berbew | 704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
Size

63KB
MD5

c4fe4b5ffbf5d15c93a3e0e7dd3f4390
SHA1

ed31828a6cbb198a8f5856e08c52b771fb993a70
SHA256

704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1
SHA512

91e1139a9c48ecdb3c826a92c4c16b03beea584e60038f4f4967caf9747f4516a28208f1e6b022d3820f898a70470036764a1ddc435dca941bedb4f56854bc12
SSDEEP

768:03sltiHwWIBjv9H93soqQJHK+W4mOaygAlFMoeuQVIX/1H5PXXdnhg20a0kXdnh6:AQnjv9H98oq7FOnleu5zH1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohdlpa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnopjfgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cebdcmhh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnhjig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkcjjhgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfdfoala.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqfolqna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agqhik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oalpigkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjgemi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmmkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biigildg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilcol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnienqbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjkiephp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opfnne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgmpkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnienqbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhoind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhfoocaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdlncn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbfema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbfema32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgmpkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjaiac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndlba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdaqhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfcae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjpceko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhoind32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnnlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nieoal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oinbgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anjpeelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqnemp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdnkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegnol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbbdip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjnbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaofedkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkcjjhgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpknplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maeaajpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npognfpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pafcofcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinpdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkilbni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niihlkdm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3344	Mhjpceko.exe
228	Mmghklif.exe
4420	Mdaqhf32.exe
5004	Mjkiephp.exe
1176	Maeaajpl.exe
4572	Mhoind32.exe
3500	Nipffmmg.exe
4952	Npjnbg32.exe
4448	Nfdfoala.exe
3988	Nmnnlk32.exe
1532	Nplkhf32.exe
2420	Nieoal32.exe
2288	Npognfpo.exe
4864	Nhfoocaa.exe
4236	Niglfl32.exe
4656	Niihlkdm.exe
1648	Ogmiepcf.exe
2728	Opfnne32.exe
3240	Oinbgk32.exe
3080	Oiqomj32.exe
3688	Ohaokbfd.exe
996	Oickbjmb.exe
1976	Oajccgmd.exe
3516	Ohdlpa32.exe
4244	Oiehhjjp.exe
4896	Oalpigkb.exe
1956	Pdklebje.exe
4020	Pjgemi32.exe
336	Ppamjcpj.exe
1140	Pdofpb32.exe
2688	Pnhjig32.exe
4060	Pklkbl32.exe
1924	Pafcofcg.exe
4068	Pgbkgmao.exe
492	Qnopjfgi.exe
3144	Qhddgofo.exe
2884	Qjeaog32.exe
4424	Adkelplc.exe
4248	Akenij32.exe
4616	Aaofedkl.exe
1372	Akgjnj32.exe
8	Aqdbfa32.exe
972	Agnkck32.exe
1216	Aqfolqna.exe
2640	Agqhik32.exe
1516	Anjpeelk.exe
4304	Ahpdcn32.exe
324	Anmmkd32.exe
5096	Bdgehobe.exe
660	Bjcmpepm.exe
1320	Bqnemp32.exe
1484	Bkcjjhgp.exe
4988	Bbmbgb32.exe
1488	Bdlncn32.exe
1736	Bgjjoi32.exe
1848	Bbpolb32.exe
1556	Bdnkhn32.exe
3736	Biigildg.exe
5008	Bnfoac32.exe
2840	Bilcol32.exe
4708	Cnhlgc32.exe
4356	Cebdcmhh.exe
1616	Cinpdl32.exe
4388	Cnkilbni.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oinbgk32.exe	Opfnne32.exe
File created	C:\Windows\SysWOW64\Egheil32.dll	Bdgehobe.exe
File created	C:\Windows\SysWOW64\Dbbdip32.exe	Dgmpkg32.exe
File created	C:\Windows\SysWOW64\Deqqek32.exe	Dbbdip32.exe
File created	C:\Windows\SysWOW64\Mhjpceko.exe	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
File created	C:\Windows\SysWOW64\Jjqakeon.dll	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Pafcofcg.exe	Pklkbl32.exe
File created	C:\Windows\SysWOW64\Dccjlblm.dll	Ahpdcn32.exe
File created	C:\Windows\SysWOW64\Jabajbcd.dll	Anmmkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dilmeida.exe	Deqqek32.exe
File opened for modification	C:\Windows\SysWOW64\Enpknplq.exe	Dhfcae32.exe
File created	C:\Windows\SysWOW64\Npognfpo.exe	Nieoal32.exe
File created	C:\Windows\SysWOW64\Affgmbdd.dll	Pdklebje.exe
File opened for modification	C:\Windows\SysWOW64\Bdgehobe.exe	Anmmkd32.exe
File created	C:\Windows\SysWOW64\Nopkoobi.dll	Deejpjgc.exe
File opened for modification	C:\Windows\SysWOW64\Maeaajpl.exe	Mjkiephp.exe
File created	C:\Windows\SysWOW64\Ahpdcn32.exe	Anjpeelk.exe
File opened for modification	C:\Windows\SysWOW64\Nieoal32.exe	Nplkhf32.exe
File created	C:\Windows\SysWOW64\Haapme32.dll	Agqhik32.exe
File created	C:\Windows\SysWOW64\Dgmpkg32.exe	Dndlba32.exe
File opened for modification	C:\Windows\SysWOW64\Niglfl32.exe	Nhfoocaa.exe
File opened for modification	C:\Windows\SysWOW64\Ppamjcpj.exe	Pjgemi32.exe
File opened for modification	C:\Windows\SysWOW64\Agnkck32.exe	Aqdbfa32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkilbni.exe	Cinpdl32.exe
File created	C:\Windows\SysWOW64\Cjaiac32.exe	Cbfema32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnnlk32.exe	Nfdfoala.exe
File created	C:\Windows\SysWOW64\Ogmiepcf.exe	Niihlkdm.exe
File created	C:\Windows\SysWOW64\Ppamjcpj.exe	Pjgemi32.exe
File created	C:\Windows\SysWOW64\Njiccd32.dll	Ppamjcpj.exe
File created	C:\Windows\SysWOW64\Ahafcp32.dll	Aaofedkl.exe
File created	C:\Windows\SysWOW64\Bdnkhn32.exe	Bbpolb32.exe
File created	C:\Windows\SysWOW64\Foadqnoo.dll	Bnfoac32.exe
File created	C:\Windows\SysWOW64\Cgnqqq32.dll	Cebdcmhh.exe
File created	C:\Windows\SysWOW64\Dndlba32.exe	Cbnknpqj.exe
File created	C:\Windows\SysWOW64\Dlmegd32.exe	Dnienqbi.exe
File created	C:\Windows\SysWOW64\Bfffkmlb.dll	Mjkiephp.exe
File opened for modification	C:\Windows\SysWOW64\Cjaiac32.exe	Cbfema32.exe
File created	C:\Windows\SysWOW64\Edcijq32.dll	Dnienqbi.exe
File created	C:\Windows\SysWOW64\Nfdfoala.exe	Npjnbg32.exe
File created	C:\Windows\SysWOW64\Oigdefgf.dll	Qnopjfgi.exe
File opened for modification	C:\Windows\SysWOW64\Bdnkhn32.exe	Bbpolb32.exe
File created	C:\Windows\SysWOW64\Dnienqbi.exe	Dilmeida.exe
File created	C:\Windows\SysWOW64\Enpknplq.exe	Dhfcae32.exe
File created	C:\Windows\SysWOW64\Igehifaa.dll	Nfdfoala.exe
File created	C:\Windows\SysWOW64\Opfnne32.exe	Ogmiepcf.exe
File opened for modification	C:\Windows\SysWOW64\Oinbgk32.exe	Opfnne32.exe
File opened for modification	C:\Windows\SysWOW64\Biigildg.exe	Bdnkhn32.exe
File created	C:\Windows\SysWOW64\Qfckpa32.dll	Bilcol32.exe
File opened for modification	C:\Windows\SysWOW64\Opfnne32.exe	Ogmiepcf.exe
File created	C:\Windows\SysWOW64\Lkkgqn32.dll	Oinbgk32.exe
File opened for modification	C:\Windows\SysWOW64\Bqnemp32.exe	Bjcmpepm.exe
File created	C:\Windows\SysWOW64\Jnbecgdc.dll	Cbfema32.exe
File created	C:\Windows\SysWOW64\Gfjofpjj.dll	Ogmiepcf.exe
File opened for modification	C:\Windows\SysWOW64\Ohaokbfd.exe	Oiqomj32.exe
File opened for modification	C:\Windows\SysWOW64\Aaofedkl.exe	Akenij32.exe
File opened for modification	C:\Windows\SysWOW64\Oiehhjjp.exe	Ohdlpa32.exe
File created	C:\Windows\SysWOW64\Oalpigkb.exe	Oiehhjjp.exe
File created	C:\Windows\SysWOW64\Lokceimi.dll	Bkcjjhgp.exe
File created	C:\Windows\SysWOW64\Hmijkj32.dll	Cinpdl32.exe
File created	C:\Windows\SysWOW64\Dhfcae32.exe	Djbbhafj.exe
File created	C:\Windows\SysWOW64\Bfgkjnai.dll	Nieoal32.exe
File created	C:\Windows\SysWOW64\Ohdlpa32.exe	Oajccgmd.exe
File opened for modification	C:\Windows\SysWOW64\Bgjjoi32.exe	Bdlncn32.exe
File created	C:\Windows\SysWOW64\Jmjkhghe.dll	Cjaiac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5620	5448	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjpceko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilcol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlmegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgmpkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnnlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niihlkdm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agnkck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjcmpepm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deejpjgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkelplc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqnemp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhlgc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkilbni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eieplhlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eldlhckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohdlpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biigildg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfoac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjaiac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbnknpqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deqqek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oickbjmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhddgofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbpolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmghklif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maeaajpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhoind32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhfoocaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmiepcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgemi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbgndoho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaofedkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agqhik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oajccgmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oalpigkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdofpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafcofcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnopjfgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjeaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlncn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdnkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdklebje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahpdcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbknhqbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiqomj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiehhjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djbbhafj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enpknplq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppamjcpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnhjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akenij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cebdcmhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbfema32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfcae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdaqhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niglfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pklkbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfolqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgjjoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegnol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkgqn32.dll"	Oinbgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdii32.dll"	Ohdlpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjqakeon.dll"	Npjnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdiaha32.dll"	Pdofpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akenij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmbgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnienqbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djbbhafj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olikhnjp.dll"	Oalpigkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpefcna.dll"	Qjeaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkofdlq.dll"	Aqdbfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqnemp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgbkgmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbbjg32.dll"	Anjpeelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbknhqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoflodqh.dll"	Dgmpkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjeaog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maeaajpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidimpef.dll"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbpolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biigildg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foadqnoo.dll"	Bnfoac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbfema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjaiac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjicplp.dll"	Pafcofcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegnol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplkhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oalpigkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnopjfgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkonk32.dll"	Aqfolqna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgjjoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enpknplq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgeph32.dll"	Npognfpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niglfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohaokbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbgndoho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nieoal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhfoocaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pklkbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agnkck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onccdj32.dll"	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbjeeion.dll"	Enpknplq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nipffmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npognfpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oajccgmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjgemi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qhddgofo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinpdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akgjnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdlncn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjaiac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbgndoho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affgmbdd.dll"	Pdklebje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfcae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkilbni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjjjj32.dll"	Dlmegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfloio32.dll"	Oiehhjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppamjcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnglpdin.dll"	Akenij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3344	4608	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe	91
PID 4608 wrote to memory of 3344	4608	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe	91
PID 4608 wrote to memory of 3344	4608	704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe	91
PID 3344 wrote to memory of 228	3344	Mhjpceko.exe	92
PID 3344 wrote to memory of 228	3344	Mhjpceko.exe	92
PID 3344 wrote to memory of 228	3344	Mhjpceko.exe	92
PID 228 wrote to memory of 4420	228	Mmghklif.exe	93
PID 228 wrote to memory of 4420	228	Mmghklif.exe	93
PID 228 wrote to memory of 4420	228	Mmghklif.exe	93
PID 4420 wrote to memory of 5004	4420	Mdaqhf32.exe	94
PID 4420 wrote to memory of 5004	4420	Mdaqhf32.exe	94
PID 4420 wrote to memory of 5004	4420	Mdaqhf32.exe	94
PID 5004 wrote to memory of 1176	5004	Mjkiephp.exe	95
PID 5004 wrote to memory of 1176	5004	Mjkiephp.exe	95
PID 5004 wrote to memory of 1176	5004	Mjkiephp.exe	95
PID 1176 wrote to memory of 4572	1176	Maeaajpl.exe	96
PID 1176 wrote to memory of 4572	1176	Maeaajpl.exe	96
PID 1176 wrote to memory of 4572	1176	Maeaajpl.exe	96
PID 4572 wrote to memory of 3500	4572	Mhoind32.exe	97
PID 4572 wrote to memory of 3500	4572	Mhoind32.exe	97
PID 4572 wrote to memory of 3500	4572	Mhoind32.exe	97
PID 3500 wrote to memory of 4952	3500	Nipffmmg.exe	98
PID 3500 wrote to memory of 4952	3500	Nipffmmg.exe	98
PID 3500 wrote to memory of 4952	3500	Nipffmmg.exe	98
PID 4952 wrote to memory of 4448	4952	Npjnbg32.exe	99
PID 4952 wrote to memory of 4448	4952	Npjnbg32.exe	99
PID 4952 wrote to memory of 4448	4952	Npjnbg32.exe	99
PID 4448 wrote to memory of 3988	4448	Nfdfoala.exe	100
PID 4448 wrote to memory of 3988	4448	Nfdfoala.exe	100
PID 4448 wrote to memory of 3988	4448	Nfdfoala.exe	100
PID 3988 wrote to memory of 1532	3988	Nmnnlk32.exe	101
PID 3988 wrote to memory of 1532	3988	Nmnnlk32.exe	101
PID 3988 wrote to memory of 1532	3988	Nmnnlk32.exe	101
PID 1532 wrote to memory of 2420	1532	Nplkhf32.exe	102
PID 1532 wrote to memory of 2420	1532	Nplkhf32.exe	102
PID 1532 wrote to memory of 2420	1532	Nplkhf32.exe	102
PID 2420 wrote to memory of 2288	2420	Nieoal32.exe	103
PID 2420 wrote to memory of 2288	2420	Nieoal32.exe	103
PID 2420 wrote to memory of 2288	2420	Nieoal32.exe	103
PID 2288 wrote to memory of 4864	2288	Npognfpo.exe	104
PID 2288 wrote to memory of 4864	2288	Npognfpo.exe	104
PID 2288 wrote to memory of 4864	2288	Npognfpo.exe	104
PID 4864 wrote to memory of 4236	4864	Nhfoocaa.exe	105
PID 4864 wrote to memory of 4236	4864	Nhfoocaa.exe	105
PID 4864 wrote to memory of 4236	4864	Nhfoocaa.exe	105
PID 4236 wrote to memory of 4656	4236	Niglfl32.exe	106
PID 4236 wrote to memory of 4656	4236	Niglfl32.exe	106
PID 4236 wrote to memory of 4656	4236	Niglfl32.exe	106
PID 4656 wrote to memory of 1648	4656	Niihlkdm.exe	107
PID 4656 wrote to memory of 1648	4656	Niihlkdm.exe	107
PID 4656 wrote to memory of 1648	4656	Niihlkdm.exe	107
PID 1648 wrote to memory of 2728	1648	Ogmiepcf.exe	108
PID 1648 wrote to memory of 2728	1648	Ogmiepcf.exe	108
PID 1648 wrote to memory of 2728	1648	Ogmiepcf.exe	108
PID 2728 wrote to memory of 3240	2728	Opfnne32.exe	109
PID 2728 wrote to memory of 3240	2728	Opfnne32.exe	109
PID 2728 wrote to memory of 3240	2728	Opfnne32.exe	109
PID 3240 wrote to memory of 3080	3240	Oinbgk32.exe	110
PID 3240 wrote to memory of 3080	3240	Oinbgk32.exe	110
PID 3240 wrote to memory of 3080	3240	Oinbgk32.exe	110
PID 3080 wrote to memory of 3688	3080	Oiqomj32.exe	111
PID 3080 wrote to memory of 3688	3080	Oiqomj32.exe	111
PID 3080 wrote to memory of 3688	3080	Oiqomj32.exe	111
PID 3688 wrote to memory of 996	3688	Ohaokbfd.exe	112

C:\Users\Admin\AppData\Local\Temp\704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe
"C:\Users\Admin\AppData\Local\Temp\704c73b69cf6d935bccee34ad1970aeea99cd610a6c847b8738c6fade8bfb2d1N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\Mhjpceko.exe
  C:\Windows\system32\Mhjpceko.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Mmghklif.exe
    C:\Windows\system32\Mmghklif.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\Mdaqhf32.exe
      C:\Windows\system32\Mdaqhf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Mjkiephp.exe
        
        C:\Windows\system32\Mjkiephp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
      - C:\Windows\SysWOW64\Maeaajpl.exe
        
        C:\Windows\system32\Maeaajpl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Mhoind32.exe
        
        C:\Windows\system32\Mhoind32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nipffmmg.exe
        
        C:\Windows\system32\Nipffmmg.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Npjnbg32.exe
        
        C:\Windows\system32\Npjnbg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nfdfoala.exe
        
        C:\Windows\system32\Nfdfoala.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Nmnnlk32.exe
        
        C:\Windows\system32\Nmnnlk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Nplkhf32.exe
        
        C:\Windows\system32\Nplkhf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Nieoal32.exe
        
        C:\Windows\system32\Nieoal32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Npognfpo.exe
        
        C:\Windows\system32\Npognfpo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Nhfoocaa.exe
        
        C:\Windows\system32\Nhfoocaa.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Niglfl32.exe
        
        C:\Windows\system32\Niglfl32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Niihlkdm.exe
        
        C:\Windows\system32\Niihlkdm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ogmiepcf.exe
        
        C:\Windows\system32\Ogmiepcf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Opfnne32.exe
        
        C:\Windows\system32\Opfnne32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Oinbgk32.exe
        
        C:\Windows\system32\Oinbgk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Oiqomj32.exe
        
        C:\Windows\system32\Oiqomj32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Ohaokbfd.exe
        
        C:\Windows\system32\Ohaokbfd.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Oickbjmb.exe
        
        C:\Windows\system32\Oickbjmb.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Oajccgmd.exe
        
        C:\Windows\system32\Oajccgmd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ohdlpa32.exe
        
        C:\Windows\system32\Ohdlpa32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Oiehhjjp.exe
        
        C:\Windows\system32\Oiehhjjp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Oalpigkb.exe
        
        C:\Windows\system32\Oalpigkb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Pdklebje.exe
        
        C:\Windows\system32\Pdklebje.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Pjgemi32.exe
        
        C:\Windows\system32\Pjgemi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Ppamjcpj.exe
        
        C:\Windows\system32\Ppamjcpj.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Pdofpb32.exe
        
        C:\Windows\system32\Pdofpb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Pnhjig32.exe
        
        C:\Windows\system32\Pnhjig32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Pklkbl32.exe
        
        C:\Windows\system32\Pklkbl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pafcofcg.exe
        
        C:\Windows\system32\Pafcofcg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Pgbkgmao.exe
        
        C:\Windows\system32\Pgbkgmao.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Qnopjfgi.exe
        
        C:\Windows\system32\Qnopjfgi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:492
        
        C:\Windows\SysWOW64\Qhddgofo.exe
        
        C:\Windows\system32\Qhddgofo.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Qjeaog32.exe
        
        C:\Windows\system32\Qjeaog32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Adkelplc.exe
        
        C:\Windows\system32\Adkelplc.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Akenij32.exe
        
        C:\Windows\system32\Akenij32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Aaofedkl.exe
        
        C:\Windows\system32\Aaofedkl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Akgjnj32.exe
        
        C:\Windows\system32\Akgjnj32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Aqdbfa32.exe
        
        C:\Windows\system32\Aqdbfa32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Agnkck32.exe
        
        C:\Windows\system32\Agnkck32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Aqfolqna.exe
        
        C:\Windows\system32\Aqfolqna.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Agqhik32.exe
        
        C:\Windows\system32\Agqhik32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Anjpeelk.exe
        
        C:\Windows\system32\Anjpeelk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Ahpdcn32.exe
        
        C:\Windows\system32\Ahpdcn32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Anmmkd32.exe
        
        C:\Windows\system32\Anmmkd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:324
        
        C:\Windows\SysWOW64\Bdgehobe.exe
        
        C:\Windows\system32\Bdgehobe.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Bjcmpepm.exe
        
        C:\Windows\system32\Bjcmpepm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:660
        
        C:\Windows\SysWOW64\Bqnemp32.exe
        
        C:\Windows\system32\Bqnemp32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bkcjjhgp.exe
        
        C:\Windows\system32\Bkcjjhgp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\Bbmbgb32.exe
        
        C:\Windows\system32\Bbmbgb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Bdlncn32.exe
        
        C:\Windows\system32\Bdlncn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Bgjjoi32.exe
        
        C:\Windows\system32\Bgjjoi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Bbpolb32.exe
        
        C:\Windows\system32\Bbpolb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bdnkhn32.exe
        
        C:\Windows\system32\Bdnkhn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Biigildg.exe
        
        C:\Windows\system32\Biigildg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Bnfoac32.exe
        
        C:\Windows\system32\Bnfoac32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Bilcol32.exe
        
        C:\Windows\system32\Bilcol32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\Cnhlgc32.exe
        
        C:\Windows\system32\Cnhlgc32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Cebdcmhh.exe
        
        C:\Windows\system32\Cebdcmhh.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Cinpdl32.exe
        
        C:\Windows\system32\Cinpdl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cnkilbni.exe
        
        C:\Windows\system32\Cnkilbni.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Cbfema32.exe
        
        C:\Windows\system32\Cbfema32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Cjaiac32.exe
        
        C:\Windows\system32\Cjaiac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Cegnol32.exe
        
        C:\Windows\system32\Cegnol32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Cbknhqbl.exe
        
        C:\Windows\system32\Cbknhqbl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Cbnknpqj.exe
        
        C:\Windows\system32\Cbnknpqj.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Dndlba32.exe
        
        C:\Windows\system32\Dndlba32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Dgmpkg32.exe
        
        C:\Windows\system32\Dgmpkg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Dbbdip32.exe
        
        C:\Windows\system32\Dbbdip32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Deqqek32.exe
        
        C:\Windows\system32\Deqqek32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Dilmeida.exe
        
        C:\Windows\system32\Dilmeida.exe
        75⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Dnienqbi.exe
        
        C:\Windows\system32\Dnienqbi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Dlmegd32.exe
        
        C:\Windows\system32\Dlmegd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Dbgndoho.exe
        
        C:\Windows\system32\Dbgndoho.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Deejpjgc.exe
        
        C:\Windows\system32\Deejpjgc.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Djbbhafj.exe
        
        C:\Windows\system32\Djbbhafj.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Dhfcae32.exe
        
        C:\Windows\system32\Dhfcae32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Enpknplq.exe
        
        C:\Windows\system32\Enpknplq.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Eieplhlf.exe
        
        C:\Windows\system32\Eieplhlf.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Eldlhckj.exe
        
        C:\Windows\system32\Eldlhckj.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 432
        85⤵
        Program crash
        
        PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5448 -ip 5448
1⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahpdcn32.exe

Filesize
63KB

MD5
e0e2660e037db65c77a3b6b492977bac

SHA1
50dc6a8ace9aee3e71b17114fdb7a2a3acd8caa4

SHA256
c55a42d0abcfa9427b90d88fb184cf02b303681ddd1fd58126c70e6a188a93d7

SHA512
7ae4b2d1bb86d369db19622a34557fc43c4ced62fdce28784d47970e5c57618a7dd70580e93087b016d70d67e17a5fe662e4ffc1cab21a626aa124e72c39cd6e

Download Submit
C:\Windows\SysWOW64\Akgjnj32.exe

Filesize
63KB

MD5
8eb227fab3957477f221ed88728b155b

SHA1
4bdf2204e0944317b1ede2f60de8213794a20856

SHA256
c97987ce02797efc3fde24bb459644643228a6f68ec317fafde29d1fda8137d8

SHA512
6c3597955e41ad67a6e79c4b77d10b92765c0f24e37813227369eb70af9c67423a04679791c38fcac4bde601767f78be2b07f2d4d97f7de9c636eda225e834e9

Download Submit
C:\Windows\SysWOW64\Aqfolqna.exe

Filesize
63KB

MD5
ba96dd6d8e9ce9772d3b7d9023627252

SHA1
d9d13319bb5185e210e3b5738129dc0751cf5019

SHA256
33d81adf0a93c3d4412ec50eb9fba095c23f7d5da8cd6328d26a4b991a3eb059

SHA512
6480d41f5a1eba1526d97b29dc501f71c34e33438b48846d83a8a21f3f61e6d47761ffbb782645309186244945fe94c689d2d23cdfcaa481e89f773d32f5b7be

Download Submit
C:\Windows\SysWOW64\Bgjjoi32.exe

Filesize
63KB

MD5
347368ac1d9e9cc999c87580381a8d1d

SHA1
454fc449fa9655bb43c85e2c75418c226057abd1

SHA256
a6b8fd8df97cd3aeb9925cf8bdc46fb8ad3f5704a5c148c6056389f82a25ff3a

SHA512
47235baa1d148b95b1953b64cb93eeba6f5c3c8c93da164398aa48cfa3c22b53d92710036cdfdb288a54a0fe18db985c970319b17e71dd5bfa84fcb0dac55a06

Download Submit
C:\Windows\SysWOW64\Bkcjjhgp.exe

Filesize
63KB

MD5
2db64b128a1b5b9438f04ce4dcf960ad

SHA1
44148d1c39e34305aa59c43ccf31131311689c64

SHA256
39de971a31c5660ece1088cc50d004fe390fb8afc67718f7971c74c70c0b3bde

SHA512
9a2b30af50345c86c23697170031c14da53ffdf84e6a50a252d462dc4ac8716423b840cd0390677329533f5d6918c3a6553d40344136449a8720137908309578

Download Submit
C:\Windows\SysWOW64\Bnfoac32.exe

Filesize
63KB

MD5
7fcf0a52b467dbfe3888120997f927be

SHA1
05f00ad56ffe09d7d7e7d3b4b75fee7850171e95

SHA256
ee840406170b876f07c03b49b9a0b6297453ea8198b3b1ccbb79d8081b08f205

SHA512
421f2ed75141cc038464d560ae4208e511154b7b0b6ef8a00dca4b3e4c19fd6917ecbd1fcd1b61567fec59147697bc24b8e4529671be643b667eeaebe5ed9e75

Download Submit
C:\Windows\SysWOW64\Cegnol32.exe

Filesize
63KB

MD5
2584b261572f534cdadb56a4802fc0c3

SHA1
7542600db22f8e508248dec9d8b767d472aa0015

SHA256
9945c0629056e6acfc29b001d701fc1468ba8ee0b7e52117adbe09f6d07d93bf

SHA512
033d9c49f69a6e726cf81134818b576d63965d2eccdc6c00494e590ba566e428923ebd32e3696519bb9228ec791b554b2c5beb3b186ce7fba525b9fbdec220a2

Download Submit
C:\Windows\SysWOW64\Deejpjgc.exe

Filesize
63KB

MD5
faed7b9df035494a5f187444796682e3

SHA1
7a5b1a2b21544470df05cac550c8a0478eefcd5a

SHA256
9d102a41a18996aed63befd21113772e7887ca9dbb74f9cc71529a7619e57780

SHA512
4190ebaa9a0271f317ef6d0325768cea791607a00c8f574c2cc1c959f4c87a8c8eeab626a778406a3c31c7fd0b676562849fde3daaa6f392ea543225c67a448f

Download Submit
C:\Windows\SysWOW64\Dilmeida.exe

Filesize
63KB

MD5
eb95d377ac73a9ef80e72818bf3ade9b

SHA1
ae79b5dabec23b1ea63ec83857d5f48503e7348b

SHA256
340dadc8d588906a933bc7193fa5154d0ff7c7b569eb0881c48c0fc799479d55

SHA512
930a0515c12b9728d751fd889a6e5bfecc89e5a00b573e54b73238f6a47150f1861a62638ccc6c0cff6c63aa06ac3e35c04da3e740cda7ab1c9c3df3add95a08

Download Submit
C:\Windows\SysWOW64\Dlmegd32.exe

Filesize
63KB

MD5
d5ebcef1e6916a80ce5493f6a16d9065

SHA1
da5b1fdff049189c906c7375fcbd3c32aeaa1e7e

SHA256
abfa2179fa3569ba87b7ce65a11b88e1dd790d5b721ee638d1547c5dc3d71ab5

SHA512
b2c18ee7eeeb2a34a030cb26f8f1f4699bfbfffcfa61b7c0e2c2d3337bc5f4941e36e049188263c84f0e20365eabde9ad492748071e436819ca5414be17fc8cb

Download Submit
C:\Windows\SysWOW64\Maeaajpl.exe

Filesize
63KB

MD5
44414cb29063b4ab65aa75964964bfce

SHA1
5e0bd5339085c78ee5a5bbade0cec8b03d950e5b

SHA256
fc80c0b468c19ec8770e1fdbc97a3b955594e4d16506fca83d11bf76bf3021fe

SHA512
1814d8ed2daa0af72695594e40c8dd2c21dfa18c08f8e60f756ccc4424cdad15b2a8d1a9c9dca981d3d111be96550e4fc1e31fd587d1c7fd90741b7d3a37f546

Download Submit
C:\Windows\SysWOW64\Mdaqhf32.exe

Filesize
63KB

MD5
df9933918427378f53a64b94c7c5bfe3

SHA1
ab313f5462f0deb296670ebbf8c6f89c55c7c9c3

SHA256
c22de6640b11df5030ca09261bfb890636fe5a12a19a48f33fccf6ae4fb7031c

SHA512
12d7ede73cb24336999f59bc7e9dccd76dcfad7a476725f57c6a249501afaa7c65485243571f34fe0c8402d0fc03970f4939d52f5005885e35b004c0d4f6b43c

Download Submit
C:\Windows\SysWOW64\Mhjpceko.exe

Filesize
63KB

MD5
532b36959af2aedc16c9b27deb0c4bd9

SHA1
52260e1ad5ce823aba51b5162d0f966cc72ec54a

SHA256
f091c5e0487389c1b17bd88dcb14d0669069293ed5885832b7da8dc127a34d03

SHA512
90be8aa69f698ef2b6acb96db2b66a7942891930cf7af6f9c72e6f126f8910985161c2da30ece72f9e9a8f4722da85c7a43b5824795261dbf24cc1aea4fdbf68

Download Submit
C:\Windows\SysWOW64\Mhoind32.exe

Filesize
63KB

MD5
3dcf99e42b30b97807cb41bc6997e12e

SHA1
c4557a455c948886a478076cf5c5d8b4568c085e

SHA256
c6eba3cbca7b755fb44823165bd30c17ed47567577600603657ce1675ad62d2a

SHA512
c0319c7149661bd94ded330d9a30aa57696b19e3d41454d920997293e06171e36ece2ba4bf83ee8f1754f9ea8fba06d151c8670bbda4fdb9649b1e2c57ac24af

Download Submit
C:\Windows\SysWOW64\Mjkiephp.exe

Filesize
63KB

MD5
a42f62b4df24221bc8f9cc7ff63461af

SHA1
8b9124ee501af100d6dfc45594cae9901ccd2e03

SHA256
a0c0da04de258299961be9c3f780feafe5194670eea279e563b4375b6ffe91bf

SHA512
64bddd08d5a94ed988d78e2901d5a2926c3261b53ba675f25caf144f1a1781939df51363ed83bda979464e339bcf88ad9f643789629f433271965e0e6b100bd5

Download Submit
C:\Windows\SysWOW64\Mmghklif.exe

Filesize
63KB

MD5
7b07e60b4f538c018e1c9f245291b73d

SHA1
fe433deb114bd3fe149815495b44513857a44173

SHA256
0374415fde41b99f51d3db96dedd207d0d74a3bbc0743f58a3cfdf7e029dedb9

SHA512
c24b0433ab5e8431609f991b5d0895719c6c35481705010ceb5ce38eb0ed851b0efca3f5a238eaa5211b11bd427f3a87f1b7aa73230ad523cae3e643de72c1e4

Download Submit
C:\Windows\SysWOW64\Nfdfoala.exe

Filesize
63KB

MD5
45b918bb9b752e377f7f9de5ec8dbff1

SHA1
0a6e07e1560d55ea9f397b401fe7d02cce8cb1d4

SHA256
80c67922377cd824d06a7e0ea8505a10ba5e784035cc7789f88947458d965b87

SHA512
b68d7f18326d45ea92ab26678992ac054a1f4c102856634c6b9f4057365ffa9d1ffa2b3e98508d60e271f53df48599930e6ea8f25f840270b890cd726bd6f16b

Download Submit
C:\Windows\SysWOW64\Nhfoocaa.exe

Filesize
63KB

MD5
ba61e9b07fd2fd663580cd6307ec34d9

SHA1
f4283d8f514357dfd576c3281774eaedfab958e1

SHA256
90b590d38c19f59790991046e436bf3d3af023cb9346201189e44c39a5095d89

SHA512
c77360b0c31d7c54ca9328e1e1100d217f3b6368fde006830821fccc738eb0ffee81e0f18b0f7e1be440231cbbdbdaafc7cda848d8c4e234ca1565227f6e9b96

Download Submit
C:\Windows\SysWOW64\Nieoal32.exe

Filesize
63KB

MD5
2d663cc1f708f60978d5fcecb87bae5d

SHA1
49c266d5002ee5b2a4daddba334d9e8342b693f5

SHA256
98861e2abe72860496474199afcbe5b3c91f47a5de70c63b278033c9e570746e

SHA512
2f9db708cea18b4b568604fdd2c89426de5b35560a2895461ca8b85af536e69a399e3b54e21364813854690f66becd8d302b92878f10949854a0d8a1c33c8b2a

Download Submit
C:\Windows\SysWOW64\Niglfl32.exe

Filesize
63KB

MD5
4d438207d84c569712a5786028b3f461

SHA1
483583a9678c89967e58980c7e3959fa7d619484

SHA256
fa5d912d5ff6c827ef66ee6ba58451357f6474f19649fe7b0c6f9efb6e30732b

SHA512
28204341268a4f5f2dc2150ec9e5f0a44c56aeaa82a25d5c3b4ec778f0db4d528335467e07e4b01959995b4e605a42b514b27c5ea1e19763a7967e7c4d1c5269

Download Submit
C:\Windows\SysWOW64\Niihlkdm.exe

Filesize
63KB

MD5
32876dcee2e26ec5c4e27be8d6cce5cd

SHA1
a24aec531bacff9df44ffc44a0acb02fe2d1d749

SHA256
b78da5dd77f1c3e0cd31ca96c23f623bee882a65181b0d26a2f10a31c389aad8

SHA512
2d23e6fd01f47069a8bcc787feb3dec2702b3c2454cbaefd0d3828cf12b199d41a9713c78518f0f1ef22fa42846d6f2a318903c965b3cb1fc89a7b744c89b24b

Download Submit
C:\Windows\SysWOW64\Nipffmmg.exe

Filesize
63KB

MD5
c92501449fed041e54896625d60c26d8

SHA1
518001e4332ef21b08827b2d63acc85dea0d2cde

SHA256
57c595bcc7ed3cf4d59b60f128bce8cb46878973ac356bc7a0206fc7f9620943

SHA512
0c05fd5bf4b4962d6fcb837b43bde6a14d7fa491a8f72400b4617a7b109c90698c26eed5ff48cedd5661d219e158451da1091478c0b176c47e69bcc273314985

Download Submit
C:\Windows\SysWOW64\Nmnnlk32.exe

Filesize
63KB

MD5
1247eb860345baa96875dfb7e9447b6c

SHA1
960333740607ebbdd929ad0ca282314b1cbf5215

SHA256
1f240032624cfaa3a354bbfd0d2db66cb1e1328d71c1ffc073e69d4b208dfeba

SHA512
149110a6da20feb334aa911125b9acc2c349db0f9a3e5f7cc43aa9a4175a48a8b3047301715a88b14b50adce302edd26cdd2626a295132cc3ff8c48f55ba0195

Download Submit
C:\Windows\SysWOW64\Npjnbg32.exe

Filesize
63KB

MD5
2d2dd933b0ace2b23a4b4683c17eef24

SHA1
487a3aa6bd2fb38e8850a1c2a1a30bf828599c8c

SHA256
6f28b3be7cb85345f743198958e21042b60ff0a9823cdc56e9b5e1de44dab7be

SHA512
553c3665c32c1176b89dce44dbed8edeaab9f65e5f24de29681664054316a08f64995e477474b70b9d661c78e0bcf0ae257847b8998bb45d6637b5e6b2e68ef3

Download Submit
C:\Windows\SysWOW64\Nplkhf32.exe

Filesize
63KB

MD5
27eddfd19e808845a140e3b4203d312b

SHA1
ca3a2eecd4e452d471a35a94ed7bb7a9cb97fcbe

SHA256
51605b2e3b8a3e1c456c4f82906f83461b424d2de6fe5fd08f5a0796bf5a430f

SHA512
96f254408a83ce7dc30397dc7971c903311a6ecf0cfeb42ba49311fee382bd62b7021430e68047a57ab9dff47fd9056ab0ae16df47a0a01193b7a2e375c41bed

Download Submit
C:\Windows\SysWOW64\Npognfpo.exe

Filesize
63KB

MD5
6cf5909bedfcbec40d96d0a177d36f46

SHA1
2ce050df070f6f433145199d280c38cecea117bd

SHA256
88817b5b58d3321d9e027e435afa14002505ac4d168d70fc7603644395dec00e

SHA512
2bd20f301394327b0bd118a6e4048d5a034f7106286116b643c94b2d461baf192f3ce891f49b628ccc7355049f4c5a2be5522c86a5a859c11df8c200c60fece0

Download Submit
C:\Windows\SysWOW64\Oajccgmd.exe

Filesize
63KB

MD5
ec8a7463741471f623d67e9f14901035

SHA1
43ed952cf1e9fd6a2117969d660adc6f320f67b5

SHA256
22d309f1fc888d72e4d1fbdb28b6959405b7ddbd9a7a3d60b386134190a8abc3

SHA512
0772de558bad36ede3949d0825268d80d893634546e072132fb41539c09b77e23d977a1625a21a6483bf5a7d147f44e4d40b2ccc0c1176a9f3dfcb4ad75406c0

Download Submit
C:\Windows\SysWOW64\Oalpigkb.exe

Filesize
63KB

MD5
77713f5ea5f6cfe68db080b8285ebbc5

SHA1
4955a590cb2136dc5f0f0f7af3444d24ba1b5cf6

SHA256
2db2e5fde8ff85f6ee2180dac27410d942b89e04b4a0d66e8051507e99837a9e

SHA512
b700858d52264cac31b951b6b119da7ea57d7b456412af482f7bf58440134142a14855b345c7a2c307683862058582a695f938e7b6ab8b57efa4f01a02214a9a

Download Submit
C:\Windows\SysWOW64\Ogmiepcf.exe

Filesize
63KB

MD5
0202a3acd89d007cef5834f3b45e07e3

SHA1
3a013820999e8780cfde0d5d8dc67fe23342c802

SHA256
bd9af20e677a7c5876c3c4db3ef29baaefc6a18870f7214c69eb8f7879899ed0

SHA512
9962404d54bdeb595feb85fa5daef554691bda8b1e33803c473509cbe2d8a5fbd7fdaf9fb37c75b605d590fb6fd787dde09f1abef7da15f01d95697657ee13a1

Download Submit
C:\Windows\SysWOW64\Ohaokbfd.exe

Filesize
63KB

MD5
2ff82cdfda25a2a56980674450ecac06

SHA1
af69234fbff938550bb499d3b15101ec25ff470c

SHA256
13c181aa8512f4f281ee906f61fbeeabd5e7077a7e9a2e6c2c0f6fd75c3b037a

SHA512
80e490cce4e039c927a62a1b7b51b72427902226f65fdc78d3434db9e01dfd754d55d386e10a4d9dc8258f522261532a196eb58d52caad6cdcea5c770d93e2c5

Download Submit
C:\Windows\SysWOW64\Ohdlpa32.exe

Filesize
63KB

MD5
f2d2c388779cbcbefd975ebb8ce4ca3d

SHA1
4dae0592d32a2cc3ade039fd6db74c61da224d2c

SHA256
686c1a6d3d5d0481024891be5ee5f0a82f3141e8378800d429b71b7811890bd2

SHA512
fd1af609b6eac8664196ed8ad308463035435b40952de7df7da59c8ed3b2b8d67dc2c09c9a411f55da51dbefd00cbaff4f83d5932681e00c87b2031000e88596

Download Submit
C:\Windows\SysWOW64\Oickbjmb.exe

Filesize
63KB

MD5
b9e877a6d29fd79637f92f30b5263b31

SHA1
d5da31c365f8d37044dff9616cc4c0bfb3aac875

SHA256
f97c75a980ebbe00370f7aa37fe9cebb523ad08441fc5e0b470317f677203ea7

SHA512
097670b08b3e9881e67fbcb3da2f84c1d2b74f9f33edb0a84cbfd320eddbade26c5d4cb63a5a36fee3cb9ef419dd73a10a3a804c046f03c54695acc412698d04

Download Submit
C:\Windows\SysWOW64\Oiehhjjp.exe

Filesize
63KB

MD5
1e0d395ebae3801f5193b25362265f2b

SHA1
b9cdc6d337fc42c22f6efb3847e99b7a9ce81f9f

SHA256
d159f51a4d8df67d8b3478fea598e6244771cdcdb7b2927f3a29c6427817ffa0

SHA512
cd1bef55bd434288bb2c14cf43237bba30b6bc0cf6a875ee9ba7bc893b6a1d79f6f6e5599889b81eba18363a0906a1022bdfeba59f96e17661df0285c542ad77

Download Submit
C:\Windows\SysWOW64\Oinbgk32.exe

Filesize
63KB

MD5
10c979ee9501b4a6b76e26ef8e3eaf8c

SHA1
16d514c249504f4100d336305cb457f2d6059e38

SHA256
4566118243536a73c19b3a31e57ade28d9954f56f922bcfcd937e17168d71fcd

SHA512
8cc46096bbc25111617e7379eeda04941c12103343d0be4024a8f9a7087602a4e08a94919bb8a929265087ca66580e8d17dedc222fc22bd03d86292cdb576c5f

Download Submit
C:\Windows\SysWOW64\Oiqomj32.exe

Filesize
63KB

MD5
ca641ca273ef73eee2e211dd43d30bbe

SHA1
6838f24952679c12d1c592ab790357a77d0903d2

SHA256
e01b3be51b4c2b19e53ad561d16025356e1effaf4391cad0dc22d5f46bcbee36

SHA512
1408df04bb78f0ad0c199536c42bca3667316f56fbd8d7300c11241904f6def80048bcd7a457743de4f9f8faa2126856b20029c8d0559f1c9bed225a0d28a3cc

Download Submit
C:\Windows\SysWOW64\Opfnne32.exe

Filesize
63KB

MD5
fac66b8ed89d379238937e94373eff05

SHA1
c742cff81c7685bb64d95ff5f049a9aab59f914e

SHA256
6e1fe50f2619f6c70236d9675fa9734225d5a2a78413dfbf536fc9aa4211d252

SHA512
dc509ab3e80a0dc7349805df93f6848fa9b9f2bdf4f0bebd7e36efa6aa9b0bc76a835eaac25025fd12cfb237e27213a72330f131cafa51217c29db17023cc732

Download Submit
C:\Windows\SysWOW64\Pdklebje.exe

Filesize
63KB

MD5
cc0612c33d5294b850ca06c6cb40978a

SHA1
ae0cf493b4ba5176e57b4413138768aef1f29f09

SHA256
02867a0e884fb796d77a6c9d705b76677b9a57af809e840177fdd3c40e239986

SHA512
3ea41bb92f52b5eb8a938d4746c9f02b8d3d27e42b9c5aec10629fef2256ee8ada0bb56273f483164878126df789d8619299e496a637bfc3793a049713e8cba5

Download Submit
C:\Windows\SysWOW64\Pdofpb32.exe

Filesize
63KB

MD5
b3c9005edacaa1f40111b668af5fa1ea

SHA1
c9f418361b4e0815701e36fa242f287371b8040c

SHA256
f79ce54765b56a3c85e7f60ea4798707b0f4715d077d0a163206e75e3fe5f4a6

SHA512
1cc6d7f4f36dfe444b06b223e00871e4776f98ec137e8d2ed01871c522cde0ac2627369cfb5ecf9560ed46a282adf00b5a10c2685d0520c5ffa957a66bac1d5b

Download Submit
C:\Windows\SysWOW64\Pjgemi32.exe

Filesize
63KB

MD5
7bb538cc3352d09997cd9736410600f5

SHA1
bfcf56b6e3a138fdf17f129fdf686a91bd28d036

SHA256
fb975282ef0932a4cd2dc705e18c33681085834cd378d1ef92cfc3e5e0079525

SHA512
ddf7c11ed239e3f2a18e04dbc981d344762f5ea32b27184214a19d05bd4e2a1f687a85aa338f4cf8c0d895c4699392681e45235001e7addbfc0511bbf9efda58

Download Submit
C:\Windows\SysWOW64\Pklkbl32.exe

Filesize
63KB

MD5
bf57c0590ab0dba831ddb552905f1fbf

SHA1
66370fc2a82eb00391d0a9f83f0fec020ebbe3ed

SHA256
6cbbac5fbca366edff37310934f6bae73727696480e7f29f58a4b6a62a7e22ab

SHA512
b0ae5bfc2f193cf438f2033cb32704985b0994967ffa0d18d4b4982f235556b844d0a09cebe8ce82ed533b4ad857b573d72aafc2d4fcc5f7d9b77cdb58849290

Download Submit
C:\Windows\SysWOW64\Pnhjig32.exe

Filesize
63KB

MD5
3f7b9ec7fb66eba55bcc7b9e513a8fab

SHA1
e3e51fd1f279373b92ed937410955dd8381634a9

SHA256
d4ad89a78a9d24cb81beeef54d6f21f07b18362a9a20c6d437a76d6589e340ed

SHA512
0fe42deb48b2ed2a2cb494acd0f15e86e1e6d00cc06be98768a41839614fc8faab3c8e7680b60428357ddfb1cd600aadc7b1d19bfc388d7b01092cba6dc7f24a

Download Submit
C:\Windows\SysWOW64\Ppamjcpj.exe

Filesize
63KB

MD5
88d84a7b7c930ce8c1db05c98f994356

SHA1
638befbe4f2c00d2b1775a697a0b082e87e16335

SHA256
c2c0f06cae4bb3bccdc56c43cdaf1e15dd357fc1e71a261556b5ace40593f105

SHA512
8c35dd6cc6c6d0ef95257a0132d90ff0ea781c929784e411f35b8017086b73d3bf55c5cf574393ec3c5958c146e952bfd8846ad2c75ecce38a2ed10a844aeabe

Download Submit
memory/8-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/324-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/336-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/492-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/660-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/864-515-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/972-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/996-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1176-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1484-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1516-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1636-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1736-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1800-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1848-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1924-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1956-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2128-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2728-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2884-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2916-602-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3144-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3344-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3736-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3988-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4020-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4060-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4068-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4236-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4244-206-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4248-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4304-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4448-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4608-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4616-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-593-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4900-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4952-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5004-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5008-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5160-578-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5220-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5220-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5272-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5272-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5320-572-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5320-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5396-563-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5396-571-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5448-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5448-570-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads