of 4884	3556	Mgeakekd.exe	94
PID 3556 wrote to memory of 4884	3556	Mgeakekd.exe	94
PID 3556 wrote to memory of 4884	3556	Mgeakekd.exe	94
PID 4884 wrote to memory of 2888	4884	Mjcngpjh.exe	95
PID 4884 wrote to memory of 2888	4884	Mjcngpjh.exe	95
PID 4884 wrote to memory of 2888	4884	Mjcngpjh.exe	95
PID 2888 wrote to memory of 2032	2888	Nqmfdj32.exe	96
PID 2888 wrote to memory of 2032	2888	Nqmfdj32.exe	96
PID 2888 wrote to memory of 2032	2888	Nqmfdj32.exe	96
PID 2032 wrote to memory of 4488	2032	Nclbpf32.exe	97
PID 2032 wrote to memory of 4488	2032	Nclbpf32.exe	97
PID 2032 wrote to memory of 4488	2032	Nclbpf32.exe	97
PID 4488 wrote to memory of 4892	4488	Njfkmphe.exe	99
PID 4488 wrote to memory of 4892	4488	Njfkmphe.exe	99
PID 4488 wrote to memory of 4892	4488	Njfkmphe.exe	99
PID 4892 wrote to memory of 4212	4892	Nmdgikhi.exe	100
PID 4892 wrote to memory of 4212	4892	Nmdgikhi.exe	100
PID 4892 wrote to memory of 4212	4892	Nmdgikhi.exe	100
PID 4212 wrote to memory of 100	4212	Ncnofeof.exe	101
PID 4212 wrote to memory of 100	4212	Ncnofeof.exe	101
PID 4212 wrote to memory of 100	4212	Ncnofeof.exe	101
PID 100 wrote to memory of 3176	100	Ngjkfd32.exe	102
PID 100 wrote to memory of 3176	100	Ngjkfd32.exe	102
PID 100 wrote to memory of 3176	100	Ngjkfd32.exe	102
PID 3176 wrote to memory of 2156	3176	Njhgbp32.exe	103
PID 3176 wrote to memory of 2156	3176	Njhgbp32.exe	103
PID 3176 wrote to memory of 2156	3176	Njhgbp32.exe	103
PID 2156 wrote to memory of 952	2156	Npepkf32.exe	104
PID 2156 wrote to memory of 952	2156	Npepkf32.exe	104
PID 2156 wrote to memory of 952	2156	Npepkf32.exe	104
PID 952 wrote to memory of 1480	952	Nglhld32.exe	105
PID 952 wrote to memory of 1480	952	Nglhld32.exe	105
PID 952 wrote to memory of 1480	952	Nglhld32.exe	105
PID 1480 wrote to memory of 1336	1480	Nnfpinmi.exe	106
PID 1480 wrote to memory of 1336	1480	Nnfpinmi.exe	106
PID 1480 wrote to memory of 1336	1480	Nnfpinmi.exe	106
PID 1336 wrote to memory of 3316	1336	Npgmpf32.exe	107

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.SK.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Mfqlfb32.exe
  C:\Windows\system32\Mfqlfb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\Mqfpckhm.exe
    C:\Windows\system32\Mqfpckhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\SysWOW64\Mcelpggq.exe
      C:\Windows\system32\Mcelpggq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Windows\SysWOW64\Mjodla32.exe
        
        C:\Windows\system32\Mjodla32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\SysWOW64\Mqimikfj.exe
        
        C:\Windows\system32\Mqimikfj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Mcgiefen.exe
        
        C:\Windows\system32\Mcgiefen.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Mqkiok32.exe
        
        C:\Windows\system32\Mqkiok32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mgeakekd.exe
        
        C:\Windows\system32\Mgeakekd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Mjcngpjh.exe
        
        C:\Windows\system32\Mjcngpjh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Ncnofeof.exe
        
        C:\Windows\system32\Ncnofeof.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:100
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        25⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Onkidm32.exe
        
        C:\Windows\system32\Onkidm32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ofhknodl.exe
        
        C:\Windows\system32\Ofhknodl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Onocomdo.exe
        
        C:\Windows\system32\Onocomdo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1876
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        47⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        51⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        58⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Akpoaj32.exe
        
        C:\Windows\system32\Akpoaj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3212
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        75⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4668
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        78⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        88⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        89⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3012
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        95⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5588
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        103⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5720
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6008
        
        C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        112⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        113⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 420
        115⤵
        Program crash
        
        PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6140 -ip 6140
1⤵
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaldccip.exe

Filesize
96KB

MD5
a38cb2da3f0f376deeaa87260826b05b

SHA1
a62f66e68084876516ac36541d0ef0e1495b2e93

SHA256
bf5f53c149a9d8a2d77145261c495487370c2996c81fef432ae0677ca351ab22

SHA512
d3de3f361d717e7b99d282805de4540e599f22efbe0a1d120804d750dc4a127d9314666b28f9cafb6bf4b8a24110c5976941f4eec90eb716fbc320f635cf2832

Download Submit
C:\Windows\SysWOW64\Apaadpng.exe

Filesize
96KB

MD5
70eb1f3c840b98888e6935741ac657c8

SHA1
e51862ac4369eb00d028156bb15fb6afa973476c

SHA256
48493d67a8398182ecf15d1a9956f9cc9855f6370207f2b5c4f2c114030884f7

SHA512
f1ea6a8ffdb002edd74266036a41d67081a6866bcd4c44ead2277cdbe6334a1b6415885e9dde104286bdc09a9b1139e49e4f264b13671e14257de2e1ca5448f7

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
96KB

MD5
e03780ccda17289c821828d6d195355d

SHA1
548fc0c1687eaa407cf87af00b6f04e3dc6170a6

SHA256
bcb4d87826eb5f305adcd8b0ff8306e7adb4d48321f9ae5c894db41c8b891fe1

SHA512
6aa2d77fa22a0eb23888c5f7f9245dad4e9625d111aa7d5aeb9bd7fe1464131640abda068a47a202c2c857b9f960415f91a47a54a8669a5f7bda6b25ec28ba2d

Download Submit
C:\Windows\SysWOW64\Bkibgh32.exe

Filesize
96KB

MD5
81c8a51914b5ff1df584bfab70ce26dd

SHA1
c346bf41c2411ec86a41cebb9dd74c7f3fd93975

SHA256
a9d84354c42d475dcb27755f22bf99a02110caf9f163ceaabeb8b90cf7c874a7

SHA512
2d654acfc6cd0d1a35144bbd321417753ee3f8ff0d76a56d1d08272480bef7f0f32c6cb4741380d16d004445380cd2052dc4d7735611c308c6d4e16e27ac9d37

Download Submit
C:\Windows\SysWOW64\Cglbhhga.exe

Filesize
96KB

MD5
87ce3095c335bd381ee34e193acb66d6

SHA1
c2bb96fe64fbb7a2827484fb41a03c93274e5b95

SHA256
32b27b040f921b010cdcc1d3832da5d2840768757ad9d9cf814d92bdf67787ab

SHA512
6fa776d8d545e44bb554588e999b2c0b7990b3fe284899cb766c2c5ad2d71d6d29648a6b0a1d2c206e82357b35c3665e2cbd0ed0067ace82673e09b278141239

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
96KB

MD5
8e9df25f8cc607b83ae6e9e20200899f

SHA1
24ba5707ad908e42f2f875e9870644e8f2cc10d7

SHA256
811361171355b6e3561f315e3ff57440d6faf38ef60810b8def69cee0af1f716

SHA512
274ffbe14ad666112163e164a070b0a9ff0b5c08b8ec018f9e92ac60e24a6c497785a9fae79a3c539b59f1901c856b77df57b9b52cb0607650da713d5291ec0a

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
96KB

MD5
50e02b058f9059f17ec559b4437e6aff

SHA1
120952a255bf990ea3926013d6fb1858dabedb44

SHA256
7682b1a7bc24b9d65988137669f2b844b67492879807cb7f6c790ddf131bdf01

SHA512
7e3bbab80c2881d51746d7d60857abe0cc79e34eb2e4f4697a68d46eb2e08919fe5710c7732e12de4dab07c47093e385fc51f0440a85cdbdeb278bb11957cce9

Download Submit
C:\Windows\SysWOW64\Mcgiefen.exe

Filesize
96KB

MD5
d766fe223b455d0fa28d7457e616dc05

SHA1
4871b2d0e2052c69cd8d5e060d1ea2b8578b4f7a

SHA256
663c0a6d2f36ae9e7b6deb211c0a5e9a40e357a045ff5cb81edc2df47c260a9e

SHA512
9e79fa29462df29cb580f3f0dce34e2aa0c43bc2a34b8075438a44649fff1581c2bf85cd6cadee3cad0f9b6287c45b240eed7b6f43c84754328ddcdbd93c3b82

Download Submit
C:\Windows\SysWOW64\Mfqlfb32.exe

Filesize
96KB

MD5
ac36dd0d9240b2fd562c5456add1bc5e

SHA1
a11c77c1e791ea36a893bae5547f14f118be521a

SHA256
2336c7092bc75dfbcbb7d0d1edb007e87905029555a4ee32a74d0edc9be70eed

SHA512
a57cc942464cbc5ab615c2bade64d8edec225746c652f6e41d41898410a7ec1178cf159b59f9ea1e1d1610c58bd1a26b99b8256a74860968d8181d191865fe2e

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
96KB

MD5
0c0631816dfb7f4732ed7d30bee310f8

SHA1
60374fa47e766d354bf2eec71a93b4685f6a8af3

SHA256
345fd9a2b8ffb279cbaa8100bef5548ad48582163c6a54281a5c98c70c6ba9d0

SHA512
2466c47b93891fc17a41e053d20942fd26bbb9b40f82ec4e0814745f0039d0c57f56e1974643358e525ee5a9fd6fede7a06c76315f82aeec8f008ad22c64eb0a

Download Submit
C:\Windows\SysWOW64\Mgeakekd.exe

Filesize
96KB

MD5
55f1b6a4183df14cfcf2dd79ee690795

SHA1
0a4572974c320dcbfc66f5c0f1fbb71be37ffbd5

SHA256
0043b2f7863231e326702b298a7deb844c368876d78565d046de17a5634f04c6

SHA512
823d9adc0ca8657e466e53fee0534e61219a915cd65549231109d348fa0a2106a06617eea41f1447f061c2007574966417cc67ef965ce01c607a028a15a3b085

Download Submit
C:\Windows\SysWOW64\Mjcngpjh.exe

Filesize
96KB

MD5
d670ab018b9e1c0160d98173e2dcea59

SHA1
cc2b8eb33259efb271d1c27f39b1309f5bbdf0b6

SHA256
c63ecae93a43a612335ac0d70e776eb486e9b23f1f6e84eb5f70a128438e49dc

SHA512
436b7f4419d629b2f82048f4a2ba68557f3a7a6acc0438a31c59810f6df4f1f1172fa34d4f2f96649e14bd848d74006f046ff770f2cf23c4d9e8d7653ee7a295

Download Submit
C:\Windows\SysWOW64\Mjodla32.exe

Filesize
96KB

MD5
71f60d5a0fa7b5f1ce82ef79c53b4c2b

SHA1
1059bd68882b2dfb68865f3deaf858b2d59c9c5d

SHA256
73c6e6719a10c533c92d52dd245ddefae3b3629f9d2fd876bd4f5597d1ed2cc6

SHA512
3f2d4f3de334dab72bfe6b31036dc5075f1c6f5dca18b3fe0910d74b3913637d464827aa0f4b7dc6de6547a8925a1c30a8f98c57d619ef4964a5d65e7e1ba584

Download Submit
C:\Windows\SysWOW64\Mqfpckhm.exe

Filesize
96KB

MD5
086a9b68d0815ce61534cf65cf8fb54a

SHA1
330f1c39dcb4166a9bdd1c224ef3517618ff0e2e

SHA256
acee9ccd9f0066c981651865dbc20ef63e1c0bec0fa0e615e07ebab566c29030

SHA512
45d75c196fb2a2336e0bb073e9e5d3ea8cb6691d9747bbb406a32d8582d3056222a399e971b5eba183c894c76ddbbffb2e33f7f0ae646d117493c922eee8123a

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
96KB

MD5
a0996b4fe8c0118e879643108a8a5058

SHA1
d7bda747031594ec7c95f0c123321f3251e5e0f6

SHA256
e7e1da0592b6fbade168c282e8004ff41d04f5c388c9ba9673bdabd156fc8f3c

SHA512
aa80234688266d939c119220697cb1b8c3be6287f8c499baaf7438a5aeaf81df3f5a5e617174acc394d8300465afed674b0df9fcb99541f665fb8480ba649c4f

Download Submit
C:\Windows\SysWOW64\Mqkiok32.exe

Filesize
96KB

MD5
331958cb17ee54016fa046ca63c36013

SHA1
455247988a4b7fea598255616dac83d7279fff6e

SHA256
9eca9c5fdfa0b4670cc0a31267ffb19961e639810fe65658b26bbcb29b1ae71f

SHA512
8457d040177569b7667daa7a1e49fa10ab64944aa1539344b6bbcc5e3a062c574b72fdfd270e430cd90eab87521b4022b64fba923252933366a034a3a1d10086

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
96KB

MD5
5d827b381e9228c6e3c6951ad3cc8795

SHA1
e889cb4b54d4995df66a27d5c0e2f1fe8b7c0576

SHA256
446ff045dd09fd048a3e0f9aee9b79d87b3b962ecb7a759421aa429923ec82b4

SHA512
7eee13b59c801dc0cf7da31842cdf4790df015b426d236cc571e2ecc5ad36f91e017c0498c2f77e83d82f01749e43a3393c175b781a8f25333b9bd11ce053f12

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
96KB

MD5
c773897d9f3447624dd7a44ff9d3fe5b

SHA1
c837243d5947d91d77385a578d880cf25c8482a9

SHA256
d930e2dc9bcfc6e93d60ee84d4334fb3e07108df50d12478447d4fc3305b5a37

SHA512
7ce3d1fa72bb6567fe9cecbe9b6550c6398286e657b76bcc45dd3080556e6e9551e9ecbcfa31557a3d4d30407782445f39752b9fcca876c2886d920fcb93cc22

Download Submit
C:\Windows\SysWOW64\Ncnofeof.exe

Filesize
96KB

MD5
3c5348c458ae0f485f2eebc80126149c

SHA1
98e57101763c5e9e4bdef225471315566df97721

SHA256
37c95b1c2524553c6e5cca85a578ee8194b3e78ee9c8ce05aad3b163de390189

SHA512
f0c92744a7f997af3f2a127921c1cc7844951cc5149325d7000d1dac921474165df516c0c003030b00444afc346c8fe8a538a553a82bc1e4e7ac979b97ea62e1

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
96KB

MD5
6e5dad7142f70457c1efeac08ca82b06

SHA1
ed5126ef4820c91c0d22700ca9f49bce394a04d9

SHA256
66a4f789ef6eb5171599a2115854c1638af000de131342f0381f9677dc014a1a

SHA512
c44f3180671981d21949d924f8e670d0aebe616d92a981da858c7e4b7439bd908c5b1b20953e5cf24b82200e7c5c0039e8f558595aec056ea30d569726af4df8

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
96KB

MD5
ee7120bf3f8687041a3020ca678a8751

SHA1
47acbe437656b2186e7b7824b586002c5c5d7041

SHA256
8dbb5ce8f824f41486592031127cfeb4400a28fcb322f4a8a4b1c2637f502902

SHA512
8fffa45039198df6e5a9a1f1c5e89f9077328f8994198565cf1d788bb724062c34599f836e3743f596ecaadf8ced3f7da12402d718c66b68ef145ede4b36ed7c

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
96KB

MD5
238ceda710f585999a7e53d1fde5f667

SHA1
950d7ae092d5419d23acc3f2a78d6b5ecc3caa44

SHA256
a5311ea4dddff3d74e1cae9551fc0f28fa7ca2e8e12417be8a5828a46cc5ce04

SHA512
33dc99e4966856923063e7de044e31be06375a4731a43f7fb5ed9c500520592fd9a7c330c0c5371e65fee9dddbd10e7283ff5273a89c64506e93d70e32e60c6e

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
96KB

MD5
5f6275eaedbcd7fd8f8c3dbb2f6ce1a7

SHA1
749d0a8de8ff41891a8f646aeee744ebcbd49653

SHA256
8ea9b09216187ce762eca759281939656fd7819ebd2d7c22ac4fee057354a1b1

SHA512
926908eb71223c67cc345307dc2a9deae8bee56e8b800ee8c78f9601426ad12ccc45ac1b2c42de072383c506f9652ca9fe2e52c7446454eb1682a92898fa62b4

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
96KB

MD5
77a4e9fe3d1de3d9269f7756efef3470

SHA1
891783803c569bc7bcf84a1c553ee465181168f2

SHA256
b9a8c6f2d4112c6b79a5590cf6bfa25361bc6cd711372afc62d4957817e5be2c

SHA512
9a11f5e51db7d51532c27312633234349bc3218d84e7aae1331d917a1d9f427c7876320907cf3485fda7ecf43066fb6d8f41709b80e7ffac28870174b790cc40

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
96KB

MD5
8c8ec700917ade54cd50d4d0929064ad

SHA1
18c38a379db40bd514914e30eae20e94a2b22ecb

SHA256
e97307fa78da79c47f50cead2a20dc2408934bceefeb9b24b1d82b49f20cc2be

SHA512
858c487ee895c555e7ba999a7449e52cb22a0290bd9334599b53e3b854460ea87d4cca7ea67738ddb738d691501b2e416c5046a34219a12ea3936b10bc501e42

Download Submit
C:\Windows\SysWOW64\Nmdgikhi.exe

Filesize
96KB

MD5
09c22b49d8a5a718ec9a52cdea6335fa

SHA1
996d6cf750fb1707e62ea7c6238534e826710efb

SHA256
460075100aeb0fff71cf1905fdcc4c895f8920c813f719fb56080faabc4ef6bc

SHA512
ee3640fdbd2de47c1b3d1b548e93ba9ae9e33bd5c23ddd009e31a5de5873954d5f5b5a54849ad82424a6a41cddc7ff0feb087b0cf1eb665e13dabe7da467693d

Download Submit
C:\Windows\SysWOW64\Nnfpinmi.exe

Filesize
96KB

MD5
6890bc2d091d64dd12479a2296631bcd

SHA1
03b0afb521d5411c300701bad4eba93e6fc3ded8

SHA256
58cce6d56d465b9e8b4c86b536631a058e5778d5eb7d81e912472f32213a4a20

SHA512
85a54ffddaf121423fe02f2c624eee3031b00fc931554a915f3f069c7f57f6e3e50bf3a0906fef6684646bb8753af9ff644b84c379ff6a33c53233bd38cf26ca

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
96KB

MD5
808a2b6645f4102949844b801a22085c

SHA1
9baafdcf3eb43b6f90fe1a51b11aa9c4c9c99dbf

SHA256
c5c42d8c0d99d410e57403bd6275f35caf039a1734fdc9a20327316f2468a795

SHA512
9c15d82e959954de7521828bf7f465f3e00417593442bf2b0576558d31fd25e3ddc8fb2749d5b2524d93e9abd4caa2844871765a93d43784dd40c04b9d3b2546

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
96KB

MD5
9bc4387f56c966c51f9524a1d5098e09

SHA1
651f2c3d9403c6b0613acb2d7d6bd5f6ef77384d

SHA256
c23cd23959f70c16e65e4e683fa4c7254310d32153599db3b8d0d2687d0aa0b8

SHA512
6b41a32a47bd504c1c39fe3c7353e421c968edbb31103947c0e17460e4344749d07b67c1b3bf2c31e97e7600e46afb7e8a91349946bf58aa089c2f08f373f560

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
96KB

MD5
cd00d3c894b5117a3df25ef1ebf65e16

SHA1
fdf88aaee1611fdd449907fc0d6af41551729fc5

SHA256
82a4fb4d403affac2540b5b56eb158f04f3a6088a1748f57ba00815eede0856a

SHA512
edb094d3e91a938f72f4f4cddf5f18ca32fccc252b7aa2c6feaa995b15232f01a336efcc376e62602d283126d7ad7d222b5c808dc900693fade7d316b4632e2f

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
96KB

MD5
294b390d3280c6d42e6332af1867504e

SHA1
141356791960031e89173905c1be2dcdc45970ce

SHA256
bcd05c85673d519410e8511811eb6b444fa9ba3b354f775ba2bc8a9f4371679e

SHA512
bc3bdf3b8821cae1a56685256f2867be0a6978160c99d576ada3de921861abb7f8883d8d9efb3e58ba4e9a9d06ceec517f05dced353933b39c3acdcfe12309b4

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
96KB

MD5
7d4f2ca8ef68acdff2e0591a5df3905f

SHA1
e991b585527c615a754cc91056a7b8bc3894b889

SHA256
bcbbb1d056df6df1e2b28a3abcad1fb067c8a597502d83ffa3fc499c4b69b362

SHA512
05fcfe76d5c0940c96b8776d88531c53c254d21be25a7b145628dc93af32f37db5cc645d8023f6bcbd7ad6208cd07f48777301a82ef84ed6f286b342bd9428f9

Download Submit
C:\Windows\SysWOW64\Ofhknodl.exe

Filesize
96KB

MD5
86f017e0bc8b0551debcb2337b747d1c

SHA1
c0039cfaf467c33b00d3424267e58255e81895c6

SHA256
e754a8e5cb2862149b977db01a16964a71139ee2d6168aea095089f0db0427cf

SHA512
1fd73c8b5ce9ea051938fd63642d5e058598d7cb6f35408e852677d6b57fead173b13877ae4ecd76f491b4454f4cf23582cafa43f9a145cb0fde6129c5adc782

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
96KB

MD5
96801c7ae683a0e8372bd278d5364d19

SHA1
4a5ba016aa5c6a78b19e7feb23e67297d1face57

SHA256
0e5b39427fe49a6817367fdffdba8c0f8b773f62d5385c2e76045a339782719c

SHA512
42865afe47487c9c70a92717ed54b346726acb0ebc24235afc77e54524b6b61b0b5427b419e06f7826123b3090525464fc4ce86cf0331baeaf4c64c66712f6b7

Download Submit
C:\Windows\SysWOW64\Ojajin32.exe

Filesize
96KB

MD5
b8695e66f256ddc58b6abc908bc58a95

SHA1
6c7ce30273e98663f83a4f2abfe920491d1d5f2e

SHA256
ed94453ac2784df6c939a0f06c8f8cf7f8f9f89f681822d9579ca02de04d864e

SHA512
b3d03cdf27497b09d3f0dc11fb1ff30579845bf394e86af1a0d20bb41f73bd52b9938a9b4ab3e97772f25738ed610ac2037d1b7ba65dbef06722a2a13c62c05a

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
96KB

MD5
6d719ee206d8f5d6df56b49679d39f9c

SHA1
22db8db48e99fe67d2dda7270fec0a4c7a832809

SHA256
02831291e5092bfe045f064a7361e79f1b7fe1fdff27738f996be9c30b866a83

SHA512
78c4f71e97832013791d162fb81c0b7be9bfdd0a6efa6c1bf3d458f01ca74588258c1c5a207e27fd24df08ed55c7a5df64b673f747195a4b6a9267ffb6fa40f8

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
96KB

MD5
ce1c05397a27014f9a6a24b97808a295

SHA1
eabe1aa5fb1de66c94ad9b36a2ac68b778da8bfd

SHA256
7d9733ff6e624e871267fe9e74f5027ff5c697ea3cbdde60246ca3a481ccf0c7

SHA512
197e570aae9b3b25300f5c54042a37be2ef33212fb2c1c753b323b1c0ec73e02e979030e3c4e9889b5af501360aac90c9f67e7ba4b75ceec96fc0d2222348018

Download Submit
C:\Windows\SysWOW64\Onkidm32.exe

Filesize
96KB

MD5
afaece293b5de1cdb1d695a76764c3b5

SHA1
98e397a6db06937e1cdc524554bafa2f30ca3d63

SHA256
9d49e38cffe2178f26fa0c5345189dcb1d4ceaca93a4a6cab69cb8db5925d7f0

SHA512
8cc66792fd8a40b8207d1c7239b4b792f33a85c68b86d9ab226cf70ad8313b457f7b084bc6cdd7ac8e887424001c684e18dd2c308bbcd5fa7d95925e27442ab2

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
96KB

MD5
fc823aec0ba968a491b633dd62bfcd29

SHA1
8b1902a46702608beb25cf17c789ee5ad00bc511

SHA256
db5db632dd439f38ef7953ba5362b09b3b8d5e7ebdb94e10bd3566e857f8af88

SHA512
b7ebf074ac2f30e40d0d55e1d21550063ad6118e6b5bd42ff70e20b4a5e5fcc8cd2f344bfa25c40f7ca74c4de655821cbd79ac24d71171d8c73055f8d3a0c9e6

Download Submit
C:\Windows\SysWOW64\Pdbeojmh.dll

Filesize
7KB

MD5
2587127a8930a24e9379902b28f5f80d

SHA1
8b4f09cf0d93a7ba6d76bea9a78e37c290b3bd96

SHA256
8980e4ed8d897e9fb3a798caccde5915259c8aaee0cf42f8a8094becf6215a3e

SHA512
1f3141dcaf7104c1e376f0786818c2512a5cfe21b8914f2b9417c7f13c83879b3288e689eecf20e0660d3e0fb320eda459b28e177d2d7a2eae7e0c31f570d023

Download Submit
C:\Windows\SysWOW64\Phfcipoo.exe

Filesize
96KB

MD5
6f7a39143fff511e91d026edd62a58d7

SHA1
cc694e30fa7520bc9ba5a8c0f4ae6f5d8bf00909

SHA256
7014b91f1e19fe2e6b9f4bf08945ac4b83fbc403374a28a8987ba0d9145187e2

SHA512
1274a068b4bce9dac9ba39fcb522490821958231e0e04d61af33005ca71b2822e44445e0694207eb61e63c7e10b5a3be7e3a3d0d1af010731728efa29d0a12e2

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
96KB

MD5
ae8dcc9177a35a356d9f688010eef362

SHA1
d35c5a508b59d097a37687073ad2a83dee08340e

SHA256
f718d85c28fd4f4a304352e1c469fc2098fd62268d26ea23fbe3ed98696ec623

SHA512
b7e1f94989e6ebd09f94674bdf1c2c9338c01b59733bd960227aca11dacd1783e9311ac464fda03fc2976a5c1cc6c1cb6b1f1c3dd12de26ad8b78c3d6bd7e3bc

Download Submit
memory/100-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-485-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/952-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-503-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1104-547-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1216-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1224-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-560-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1232-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-401-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1480-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1496-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1600-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1780-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-407-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2452-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2580-575-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2632-419-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2656-273-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2664-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3176-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3220-554-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3316-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3556-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3600-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3700-567-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3712-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3808-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4056-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-581-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4172-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4176-561-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-553-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4288-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-582-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4472-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4488-104-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4540-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-574-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4648-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4668-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4680-515-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-588-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4692-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-527-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4820-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-589-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5016-477-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-568-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads