berbew | 9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244e

Analysis

max time kernel
113s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
Size

243KB
MD5

c78f754c0c5c66951f722e62482ddb80
SHA1

9c7b2a5ab9669ad3b1c29730d700c0113042ff0e
SHA256

9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244e
SHA512

e6deebff8dafc7355c7f2f1f767c981b75b6a20adc1c56a75104b578971e928c9dc1b779361e9104df4aac70c8387f368fecc69c918675707041778b4be85a6d
SSDEEP

3072:wc1IVxpsKz8lHXtlU2Nhluy78nwTxyIvXQWBaolfC4VJ62Q:X1c/sKzwdlU2zlNgwTnAWtlhjQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijpnfif.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olonpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljddpfe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Poapfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oeeecekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqcpob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qngmgjeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbkbgjcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amqccfed.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 51 IoCs

pid	Process
2936	Npagjpcd.exe
2596	Ncpcfkbg.exe
2568	Nadpgggp.exe
2144	Nljddpfe.exe
564	Nkmdpm32.exe
1120	Odeiibdq.exe
1796	Oeeecekc.exe
2556	Olonpp32.exe
308	Ohendqhd.exe
836	Onbgmg32.exe
2408	Ojigbhlp.exe
2224	Oqcpob32.exe
1800	Pngphgbf.exe
1952	Pdaheq32.exe
2236	Pcfefmnk.exe
1812	Pjpnbg32.exe
2348	Pbkbgjcc.exe
1364	Pckoam32.exe
2472	Pfikmh32.exe
340	Poapfn32.exe
3056	Qbplbi32.exe
2716	Qkhpkoen.exe
2188	Qngmgjeb.exe
1608	Qgoapp32.exe
2708	Aganeoip.exe
2684	Aajbne32.exe
3016	Achojp32.exe
2220	Amqccfed.exe
1652	Ackkppma.exe
828	Aigchgkh.exe
2120	Aaolidlk.exe
2908	Aijpnfif.exe
2324	Apdhjq32.exe
2660	Afnagk32.exe
2872	Bmhideol.exe
1940	Bpfeppop.exe
300	Bnielm32.exe
2280	Becnhgmg.exe
2484	Blmfea32.exe
3068	Beejng32.exe
744	Bhdgjb32.exe
2492	Bonoflae.exe
2972	Behgcf32.exe
1356	Blaopqpo.exe
1644	Bmclhi32.exe
960	Bfkpqn32.exe
1984	Baadng32.exe
2092	Cdoajb32.exe
2900	Cfnmfn32.exe
2624	Cmgechbh.exe
472	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
2936	Npagjpcd.exe
2936	Npagjpcd.exe
2596	Ncpcfkbg.exe
2596	Ncpcfkbg.exe
2568	Nadpgggp.exe
2568	Nadpgggp.exe
2144	Nljddpfe.exe
2144	Nljddpfe.exe
564	Nkmdpm32.exe
564	Nkmdpm32.exe
1120	Odeiibdq.exe
1120	Odeiibdq.exe
1796	Oeeecekc.exe
1796	Oeeecekc.exe
2556	Olonpp32.exe
2556	Olonpp32.exe
308	Ohendqhd.exe
308	Ohendqhd.exe
836	Onbgmg32.exe
836	Onbgmg32.exe
2408	Ojigbhlp.exe
2408	Ojigbhlp.exe
2224	Oqcpob32.exe
2224	Oqcpob32.exe
1800	Pngphgbf.exe
1800	Pngphgbf.exe
1952	Pdaheq32.exe
1952	Pdaheq32.exe
2236	Pcfefmnk.exe
2236	Pcfefmnk.exe
1812	Pjpnbg32.exe
1812	Pjpnbg32.exe
2348	Pbkbgjcc.exe
2348	Pbkbgjcc.exe
1364	Pckoam32.exe
1364	Pckoam32.exe
2472	Pfikmh32.exe
2472	Pfikmh32.exe
340	Poapfn32.exe
340	Poapfn32.exe
3056	Qbplbi32.exe
3056	Qbplbi32.exe
2716	Qkhpkoen.exe
2716	Qkhpkoen.exe
2188	Qngmgjeb.exe
2188	Qngmgjeb.exe
1608	Qgoapp32.exe
1608	Qgoapp32.exe
2708	Aganeoip.exe
2708	Aganeoip.exe
2684	Aajbne32.exe
2684	Aajbne32.exe
3016	Achojp32.exe
3016	Achojp32.exe
2220	Amqccfed.exe
2220	Amqccfed.exe
1652	Ackkppma.exe
1652	Ackkppma.exe
828	Aigchgkh.exe
828	Aigchgkh.exe
2120	Aaolidlk.exe
2120	Aaolidlk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pbkbgjcc.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Nadpgggp.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Qbplbi32.exe	Poapfn32.exe
File opened for modification	C:\Windows\SysWOW64\Aijpnfif.exe	Aaolidlk.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
File created	C:\Windows\SysWOW64\Elaieh32.dll	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Pckoam32.exe	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Ibafdk32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Amqccfed.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Becnhgmg.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Qgoapp32.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Olonpp32.exe	Oeeecekc.exe
File opened for modification	C:\Windows\SysWOW64\Qngmgjeb.exe	Qkhpkoen.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Aijpnfif.exe
File opened for modification	C:\Windows\SysWOW64\Nkmdpm32.exe	Nljddpfe.exe
File created	C:\Windows\SysWOW64\Aceobl32.dll	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Ffjmmbcg.dll	Pbkbgjcc.exe
File created	C:\Windows\SysWOW64\Poapfn32.exe	Pfikmh32.exe
File created	C:\Windows\SysWOW64\Amqccfed.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Qofpoogh.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Amqccfed.exe
File created	C:\Windows\SysWOW64\Apdhjq32.exe	Aijpnfif.exe
File created	C:\Windows\SysWOW64\Ohendqhd.exe	Olonpp32.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Ojigbhlp.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Qngmgjeb.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Qgoapp32.exe	Qngmgjeb.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Olonpp32.exe	Oeeecekc.exe
File created	C:\Windows\SysWOW64\Migkgb32.dll	Nkmdpm32.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Aganeoip.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Aijpnfif.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Becnhgmg.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Nljddpfe.exe	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Ipfhpoda.dll	Oeeecekc.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Odeiibdq.exe	Nkmdpm32.exe
File opened for modification	C:\Windows\SysWOW64\Qgoapp32.exe	Qngmgjeb.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Amqccfed.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Apdhjq32.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Becnhgmg.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Dcnilecc.dll	Ohendqhd.exe
File created	C:\Windows\SysWOW64\Qbplbi32.exe	Poapfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
532	472	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olonpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfikmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajbne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkmdpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohendqhd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qngmgjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onbgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oeeecekc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbkbgjcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aigchgkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkhpkoen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Becnhgmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Poapfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijpnfif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljddpfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pckoam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqccfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaolidlk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjphijco.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdiadenf.dll"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migkgb32.dll"	Nkmdpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Aijpnfif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaapnkij.dll"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll"	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igciil32.dll"	Pjpnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onbgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	Pcfefmnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elaieh32.dll"	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfhpoda.dll"	Oeeecekc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohendqhd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbkbgjcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Amqccfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojco32.dll"	Qngmgjeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbjgn32.dll"	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khcpdm32.dll"	Nljddpfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmelgapq.dll"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpoogh.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Becnhgmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pckoam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olonpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfikmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkmdpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bhdgjb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2936	2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe	30
PID 2728 wrote to memory of 2936	2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe	30
PID 2728 wrote to memory of 2936	2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe	30
PID 2728 wrote to memory of 2936	2728	9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe	30
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2596 wrote to memory of 2568	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2568	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2568	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2568	2596	Ncpcfkbg.exe	32
PID 2568 wrote to memory of 2144	2568	Nadpgggp.exe	33
PID 2568 wrote to memory of 2144	2568	Nadpgggp.exe	33
PID 2568 wrote to memory of 2144	2568	Nadpgggp.exe	33
PID 2568 wrote to memory of 2144	2568	Nadpgggp.exe	33
PID 2144 wrote to memory of 564	2144	Nljddpfe.exe	34
PID 2144 wrote to memory of 564	2144	Nljddpfe.exe	34
PID 2144 wrote to memory of 564	2144	Nljddpfe.exe	34
PID 2144 wrote to memory of 564	2144	Nljddpfe.exe	34
PID 564 wrote to memory of 1120	564	Nkmdpm32.exe	35
PID 564 wrote to memory of 1120	564	Nkmdpm32.exe	35
PID 564 wrote to memory of 1120	564	Nkmdpm32.exe	35
PID 564 wrote to memory of 1120	564	Nkmdpm32.exe	35
PID 1120 wrote to memory of 1796	1120	Odeiibdq.exe	36
PID 1120 wrote to memory of 1796	1120	Odeiibdq.exe	36
PID 1120 wrote to memory of 1796	1120	Odeiibdq.exe	36
PID 1120 wrote to memory of 1796	1120	Odeiibdq.exe	36
PID 1796 wrote to memory of 2556	1796	Oeeecekc.exe	37
PID 1796 wrote to memory of 2556	1796	Oeeecekc.exe	37
PID 1796 wrote to memory of 2556	1796	Oeeecekc.exe	37
PID 1796 wrote to memory of 2556	1796	Oeeecekc.exe	37
PID 2556 wrote to memory of 308	2556	Olonpp32.exe	38
PID 2556 wrote to memory of 308	2556	Olonpp32.exe	38
PID 2556 wrote to memory of 308	2556	Olonpp32.exe	38
PID 2556 wrote to memory of 308	2556	Olonpp32.exe	38
PID 308 wrote to memory of 836	308	Ohendqhd.exe	39
PID 308 wrote to memory of 836	308	Ohendqhd.exe	39
PID 308 wrote to memory of 836	308	Ohendqhd.exe	39
PID 308 wrote to memory of 836	308	Ohendqhd.exe	39
PID 836 wrote to memory of 2408	836	Onbgmg32.exe	40
PID 836 wrote to memory of 2408	836	Onbgmg32.exe	40
PID 836 wrote to memory of 2408	836	Onbgmg32.exe	40
PID 836 wrote to memory of 2408	836	Onbgmg32.exe	40
PID 2408 wrote to memory of 2224	2408	Ojigbhlp.exe	41
PID 2408 wrote to memory of 2224	2408	Ojigbhlp.exe	41
PID 2408 wrote to memory of 2224	2408	Ojigbhlp.exe	41
PID 2408 wrote to memory of 2224	2408	Ojigbhlp.exe	41
PID 2224 wrote to memory of 1800	2224	Oqcpob32.exe	42
PID 2224 wrote to memory of 1800	2224	Oqcpob32.exe	42
PID 2224 wrote to memory of 1800	2224	Oqcpob32.exe	42
PID 2224 wrote to memory of 1800	2224	Oqcpob32.exe	42
PID 1800 wrote to memory of 1952	1800	Pngphgbf.exe	43
PID 1800 wrote to memory of 1952	1800	Pngphgbf.exe	43
PID 1800 wrote to memory of 1952	1800	Pngphgbf.exe	43
PID 1800 wrote to memory of 1952	1800	Pngphgbf.exe	43
PID 1952 wrote to memory of 2236	1952	Pdaheq32.exe	44
PID 1952 wrote to memory of 2236	1952	Pdaheq32.exe	44
PID 1952 wrote to memory of 2236	1952	Pdaheq32.exe	44
PID 1952 wrote to memory of 2236	1952	Pdaheq32.exe	44
PID 2236 wrote to memory of 1812	2236	Pcfefmnk.exe	45
PID 2236 wrote to memory of 1812	2236	Pcfefmnk.exe	45
PID 2236 wrote to memory of 1812	2236	Pcfefmnk.exe	45
PID 2236 wrote to memory of 1812	2236	Pcfefmnk.exe	45

C:\Users\Admin\AppData\Local\Temp\9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe
"C:\Users\Admin\AppData\Local\Temp\9bff61fc6ddc168467ace8917dbd57cba3602453495ccab1f3552689fb6b244eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Npagjpcd.exe
  C:\Windows\system32\Npagjpcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Nadpgggp.exe
      C:\Windows\system32\Nadpgggp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\Nljddpfe.exe
        
        C:\Windows\system32\Nljddpfe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\SysWOW64\Nkmdpm32.exe
        
        C:\Windows\system32\Nkmdpm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Oeeecekc.exe
        
        C:\Windows\system32\Oeeecekc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Olonpp32.exe
        
        C:\Windows\system32\Olonpp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ohendqhd.exe
        
        C:\Windows\system32\Ohendqhd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Onbgmg32.exe
        
        C:\Windows\system32\Onbgmg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Pjpnbg32.exe
        
        C:\Windows\system32\Pjpnbg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Pbkbgjcc.exe
        
        C:\Windows\system32\Pbkbgjcc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Pckoam32.exe
        
        C:\Windows\system32\Pckoam32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Pfikmh32.exe
        
        C:\Windows\system32\Pfikmh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Poapfn32.exe
        
        C:\Windows\system32\Poapfn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Qngmgjeb.exe
        
        C:\Windows\system32\Qngmgjeb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Aajbne32.exe
        
        C:\Windows\system32\Aajbne32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Amqccfed.exe
        
        C:\Windows\system32\Amqccfed.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Aijpnfif.exe
        
        C:\Windows\system32\Aijpnfif.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Bnielm32.exe
        
        C:\Windows\system32\Bnielm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Becnhgmg.exe
        
        C:\Windows\system32\Becnhgmg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Beejng32.exe
        
        C:\Windows\system32\Beejng32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 140
        53⤵
        Program crash
        
        PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aajbne32.exe

Filesize
243KB

MD5
0116859e4cb8ba32b3c3ac3b59a57bd3

SHA1
492f9fe5bbe0a152ece253612bc40c900799152b

SHA256
14d79d6bd062a9ba8b75a5551f0616da5d6ec68172de5176842e1010c460a9d5

SHA512
23a7ca03be3ffe63989ac08acf052c58e635b7a91e0db610b4bd3bbc2e9b7ffc9e65f30d09055866f4b18289e54f9accabb1ac863f8e8c07cf2f81f2a9c945ef

Download Submit
C:\Windows\SysWOW64\Aaolidlk.exe

Filesize
243KB

MD5
03732812e1f626c47613c0a849ab9c8a

SHA1
f531d93c8a83aa76e94f98b6ae9243f82323b270

SHA256
f39897aa95d011085117bc95e300785e645c4934d2e12c5dbdf5a5162b54ee0d

SHA512
4c7bcf7420a6aea1711513dbfec030c24432b736efef6a7bec8026877136f54c000668def37d70204299f1c2937d048fc072000c58d6c1642db7cc28a1b69c19

Download Submit
C:\Windows\SysWOW64\Achojp32.exe

Filesize
243KB

MD5
6b43b8dc18d4932a134941f63793bd20

SHA1
d96b686b854a79256a42649cc76a5290090f8809

SHA256
f53667b7a319fd4467554d4443a118a4462248ba70c0877f6fdd46166540b420

SHA512
063ca84550fb8f44468d383ea618e392c9e51113b9b2713ec8df44e368ec252b0a243de61625b9aff342ee68c4ab07178a95125d4fbbc0bdcc43deeacd1f98e8

Download Submit
C:\Windows\SysWOW64\Ackkppma.exe

Filesize
243KB

MD5
5492423765a067158f34ac1d51dc4745

SHA1
ad8865ce07ecb737d796800cd6a44b86dabd5f4c

SHA256
89283856ff5729f55f01e378701da69b27e7ad303262034cb1ab59d4cc2bc844

SHA512
c8ada0c0f7a35bcfe59f238c8f8168b5342f107298d8b53fc14609006b1732b71004b8ba9487a12bea65acf98302aaf5f056055a583a13902665a42a8351a76b

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
243KB

MD5
99b5c650e1c8aae8658fb709e73dbf1b

SHA1
1afc700987c1570b6fac5d130495c7fa535d6d72

SHA256
65932d629482d109fa58c3f76177181f92454aa6353121314e65a5baef34a0e4

SHA512
cc7e53d7bea7609b12c0f2ef0a9081cae16a39531458543d5a7a0f2deada7450c10fc4b45f3e355d1efebaa236b2a27377d3d6dfd9f17389dc235d987fcc4772

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
243KB

MD5
6c3e9ca186533c53780eacb482d20eb8

SHA1
066bca5ec9e39dc4145b6edc64a4d50150dec775

SHA256
3d53d07e08ff55716dbabc42ce99d53ece86a293a03fba7c5aef64dff058e07d

SHA512
df4640d33f4fdd049d7eac1ce7eb03c894d3d9db05d8efa6b2cba64643a3db3f2a980781626a693d55b70ccf5e5650d18ca19935da069b9fc78366eb091a86d5

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
243KB

MD5
95663182739b408376607e118bef13ad

SHA1
482034ec0b6bd4e76741de5cbbb3c6bcae25f288

SHA256
b332bbb3596e8ab874bb9cd6f5844e7794fe1846b4abbdaca5d6dcf6896c74fb

SHA512
6f65bf7a06df0793452f0112a85dce99a1652da730c4f160bfd6baaee666dd6e9cc64b3eb512cf4d5f67c4f31cc1e033f9a482c007f681ad737164e8b39e4df0

Download Submit
C:\Windows\SysWOW64\Aijpnfif.exe

Filesize
243KB

MD5
987c683a19f8d1a4e5494e6fd7159443

SHA1
77b2ac9a80cb6b8714251e819a89a9e2fc0771e3

SHA256
85f75eae70ef11bf951239dfded7215f47a4836b3a16c56e19e5a792ad3d19c9

SHA512
32aa6218b9ad512cb82ac33a220763f8a2b44973817b3693d9ea12cc0edf975af6441c0d4dc540bb68ee02ff3e37e84a7faab4818d909ec434825767e5eb3a51

Download Submit
C:\Windows\SysWOW64\Amqccfed.exe

Filesize
243KB

MD5
37c7325ed77dac776cc375486137cb10

SHA1
bd128780bc199cf6d0e89c2e5913192172dbe618

SHA256
3a238324b96c269273b67ac25327ed12aeac185a3250d947a07be177040c25c9

SHA512
09d3135c190251a00ee184a3e29761c2ae6aa2fe95e8abfc35fb93a1b62ea03ca66fd54db14968a6941d1ceef0fc0e61d18864a5b3d69da5225acd3ec93380b9

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
243KB

MD5
5e34fd137dfd10da7e465f2b34bf46d5

SHA1
9fdc0510cdc6d0b2810ff4b0b9596dcb0e4b750f

SHA256
99ba9fc1451665768100a7bff4e7b532923b23ef84d9f9df528ac1a954138c2d

SHA512
0e43b22137d09cd57ad6b6de91f4ba077922dce07a0e4dbb8b7042e0e680118c467d530a73dc588fffaceacb37776560faba752fbf04154e32bbc0d6d461e16f

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
243KB

MD5
28feb9afa5da1343ff0c2902f2e0d135

SHA1
4b668c364042a03650acc087a38b9da44670822b

SHA256
86b4cdfe73393c274624db3fba68a7b09d3cf54b311bfb1cf02c9159d0c3b8d0

SHA512
d2a322e45c2dc2ece8b94c0e815111402b5529331502229e919f9229724f5220c9767d9e7664b774b5f22419b4505c3e2810469b6ead5614abc3125e11c23a94

Download Submit
C:\Windows\SysWOW64\Becnhgmg.exe

Filesize
243KB

MD5
190813b370a8e4a612773b8bb40e194c

SHA1
ef233e60e446564765ffc65fa2b6a94e704b92ff

SHA256
cd65a9dd3dd5343fa934825d10cc1a2ff6d026ea60d3215e582db1a6e650291e

SHA512
054fc07e5fc8ac20bc03e9a58529add617a09203c935b93e6490f291272f8c00b0916f4202b85410c923e72c29ca797ac0e37439b3f8ecb42deec753c4efd9d7

Download Submit
C:\Windows\SysWOW64\Beejng32.exe

Filesize
243KB

MD5
da8608b568fd4e758e98af265d384d12

SHA1
ddf778abc1c0ff97de0dff0baaf9d9b26ba8bb88

SHA256
ca78b295978f2579cb7d3b905da15ca51ae653c3d63e4ec42a1a219c4e08d675

SHA512
a66797352befc334134e85db821e226c71090278eafb0a81783e787894d0ee5470e1a57f50c5e0dd007ee17cb02729d66cad3949c0826cd59a7448ff093b7598

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
243KB

MD5
faced47ffe46d3b8e595a3b2c67ba09c

SHA1
7c32afca3f9d37901283d4a73a78fa0d892179d4

SHA256
c71690d29896867a51e73dc2620dd3a7daf773c00f05cd1b50880e6e224b44a0

SHA512
8805aef6700af8e2ff2ee6274efd628eb743397c9fc029257bd91d59c9501917440d36f43cb1aa94e918586d91df849eb0860d5596a7f5f87d5e6649a46e81a5

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
243KB

MD5
98bd3194ce164e6c8f6ccbb396ded89b

SHA1
afc1101679de9853e55fbe6e5918c53087c566d1

SHA256
897088a21d31052ddf3b46f202382280eb96c589e496d7f839609526e774174a

SHA512
6096e0d0275df4d284b437ea63b48d0dc90c6ce125575d44770dfd0c75b52ea8459f1654c7e8f4f2bb6698bfb9fc8ddff501344fa34c43a99d54fc40938f41dc

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
243KB

MD5
91214f3a5fdcc086d611fe25c4cf3e56

SHA1
f190673baa8a4d33ccab27f7bb046e4f5a715907

SHA256
9a3cb4ae5a0dba88b7f36b3ab9523f38aa94bf0ffefc87bcda8fe94ca7e54400

SHA512
b2a429832e6e11d68f800bb97f85c9c7baed9c9673eab251494e639ad40b231fed341495b8b02784c586be1b15df503b4860b021dc735a857b9fe92b74b05140

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
243KB

MD5
1071d9470bff2c3638669dab9a4cc63b

SHA1
86e54a76fea2c42231398ffaac9ebfba8acedb4c

SHA256
b217558d8fb260ea7e21bc67ef1df95773d4b21e9f03a07a52ac478e54aed1a8

SHA512
9b6d393babc35cd94ca6fb66a91476b82fcca0a620a2fa12bad11f59e3b3fa38e98f9036675b902297fec84bc45c9cc494bdf2cf68b4e8a78826c181bb383664

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
243KB

MD5
f7dea77de83f41f40df3d050027e2cb1

SHA1
1089ba44b7c21004ee9627574b1276dcb3295e61

SHA256
ee3d0a16ebca6581eca4d08c1a28f7358b58de599cfb989950f30976fe23c617

SHA512
978c61ffeda35f5740b524732710c0331c5d1b919820c1775122a1c78e2ca8e6bb7b222d4d6249744b1af923630a4e99b1a6e33786f09da7e42a33d00533d1c5

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
243KB

MD5
a322613a11e4d0b87b84dbb7bb09543f

SHA1
d8fd215d41d117c34444d8b160ef6d3f200f00b3

SHA256
aa6efbddeb5cb6077b3a633466aa162bd10618ca94ce98ce93a18fdba354a603

SHA512
d662538c676bf007b7df60570bb878dd4a2901565c0015cb601d6dae2257118219994e00c689f0b9794d55230d68ba784a14786fb222da115bee942b38b393d8

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
243KB

MD5
51baf59dcba5f2c28a97ad4f6e4bb01d

SHA1
a24d8f85284c65bd60672ab95ba2ad98784b15f3

SHA256
57414eb2ac1dc3b7ff579ad2dfee50b1859aa2908c1dcba256f5aa586a570795

SHA512
8056364a3de8680afc219b928bb52c1238aecf0c24e91a9c9800439fb3c6b960e14dca742160acde52b363831aa501adf0d1a0e14facc6a2a8d77cef04b0f9ea

Download Submit
C:\Windows\SysWOW64\Bnielm32.exe

Filesize
243KB

MD5
e8fe0cd8dd29d5808f90bc1ca448fc3b

SHA1
77c365a122d5b4d100e2f1b9ed80433d6fb2b6eb

SHA256
f73e02d1d5f36de6808786115baaf67bd9b86c3f722a6d4de7a57466d58bd97e

SHA512
b439a5461d562a96b475571f1faa794d39d1bba21823cd5cb2fab106ba1ea20e2b3fc16db1645f629b94a5f7a401296c5a3ac3453e24c02f189cb91030159113

Download Submit
C:\Windows\SysWOW64\Bonoflae.exe

Filesize
243KB

MD5
13a3665f53d1be865268708ea544ef1c

SHA1
3b9c420b4581f76e52dc1018118275c9020a9069

SHA256
99e19db3fae719c6f54c4155a12cc8a6dab5329a6b250d1deabb654823be621a

SHA512
abafb12bfde8d0001b5d45ccfb46a115884aaa6c46a437d5840e9480fe824c79c4d06144ded1d9dded44c4de1ff9b82691faa2062347eddb3ba1178cdf84917c

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
243KB

MD5
3f36ce9ce1f27c4130f8f684907fbdbc

SHA1
a4c00321ea9fdff5a88a95f05499e56446e94190

SHA256
1e3274a061dd2290b591b2e4c00459d1b6c75032282eeccbf8129ece0c0f7e7d

SHA512
dc2bf558cdf66082c33285343350ca57f729b73eac3b60f51d43eb9ba3873b35f7ac134e17104a860230b6c31610f44514a98bf027e0610c1c8a2ca17dc8122a

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
243KB

MD5
a0fa3f68af711d3f80c2d1b9f5849bf8

SHA1
7df092c1b6fa15c46d647aab14e9786dc5647ae7

SHA256
70ba057a741c1de25d526d721544fda495efcbd4728f0c8a13c6acecd6508d79

SHA512
d65ebb88e4392d00a8917e901b5bb66801b14b10d888f53a9e368fb3196a12be36457f156d3c90a09bf730325905d8509f28a9a86e15548d82ca41e9773c4db5

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
243KB

MD5
2c79fb5bada22839abff860b2c749172

SHA1
35bda60a5e510bf1b282258fdbd19150bd6a275d

SHA256
b48f555c08d9032d3758f7d1f1a2067b4cd2da9ac1ef5a846365ba4f44e683e5

SHA512
706bbb9201f10242ddee78bd742e0ce26784a45e9762731efcd41f4c00f19a19b53ce188b94cdd19a5fad63b773e1bd867e92e7358f48cf574e4d67c6a05d502

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
243KB

MD5
a6eebee76c826b19f6171a9ebfe2419b

SHA1
ed8967eec882ac3defd94efa088673438f379e6c

SHA256
6f42b8b4a9048364a9b214a13d41cf16a8f17918e683f5c1d30a3ce1a83f4056

SHA512
17af1eb5f398da1809a60b2ca2f6d82057da26ffe23c3c77bfb5d390fa8e2758d1deaa373e7bd0ea07104e1b3001ee9ec6fa6d598a7ce88762708a8ac74d4377

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
243KB

MD5
ecbbc61c299bada0653e899bf916acdb

SHA1
772d92c03906b26deda0e5832f1f23c3988d4455

SHA256
6d33e4fa306aeb6188690cb1c79cfcbd33ea0ef9eb4f0d757ae1295a553ae746

SHA512
d01a0dd7abcbd7dffffe7276a65ee983ba6300d694dbc4c9c8d7ab15ce45d98406c8f082746bec6e371986acf17ca2ea705610da30b9ce5035ed469ecac2b75c

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
243KB

MD5
eaa9522c6a44fd47ade11c4d29df8922

SHA1
12488cf5bfc58faca2d142fc07dc094e05341e47

SHA256
a29d6de3fc209fb4f844a9317669c723e65940a4632ebc02fb5d56a33fb3bca3

SHA512
6bfa92caa18bbf5a56ff63265f6bd37ccc78d23d35b758986bec5ca43a84f32de6f059a98dbb25c99102594293324df7d79bdfa634557e17fd82e8fe86ad07b8

Download Submit
C:\Windows\SysWOW64\Onbgmg32.exe

Filesize
243KB

MD5
8eba2b261661a110e61669150ae66ff5

SHA1
91e0d189676521476dd521593835d9ae455bc9a5

SHA256
d58664fc9f1125319c54f19e00994c66ef04073bdeb2de734141abe69e461650

SHA512
25c3ce36981c758b18bc0f3081f91479bab3fcab16d809b039777f648226221678b6f00708f52bbfc0291ed5a2124c6f761a5474397b5eae42e26c1cf8cb8c2a

Download Submit
C:\Windows\SysWOW64\Pbkbgjcc.exe

Filesize
243KB

MD5
8b8d1f20c66bfc8b80a3143c4897358b

SHA1
9da78d9a171dd42c5ab748bf9251647f9441f57d

SHA256
fe1db9c9f817c5a8a2f40cd5009656933f67528ee236d3e88ad357e1a5f88284

SHA512
d7249348247616903e63e6790c43c7c0632e92913ae8401cb9462d24a51ef32bfc69e93be7c15de21fc889903622f5d056ec43ae73ab6979fbecc61e4b7c32a1

Download Submit
C:\Windows\SysWOW64\Pckoam32.exe

Filesize
243KB

MD5
8acf9b186285c5d9beee44726b81b565

SHA1
98bbc616606be37e65ad8a87eb14b7a5163bdf30

SHA256
58eb49abbe58dd3c8fdd9f68d3f36aab34e95d0d74a8592e7a4cfc2401229037

SHA512
64f63eb0de3a908318612e42bf621d31642527f5619d3c6d6f2b9a1c83c1c948ed2d1d98913f2b49f1b8539c3f2fa2d7ee3abb88f69b8b482398600c4dcaec4e

Download Submit
C:\Windows\SysWOW64\Pdaheq32.exe

Filesize
243KB

MD5
68a17805336503503fb4235bad6a307b

SHA1
aee3250710f3321c47a1f1ea9d6df3daedbb3935

SHA256
f99b0df5caa667317abe54605d2de944454020ec29fe576eeb39c64e58187164

SHA512
c0054fc822f1e078f4583370914bc3a00ea9a8236c1be70797d8e1d63e5cc8c52e9bdc2a892f141a0c513ed775482a6f091b3a208d454ed910ec96583c5de008

Download Submit
C:\Windows\SysWOW64\Pfikmh32.exe

Filesize
243KB

MD5
9b50ae0c218d483cca2bbc7a64f89585

SHA1
0f70fd77fc5a0c366f5a6fa06f524a7efc86845b

SHA256
608a342333e937ac3638b3d095e77e7babecc49791764692ae949d271424b4ad

SHA512
5c33d1e4530edcff39e1fa5d8bec011c70b77153ce78cbd774703f1d10e2759a012062529ef4def467a51a109926bef5307b67e39e2295fdf94dca4255f71efa

Download Submit
C:\Windows\SysWOW64\Pjpnbg32.exe

Filesize
243KB

MD5
9d8d99a57aa3007d8436aba542096411

SHA1
cad79ebaa35165576c628f0c7f1a0a0eaf2c3387

SHA256
1e0dddc851f8de8b5564c9c1411fa736d1db24b13f407143e1fc47d5aeb4e881

SHA512
22143bc94be0fb5e4f62dadc30a8a428962660190756dc2e1d22078d731461d9d5904c0d5f44ddf18d156e8734f06d28f8a65131c72c03cf9d1aaac738e6ef63

Download Submit
C:\Windows\SysWOW64\Poapfn32.exe

Filesize
243KB

MD5
372ae584201472b67be067e5a87d253d

SHA1
fb979cd21fb489ee0418c61cd4d715726649146e

SHA256
6828a3ff489215ca3ca981946c093eef437a75bc63283287d44f756274102200

SHA512
ae2d0c7191acd82251fdfed56e21a1a6f1ad9e765676cd867c95ff581f9d1b4a6f386f2fd621e82a8d072aaae3a3753911d39bdc3050c9de13838559613c5c36

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
243KB

MD5
ddf6e52d6e4ad31a9cc08bfa9ac2bbf0

SHA1
509f4c1013f3008c095afe513941cec4e1dda933

SHA256
e60d346101a96b137ea0210c0afc251147326ee152db0e58d74fa8dbcd60fb79

SHA512
8b2dd9b9af95ba9d9004a8b36b3b3d06dcc446d021725c38fdb0a9f7b16c928626fe4a6fa60644c9679c3ce9afaf8cfbaf6088f46346372917be7690b837f79a

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
243KB

MD5
d0e4d5d5f52f1307afd341a1797d06ca

SHA1
122b6b895e15b611a644914b2b366987fbd329f6

SHA256
f86392999b889503d44f4cf5661853794680751a88e3e7ed0f6b2f8d8cec203d

SHA512
f1b01c7ff5ecd49f7c1ffb467ab574305ea4fd82cb7e0138c369ae4fad98c9bcbef0a6ea92fc19a729136b4580bd630e94d93d2d1977f14a7347fbb8f9efea06

Download Submit
C:\Windows\SysWOW64\Qkhpkoen.exe

Filesize
243KB

MD5
d3e383810af82f9c74ba55dd74311cfe

SHA1
c9d5d6fa69b06b56326f3a33b99d67ca30c5db97

SHA256
ed6c8789cc1c1c724ae4cd74cb1e33766d709a5d797baa5ab9b41b69c27808aa

SHA512
1016b37efcd4758223dd21134ca76715b20712c540fe06d4a6cc3047d132b6759cc10a2b0e56215cf1a29863df273489362f8eb986b561b597524479a41a28e2

Download Submit
C:\Windows\SysWOW64\Qngmgjeb.exe

Filesize
243KB

MD5
856e7b7bc61ff47625fb59acde5372e4

SHA1
0cd1f04ba7890a11c734d21f48e8644abe9db411

SHA256
f39655fd20f8ff442272f8f684e88619c43ec84557fbcfa5dbd55afa2407a7b2

SHA512
e78063403a7f349383597853bbfbc3a29aaa7d3267f0c1d8252f067a6fd59acbaf24a2f54faaf4e3843923d2fbf742deb4acc50e2f14f29aa72f701a8b11cfb8

Download Submit
\Windows\SysWOW64\Nadpgggp.exe

Filesize
243KB

MD5
cd01e438aed137e432cc27bba5c5473e

SHA1
ef2b41bda9bd33b699697ddce68c9db143124679

SHA256
883f0f3d59ae4a782f745a89af3919d07b424727666b69cb7f0204a21d126d10

SHA512
0338b0f2d0d989671cd15a36ab7c5fd210363491165102b7061b32302759d114c1057edc64859f9fcb7a76eb155c8af5cdd2e84eac68c996b59804a7ff8a6540

Download Submit
\Windows\SysWOW64\Nkmdpm32.exe

Filesize
243KB

MD5
f87fc47e4826023d87d0ae79e5ff5120

SHA1
d2f64fba8aed9386e8b8d45e7cd20b550fc7d897

SHA256
35c49316a7959e4724cec4168aaf5792d5cf926ce2a2b1e04b3c813a9f3e2e58

SHA512
3d125d223763eb20887053e6377b34e6c18ddfe625c427fd4ee2a9e5dc374c322af451fc26747381ee6efd77c0f4110f2277eb1932f99b7d32fa7511e4a18d0b

Download Submit
\Windows\SysWOW64\Nljddpfe.exe

Filesize
243KB

MD5
b0d6918b53fd3749341f39f8101e2a08

SHA1
3d1e6e619287756db7cd35a31c5fdefe383ca0fe

SHA256
8e6a42a12f08eea971357c6aec96f652680038354a298b646556e0b2eb4c91d5

SHA512
381d4ae66e495cf15345937d4eb90e88bff25ddffd395be354ef70076b753a57d5d63874c30c959e663018d7acd9392c3ce21fedc485053b147ae4762406ffba

Download Submit
\Windows\SysWOW64\Npagjpcd.exe

Filesize
243KB

MD5
3e2dccf9b1a4d36d26dca6d95631fba1

SHA1
fee32f45ea9068d10a780a25859f3accf86e0baf

SHA256
70d79bc7ac36b16400b9a11137ddfeba4b8a421739eb47b00d311c31bc694351

SHA512
a6d51985db349769eaf805959dfec5f67b43d29f71f8b5998d2e98aa0197526a891d15e303652763d43c18276e692415ff2a795e5c734e3fdbe72f23429f2c55

Download Submit
\Windows\SysWOW64\Odeiibdq.exe

Filesize
243KB

MD5
6f0a89bda60343b5e35bd032fe1e2957

SHA1
f188789bfa8be244169c51f00ece471989f3c693

SHA256
9a71f017df240f324bb02f88bcd867ddbea4352073cf5900f4e39dde4a38d2df

SHA512
62b0b4af4a289cdc0256a1d7e04f8a42475ef78c429aea3d235a6c58f91c75773b135de15ff39263c17ae829c62a8cce163335c6151376c2dc6c6cda2a859132

Download Submit
\Windows\SysWOW64\Oeeecekc.exe

Filesize
243KB

MD5
8913c2ac150f3deb53f37beb6a9e93e5

SHA1
9fbca9732833d731e8a3ca2b9e616df80fb0e03f

SHA256
f22ea55dc1f5502401d3aa9ef51fa25458b5b2698c5be0e42e998c371719ce06

SHA512
0956e2154cb7409a12ad23bea0e8bda852a0b6c69b17b13b0a854244b1455497f5db19e526a698ac190d461c22689a0dec97e58e2d2048e5a9ac7a7c87e60b03

Download Submit
\Windows\SysWOW64\Ohendqhd.exe

Filesize
243KB

MD5
e1dc669e2e424475c1a97013cbac1755

SHA1
6754d47c3726cc583dfeca576d8fa7a3c0e787bb

SHA256
9742a31ce563f1a29896d74c0dabadb5d51c76cb788da4bd65e2094db52e58f4

SHA512
d8628dba2f6ec1a1ac5e6497390213594609e52df9928552612ebc96b750412af6c67f86d5e75157fb84b1bee53c51daa30d2eec671dc76a719d04c8d77407ca

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
243KB

MD5
b530f0fdb79446a2f02cd0eee3579815

SHA1
a317fd8c23cd273b696c1272bd074db016eab8a7

SHA256
cac6f1867f3c5e675aaae6035b719989abd0c7a5463781d332653207f194f65e

SHA512
7db40574b564566722732002946c98282273a1d6b646a7f80706ce9e599d5d7b508deda93c68d29ed1a2f991eb8a2b3712c9aa7a0c64477857d4d265b3f1afb2

Download Submit
\Windows\SysWOW64\Olonpp32.exe

Filesize
243KB

MD5
bc4dc72d79035592569b57203adfd1e5

SHA1
89840306cc77614ea88708e8a647309fb4777e10

SHA256
6f199c260eade90d6d26235803bb6a483a4c16654cbb54732ff7e9158ae72ea4

SHA512
f56fbd22cced69e6024b658cb81ad4caba8302db2eeb276a35571f5a60e2732e775174d1e4f8b47330dfe57b84edda99652634eb5a43a26b0b41dccc4c0b6d65

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
243KB

MD5
6980499c04636c7144961459f4804ed5

SHA1
a4d86a78eb7041574efe2b9a31fc569e2cfc934c

SHA256
aa547c87dfc63803562e9c4f7eeffb4ec9c11ca98f44a39c1eb2e0362d4b0682

SHA512
b04828c79554a9e78e4da8317326330d127181917b684597732e39f141d1e85f4ec5097bff89abf2d359eca5bc0615e98266b393b54f8cf0e3115598f072c9f2

Download Submit
\Windows\SysWOW64\Pcfefmnk.exe

Filesize
243KB

MD5
fa63523c0b629b54c55b7b9d4c23d28f

SHA1
58bd80084fb26147736ddaa96a774a25ecf82f78

SHA256
e88b9bd4aa647041810ab2a7c019e3025488ffc5b8228f3c906d35fb554d6e23

SHA512
c7c88b07715ee03d59791306e4e460c8121025015e43b2a43356b994b6028ac59eba8c8af3b3c7f99060965e387a415c06c96892f8cc99587ee8907a6cefb32f

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
243KB

MD5
3dd1dbfaa5fb34012d7f655051c985bb

SHA1
8a8672352204879ff8858e66232984f68e292e0b

SHA256
04eb577e7394caa063660608b4646ce560c2ad197a6e0b6d98afe2ecb0b689df

SHA512
8080a06eb94960d2e76df9e78ad04e1cd941b3020c9ee2f61a0d8c6e7c7f93b1d9576bb56a4ad463d17006c9ff4ca280c1bc7b0fe3ec42be67047bdf759954a2

Download Submit
memory/300-448-0x00000000002D0000-0x0000000000337000-memory.dmp

Filesize
412KB

Download
memory/300-443-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/308-125-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/340-265-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/340-274-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/340-275-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/564-73-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/564-70-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/744-485-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/828-375-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/828-382-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/836-133-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/836-141-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1120-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1120-86-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1356-512-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1356-519-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1364-257-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1364-258-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/1364-245-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1608-310-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1608-318-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1608-314-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/1652-362-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1652-372-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1652-371-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1796-104-0x0000000001F80000-0x0000000001FE7000-memory.dmp

Filesize
412KB

Download
memory/1800-189-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/1800-517-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1800-176-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1800-188-0x0000000001F60000-0x0000000001FC7000-memory.dmp

Filesize
412KB

Download
memory/1812-220-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1812-231-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1812-232-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/1940-438-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1940-437-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1940-432-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1952-191-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1952-203-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/1952-204-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2120-391-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2144-52-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2188-307-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2188-306-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2188-297-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2220-360-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2220-361-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2220-355-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-514-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2224-511-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2224-174-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2224-161-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2224-169-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2236-218-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2236-219-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2236-225-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2280-449-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2348-242-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2348-243-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/2348-233-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2408-495-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2408-158-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2408-159-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2472-264-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2472-263-0x0000000000310000-0x0000000000377000-memory.dmp

Filesize
412KB

Download
memory/2484-467-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2492-496-0x00000000002E0000-0x0000000000347000-memory.dmp

Filesize
412KB

Download
memory/2492-487-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-106-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2556-458-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2556-114-0x0000000000470000-0x00000000004D7000-memory.dmp

Filesize
412KB

Download
memory/2596-34-0x0000000001FF0000-0x0000000002057000-memory.dmp

Filesize
412KB

Download
memory/2596-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2596-401-0x0000000001FF0000-0x0000000002057000-memory.dmp

Filesize
412KB

Download
memory/2684-340-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2684-330-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2684-339-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2708-329-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2708-328-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2708-319-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2716-296-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2716-292-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2728-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2728-12-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/2872-431-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2872-418-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2908-394-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2936-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2972-510-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/2972-502-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/3016-349-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3016-350-0x0000000000330000-0x0000000000397000-memory.dmp

Filesize
412KB

Download
memory/3056-287-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/3056-276-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3056-285-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/3068-468-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads