berbew | 65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466b

Analysis

max time kernel
94s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe
Size

390KB
MD5

deb7088b6722f6d73d5c9073f46ab920
SHA1

ed1aa7df1a0828a80e9b56ad6bdeaa3b2ddfc335
SHA256

65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466b
SHA512

7ad88445e7bcc0f7a42c5ae786452a430e1c9c6ee41ef5cd2d4da2fd4d7992f4506f6f56fbe6084578b8574c8207772f6343598d66368c5d37b3e45cb8fb90e4
SSDEEP

3072:sV5BvFNhI6+bWQALHLQGAZzasJR/X4a+SFkVsYtTHTMT5NeVWmjjGF:szB1I6CbArLAZ26RQSFSTHAjhV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3500	Mpoefk32.exe
1220	Mgimcebb.exe
4232	Mcpnhfhf.exe
4656	Mlhbal32.exe
2904	Ngmgne32.exe
3004	Npfkgjdn.exe
3516	Njnpppkn.exe
4272	Nphhmj32.exe
3940	Njqmepik.exe
1812	Npjebj32.exe
1632	Nfgmjqop.exe
2104	Npmagine.exe
3332	Njefqo32.exe
4464	Odkjng32.exe
3632	Ogifjcdp.exe
3100	Ojgbfocc.exe
1864	Olfobjbg.exe
1192	Ocpgod32.exe
4544	Ofnckp32.exe
4816	Ojjolnaq.exe
3952	Oneklm32.exe
4236	Opdghh32.exe
3704	Ojoign32.exe
996	Oddmdf32.exe
2572	Pmoahijl.exe
2720	Pfhfan32.exe
1656	Pnakhkol.exe
3944	Pgioqq32.exe
3560	Pcppfaka.exe
4456	Pgllfp32.exe
2660	Pdpmpdbd.exe
3492	Qqfmde32.exe
5084	Qgqeappe.exe
1404	Qmmnjfnl.exe
2252	Qcgffqei.exe
1596	Ajanck32.exe
2184	Aqkgpedc.exe
968	Ageolo32.exe
3336	Ajckij32.exe
2736	Aeiofcji.exe
1440	Afjlnk32.exe
1584	Ajfhnjhq.exe
4376	Aeklkchg.exe
1172	Afmhck32.exe
2316	Andqdh32.exe
3768	Aeniabfd.exe
4364	Afoeiklb.exe
2996	Ajkaii32.exe
2240	Aadifclh.exe
1720	Accfbokl.exe
2976	Bfabnjjp.exe
936	Bmkjkd32.exe
4732	Bcebhoii.exe
1924	Bfdodjhm.exe
4872	Bmngqdpj.exe
1368	Bchomn32.exe
2420	Bffkij32.exe
3220	Bmpcfdmg.exe
816	Beglgani.exe
772	Bfhhoi32.exe
3668	Bnpppgdj.exe
400	Bclhhnca.exe
868	Bjfaeh32.exe
4148	Bmemac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nfgmjqop.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	Mgimcebb.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Mcpnhfhf.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Njefqo32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1396	3504	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3500	4856	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe	82
PID 4856 wrote to memory of 3500	4856	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe	82
PID 4856 wrote to memory of 3500	4856	65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe	82
PID 3500 wrote to memory of 1220	3500	Mpoefk32.exe	83
PID 3500 wrote to memory of 1220	3500	Mpoefk32.exe	83
PID 3500 wrote to memory of 1220	3500	Mpoefk32.exe	83
PID 1220 wrote to memory of 4232	1220	Mgimcebb.exe	84
PID 1220 wrote to memory of 4232	1220	Mgimcebb.exe	84
PID 1220 wrote to memory of 4232	1220	Mgimcebb.exe	84
PID 4232 wrote to memory of 4656	4232	Mcpnhfhf.exe	85
PID 4232 wrote to memory of 4656	4232	Mcpnhfhf.exe	85
PID 4232 wrote to memory of 4656	4232	Mcpnhfhf.exe	85
PID 4656 wrote to memory of 2904	4656	Mlhbal32.exe	86
PID 4656 wrote to memory of 2904	4656	Mlhbal32.exe	86
PID 4656 wrote to memory of 2904	4656	Mlhbal32.exe	86
PID 2904 wrote to memory of 3004	2904	Ngmgne32.exe	87
PID 2904 wrote to memory of 3004	2904	Ngmgne32.exe	87
PID 2904 wrote to memory of 3004	2904	Ngmgne32.exe	87
PID 3004 wrote to memory of 3516	3004	Npfkgjdn.exe	88
PID 3004 wrote to memory of 3516	3004	Npfkgjdn.exe	88
PID 3004 wrote to memory of 3516	3004	Npfkgjdn.exe	88
PID 3516 wrote to memory of 4272	3516	Njnpppkn.exe	89
PID 3516 wrote to memory of 4272	3516	Njnpppkn.exe	89
PID 3516 wrote to memory of 4272	3516	Njnpppkn.exe	89
PID 4272 wrote to memory of 3940	4272	Nphhmj32.exe	90
PID 4272 wrote to memory of 3940	4272	Nphhmj32.exe	90
PID 4272 wrote to memory of 3940	4272	Nphhmj32.exe	90
PID 3940 wrote to memory of 1812	3940	Njqmepik.exe	91
PID 3940 wrote to memory of 1812	3940	Njqmepik.exe	91
PID 3940 wrote to memory of 1812	3940	Njqmepik.exe	91
PID 1812 wrote to memory of 1632	1812	Npjebj32.exe	92
PID 1812 wrote to memory of 1632	1812	Npjebj32.exe	92
PID 1812 wrote to memory of 1632	1812	Npjebj32.exe	92
PID 1632 wrote to memory of 2104	1632	Nfgmjqop.exe	93
PID 1632 wrote to memory of 2104	1632	Nfgmjqop.exe	93
PID 1632 wrote to memory of 2104	1632	Nfgmjqop.exe	93
PID 2104 wrote to memory of 3332	2104	Npmagine.exe	94
PID 2104 wrote to memory of 3332	2104	Npmagine.exe	94
PID 2104 wrote to memory of 3332	2104	Npmagine.exe	94
PID 3332 wrote to memory of 4464	3332	Njefqo32.exe	95
PID 3332 wrote to memory of 4464	3332	Njefqo32.exe	95
PID 3332 wrote to memory of 4464	3332	Njefqo32.exe	95
PID 4464 wrote to memory of 3632	4464	Odkjng32.exe	96
PID 4464 wrote to memory of 3632	4464	Odkjng32.exe	96
PID 4464 wrote to memory of 3632	4464	Odkjng32.exe	96
PID 3632 wrote to memory of 3100	3632	Ogifjcdp.exe	97
PID 3632 wrote to memory of 3100	3632	Ogifjcdp.exe	97
PID 3632 wrote to memory of 3100	3632	Ogifjcdp.exe	97
PID 3100 wrote to memory of 1864	3100	Ojgbfocc.exe	98
PID 3100 wrote to memory of 1864	3100	Ojgbfocc.exe	98
PID 3100 wrote to memory of 1864	3100	Ojgbfocc.exe	98
PID 1864 wrote to memory of 1192	1864	Olfobjbg.exe	99
PID 1864 wrote to memory of 1192	1864	Olfobjbg.exe	99
PID 1864 wrote to memory of 1192	1864	Olfobjbg.exe	99
PID 1192 wrote to memory of 4544	1192	Ocpgod32.exe	100
PID 1192 wrote to memory of 4544	1192	Ocpgod32.exe	100
PID 1192 wrote to memory of 4544	1192	Ocpgod32.exe	100
PID 4544 wrote to memory of 4816	4544	Ofnckp32.exe	101
PID 4544 wrote to memory of 4816	4544	Ofnckp32.exe	101
PID 4544 wrote to memory of 4816	4544	Ofnckp32.exe	101
PID 4816 wrote to memory of 3952	4816	Ojjolnaq.exe	102
PID 4816 wrote to memory of 3952	4816	Ojjolnaq.exe	102
PID 4816 wrote to memory of 3952	4816	Ojjolnaq.exe	102
PID 3952 wrote to memory of 4236	3952	Oneklm32.exe	103

C:\Users\Admin\AppData\Local\Temp\65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe
"C:\Users\Admin\AppData\Local\Temp\65fd969b354c412423a7ff0ea145ec986e5bfdaa2f4585541731787048e6466bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\Mpoefk32.exe
  C:\Windows\system32\Mpoefk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\Mgimcebb.exe
    C:\Windows\system32\Mgimcebb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\Mcpnhfhf.exe
      C:\Windows\system32\Mcpnhfhf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
      - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        67⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        74⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        82⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 212
        93⤵
        Program crash
        
        PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3504 -ip 3504
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
64KB

MD5
2560be0a6b5ef7e0cfd1b03df35ebf30

SHA1
6af94b1aece141335b9323ae75cd3dbe9e498472

SHA256
1aa5671bd88535481cae4ca7d7902b53f68cb509be48c98859f8c9a2fcf2548b

SHA512
34f412ef3aa07161083b0bdf84d05c4060015a990acaed1e4e76f6584fadf4d1611bf7b963254831d4595b85dc910890d5c666729fd3b8f06126b4ef65405034

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
320KB

MD5
f03c8d876e8783e47c9fa180e03cf17c

SHA1
1de6d282024dff0c5dc6fbb21c7315a91a8e67bd

SHA256
2ee6af4377a75000776c255014ca3ba9b1eb39a309e9565807efc005b956c7a4

SHA512
c5420785a4c12f72c2e9c59cd23c14d7e0e96b5eb0aff426a617ead5bbb428aeff138b91df27ea0166afdbf9c3e4fae210d4fc8c40dbe8054d4691c40e827829

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
390KB

MD5
5561a00d922d6c18a297fcfc34d0c599

SHA1
8dbe27d355cd37d9cecdb255b08e967ae5c7a22e

SHA256
7138efee7a3304650b5fdbcc56e2766fcf5f2d5c88e12158e25275a68e6d7802

SHA512
4c980cb72ee3e08ba432191069c1c73b5802d05d97b7ebd32ce3a8104743bb4e30bdb5e2a7d048e2efefe179bd72c5d05bc5c6f63b0e7243a9613fe51403efd1

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
390KB

MD5
1f203ed0dd4273811b620b039b07b394

SHA1
b7a875b1f559c00e5e6c3e5cd8cc2e2e0a3e5734

SHA256
b4277ebe18bef6543a9723cfbfe19504edbf8e92c16aad62aaa526088848bed4

SHA512
f88af0b2d15132a64f9b9cc764804745ac6bd08e1c1315ce816dd665e7722d001d20b86e6953bca8aa9fd9f4969e04bc7074b65148f3baf566cb835ba4d3b429

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
390KB

MD5
f8ae87d34986f4bfb44d589254b33cfa

SHA1
87490efd0a0e708bbbbdd8a3825a8da69d39e211

SHA256
968003d398f85a06149f8c4037604c354b7e62940ac803a82da93e39f8af96ef

SHA512
4d859644d71c7d7021f4759132f6cbf85ae7adc83a04ffde214e938be6c55e6171ef03aa3743d38e383e87699030bb85ed8f767b3bcccb5b18bf67765276a82c

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
390KB

MD5
68826ac4a0dd18d648b1473b5215e28e

SHA1
77f81c5e281b0bde1096e6f7b357cbd4c253a013

SHA256
0c83335f0ff3b67136de2aaa07fe26eaed858b5d201e3a6c2d8276b0580b40f7

SHA512
e5ffe713689f73d46cf4879647e5149bdd946ee10ac009a8133c7780a60d94d5a85284fd7d31e3d9e64fa7b6a811c8c319e3d769f12725c34bfaee98863f0afa

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
390KB

MD5
23cdc60a0bb85c9fa2e0f32d0fe64415

SHA1
0d73b2bb7ad8d156bb7c6d9fa5ece3169a40c173

SHA256
f87dd78d54db1847654943b25e0b4559cabd05b8402fc08c04ade3e34d7f62b7

SHA512
690b9f0b529a4c63d4649470b56c118a610e1e1e4f0d664215535f4c6d128f076b1581376c56efeab01ba2e675764b328ee61bf670271357878ac28b1c447d69

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
390KB

MD5
4c3cd0298a21cade1a62ae0e7dae0e12

SHA1
69fb09469518fe25fcad5beb3ae97946c8955019

SHA256
e59a2ea6434ad1187da446ff2f93390997719188a7cd73695381483bf5ff0c2e

SHA512
7bf7a2c4982e199638c84ef0dcd61b47baa620fc8ffb19fe3ef46f17978eb3138b30c66b94f25413adfa87d21fb7e2be6657d482cdeadfe1e9dc5f83470c0861

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
390KB

MD5
4d6c10c78ad376e2b955ae9a87929f17

SHA1
3af9dc0627d9a39dee0f7b4f7f6d6ce1cd1da15d

SHA256
b2fef062c0f3e8b4e09b321a32a09a44c0ec3e7505dcb44fde783f925d231d85

SHA512
2eecb3186f1503ac02c1305b591c38630cbfd085e2a63a620274a8cc5bf1f587191e92436a57858b960d2c5641621e9010d16d5db36e114d09a112264e87d2cc

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
390KB

MD5
f7ddd496e1fbe2cf81d2539aa3366dc0

SHA1
780a1d9bab36f3acf38fee11c89465751ccdcf45

SHA256
02e643ef22c33d2fbb0f7849f49c916644e565c6f93792828197e891e51f00ff

SHA512
fba268c1a72c1b6a882a05f18c5cf90db7e91507ce5ac149b0488982d92907795b04d39d78eee4d3102e9ce403ff95bc2b2cbb01cd46beefc4caee914e64f332

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
390KB

MD5
a92c916023ecc43aa6977cf6c3bc4051

SHA1
422aba8d71e073ae436f4b181aa898d63a14e6c3

SHA256
e2449dcde81c0f235feb4076d53331b6ebe81ce632021d3b8481001031bc9159

SHA512
68e4a3805497ebe81cd3f58f26cbc3eafc816908439f6e01f0848e6c6c846d117271b34adc17340c49fea54fe54b219bedada6429135df470a9330d317ef248c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
390KB

MD5
eb446f599f214d8044d1861ab60bbac3

SHA1
419f38b5f57f7360226abb1e23ecaf6592421b6f

SHA256
33613757b3faa0d1ba2c0f3d835785b0c4651a9f9841b772335f768f0ec4abf2

SHA512
b811dcd27c7d8101ad1dc8f8fdccd5f0fb13a7640f388cce73c89c4dbb7417ae8251b07d845cdf8b3ca66e512372877d5e23eec77034e2ea9243ec6831be21aa

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
390KB

MD5
c74dbb2da5616a51c11ee57f3850ade4

SHA1
7553453f844d62988bd6cb15e427614163927e81

SHA256
ce2dcd0fa24f10484c64af9210ddce352e018849ab5566d078c284a4f9e013ca

SHA512
4ab0caa403caf8c7c4822fdc4c747e35492e48f2a7b4d1a1aaa2f9c444b6747a577f66f2e2a8db225547aeedc4becc99e742a90c39f518c3e410926f50ab9115

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
390KB

MD5
d011390ea236dd89cd9df1a473237423

SHA1
51284b474eb4d48d75f5cf1e191387f27a25cfa4

SHA256
dada940de5a857f318348e5c677d18b79946294d2f9f6deb8bae9c7d41576904

SHA512
007e9d7c7301dc14b4f8ec6b3728a374c312f8c2039f47efb8dc3a499257b737d6624348878a984872fdf2fa560d03ab572db413bf8461bb80bfc598709af420

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
390KB

MD5
0dd8fb82f8ffd18c863ff713f7b50deb

SHA1
01a17e678faf948dcf73743dda995e7a47b3af55

SHA256
0ed20acc74c41bdf61c34cd2c620e4dce65adf2a9541a04087e3cc16ceff59d8

SHA512
7e800eba6bcf9aef0b080a7a5e58507998ffc7f571af96ff16234bbabbe068c984f3986c6e289841c942f82037b9660d7517efb7e50792f726c9e6864a894f99

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
390KB

MD5
b44b153d07399735e4ed237f9230415c

SHA1
bbed00ac473c5df39a87c6f590b241f60cb09796

SHA256
3a957aed6ce4c9fd37def5c53d5e2f1c2d2ccde40aa1228c5d7bfb170bce203a

SHA512
7ec803faf49252969139eabbfdcda86c3f4bb4c71c5e9b8c94398af9327b8cccaa8d9a3037ab4a3e6bf98ca8a67ca70236b0461800f56006e631144749f1127e

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
390KB

MD5
ebcb4eb4cfbee5088fdae0fe051a1bbf

SHA1
b404a1b580999ea2395f7f312a05a9f2fcfb5866

SHA256
5bbd05cc309d301f1b20d4c88d8b6f993f81d66e2cbf6060270cc497fca13b90

SHA512
a1f218e0bba4284c513e3310f2e53d539f8942377250eb26763872ed68f2414228b86dd519bcc6a9b46f30109f9f52c3b5cd366a35e311910db4f2005a0d0218

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
390KB

MD5
63837196705a8bc4d2a3361094a8b08e

SHA1
5991e9d7fba1d9c19ccf798bff75d5c45cc6d3dd

SHA256
da5486392543d3d84f585e346421eb0000c593a7306d28f2e57b84b1f037ff1e

SHA512
2278adf6dc47298fefefd8400659ac4259050b18461e0661346a1e70292c661f6ce6a44288bc97e7b13933332a4d89a28fd9c759d87f2c86046cc27d304e289d

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
390KB

MD5
3d5ff06612b62a5e3fff080409ca9ffa

SHA1
e2e5ea9bfb0cbf887afaf3254904885d19c37609

SHA256
647e47895edd7ee4e2eb7222f3a5b21cb8afd94fd90f19bc2efd45f310df2acb

SHA512
c650cda46bf525f6b46c44565800d499826823e992980d6dcced8310c8e1ee602fd0d007ac22dd2cd1c58307da9d5d4d7abe5dc895862fd4e9a3e55dab2cc0a3

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
390KB

MD5
b95ac0520363d6a3634ebeafc51e9447

SHA1
c90c6d6db7250e316c620bec9fc9788062c49db3

SHA256
2964855ec9b97dd1871abd10b2be63ba0c3c0eb24ea187b2faac258f85adb0eb

SHA512
b208bdbc1e0913766cd6125d66dfada68725020478d5c3a0e137ebd655ec71ccac26b9071ed63f463cd21e66f96ed03d22026e4d7ae223501cb61d28c248acbb

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
390KB

MD5
93cfe53b335cccb03ca6b152c56ef1f2

SHA1
c02640e6e36098f7333b87db2722b82affbb3aa3

SHA256
a8c83ca8a639b7dd77b5ed39a2217c615a393ae453febc674b0f79c7356f36f7

SHA512
bcc8e11d4ad9d83cdc9b7d955d30f17e027471c9077e17bf953aee95a21364656fc9e0c4d269c1d2b4b871a0d7483a8daf8c47cd451acb0d7b083bdd3fd72113

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
390KB

MD5
27dc1dae1e53d43a6c3ffb24b376b2d3

SHA1
9781b3b6325c59d12ffc8bdd10057e2871131690

SHA256
b07f3c23eff99117a0ff5ace07053e8eec2e111179c4e2de62a22373c43386d5

SHA512
7985af38d1d80831998f824aba71e7281d5a0fbf0de2c72bbf631bc7f552eb5bdc4e968570cb8dca1ab4b17d102e743a06a1c4bbdbfd87be5b9bc845699a1e53

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
390KB

MD5
06190540d17246656b43ffb1ce651aa8

SHA1
2ae501b03c8ffb525f9034338c95614acd5d54c8

SHA256
ff290e982f229aaf608066f7bad61c1b3c9a41a9250aeb6265744ac35b5ff26e

SHA512
3e5a12a27806171194727b875d77a064699f93b9fabf696bf2f3a517a8a8b7a5120e860f701603518d5612063c1c1a4ecc4608aa4bf541962fbd046a56039330

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
390KB

MD5
9f17bd1ed2f1a44eacf0f9a06550f315

SHA1
599575329d3424f365e6fb2ebde17553c43c1101

SHA256
8048fed7ae9ee8ac4e67c271f5dcb2ae30053ece6af14e6d97105ea4f19ad0eb

SHA512
a1ffa852d360b97a2725541bc4f2d946befe6b766c46ea7a7600eaeb2f94b4444a9b9609aaf8ca30eeeac77a67eed1e122ba967d79f4c9c300211da21128f348

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
390KB

MD5
89f4261393df04fc41f4c638f83642cc

SHA1
19058cc9518d915706bdbf8b08b53cf8ab5e5013

SHA256
8fd15d014e61a17e2e5f47e653493baf312ef1faa16fd86d2b046d70e4df5dda

SHA512
5f3eb41050cc3275825428022d76f5df10f0212f933ff0781dc9801752d24048e01fc2df7508ad8fd64c3fc1071a8c68600908162df7a492688ccc0d79fbb222

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
390KB

MD5
b712c2439f58cf21cc2b4fbde998692a

SHA1
c7c09d29d74450160efe0901f0c1acaa8b230db7

SHA256
7d7cc2c89ad30a01c80ae9f00163d4fb475b1d21dcade42a642cf73f283a5146

SHA512
2e6724763357806ff19145cc1d65cbf5c177fb9f2b1bfa6517a48f5e5b4e7af47e76dad30f84a914bc4bc8301b60a1b59286470c3244510f26a70d4780efa4b1

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
390KB

MD5
b3c867bac55232325ca84c493f8bd797

SHA1
741242e17cc13ff35538c99c5e11a7c5d797b7d6

SHA256
78ac378c8d61a6dc75e41e0edbb976c75b8cfc4fe72633b232cfa93cfc6da71b

SHA512
8aec1c2c0c46ab5f462f8f11d9fa8936ae555407abfef7146df6893bd5129aa8fc4dc093c6ac1b49402500653b65d27937b2bc0c5184ad8126fa4a58b2aced85

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
390KB

MD5
ab69d3187291046b6decfaacdb6d6606

SHA1
d641b2bc7446ea7743313b46a8877c7b428fa893

SHA256
a3165a3931113f8677b696fb42b0555a71a621c83b89f84df10369f8639149d5

SHA512
2a29907f209b8c289fd91ee09ba0b94f1330d5f1b815f9c17438f89dc8e0cd90c6a37f7ff192bf1e4030bfb059506594825d142bc4d7a4e759c8543af863e49b

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
390KB

MD5
29bb3db9ab8e9f7ebd73928c67fbdbb8

SHA1
1b84f38393501991fd1a1f3911dfe5f065127317

SHA256
d2a652203ab7d875733f7b5603818e7f1ee77fb7e50c781ea105e046dd79a2df

SHA512
6a5554df1b39b3e1c54f5e5a0f833e2113275db85aff257628fbb54469d3eccf324d0fb564de39f225506077e7f92dde5ecf111b7c09f48462bf7f1f8bc756c4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
390KB

MD5
069575a73e306108035ac41e9179cf38

SHA1
4fb49a3b0819c892ff1f898960a780e64a8c4d22

SHA256
b3dbf37df20dd6431cc905caf6d0acfd197aebfd450f9f60f10dd788b0152b9d

SHA512
6289e04bb49f24ae06381e6d1a750b11a1397df3e88276771e62a08166cd02743b08782d4034d7de2985d4a64821dcb0077d088de1d3e4c81cbd314cece1ade7

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
390KB

MD5
1f0fee69477976f119cb0e5d571f57bb

SHA1
c7d33efed8ae06b462429c768c95ae8db2bda504

SHA256
c7e5a20144ba2a380b35d61a281f54165d36861a667a0e231f83d0e84e68b5f3

SHA512
0e374e7a39f3da93cf59d1f973b78bb0b1c62badfefb00cd97bb5a5299f7d82f49b2a3789b92aa6619e4622fb6652ffef758dc6bd9ee1f0b4056d4addeab341a

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
390KB

MD5
7f61a3c07501604c907042926cc2605e

SHA1
687959e7938be12be7c50f69ecfb44cf9474a60d

SHA256
fb664b3aa6536d10e701ba0bb3149d9807f2071ff26781b179b3f9efa22ed208

SHA512
bd0d0bcccf542972858c3fd18c2600f881ff2f31f990e97addb09dfd55fcca94043d522768264f54f8d558d8c9cba386ad268c03a3395dce29c22c2beb993407

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
390KB

MD5
083ae4b926193c022f8e7544af3cb896

SHA1
0ca5db773a0d22d0ea349853856f8fac018bfbfb

SHA256
d4376c1098b263ef5e0350aa161a45e1e7935d6116369cc177fd34142e9fc929

SHA512
88fd0b1a2d851e65807a0cb7153a21a8e300dabf57fcf45f2b069097afdc49392ef75bd87e9c9433e5d2b4b5a7f11febc7a40f4010ae73aa0a227d697198f420

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
390KB

MD5
230f91fbef5e03880cb48e13704b2591

SHA1
08cbec62aa11eb01fa9c0b72f5fedd7fbfbbd9b6

SHA256
89f9b4153dbd5d39108372fd913a3a00d900022e3988e73170ba45f9814c2333

SHA512
1592110b74d2843fa037767482aee303e7a935b6b7be5bc55f46a1fb897015d4f6326a63f84853ac749266cea27f61d450efeee69d95dabb69d52fb997433c3e

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
390KB

MD5
6c22425113ac8903cd32a1f71893a121

SHA1
bdb80387369ee637bc22b9786612e896d4a60a2a

SHA256
1e86725f20cddc4b4c1ec931ce69476701c7f5143059530a41eb81171c3a52fe

SHA512
0ecd6ee7eb487032d59bb77f2e87eaf4dc9e823fd30c817a8f4c93b25fb288c6e400c80c4c03929b5f6e41f5d9bec1bf418d2356cf376400819f94a25c9cb447

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
390KB

MD5
b2852fed1a79e1de5c0e0def5a99d233

SHA1
fe494fd72bf050262e5f941adfa08b8f6923730e

SHA256
665126fed9994f7711c6c457e10de972a9990b32fefd56e30733273f97b8519a

SHA512
c4096523dfa188503a93b220adc4a439b56717a2d5e0af4924a5e23591d7c12dd25d8443a2aa9ce53ba131c1f1c4ad966c07bc35e8e1b10b6435073ff52e816b

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
390KB

MD5
7481f6b630cce746cfa2fa37a278cbf0

SHA1
de64fa2445b600d285c4e881dfce326947f640ae

SHA256
8d81e58fa58c12e0fa49de0b0c8309cbe703dd847d55eb2e7d0f17f2c7b6e3cd

SHA512
641488c3695ae519a85668ed4d9a47bdf3519b1228b9476dad3fb481f93aa7d26607a3339c844091ac4bd1d15f13f00a3bd22a169a00cad0d90aa4b7186400e1

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
390KB

MD5
8f69851a940924e57b35fbfa8028ec7f

SHA1
c4f555041485dabae097c196eb8abfdc1863a5f2

SHA256
3289cb663180754345ac5a77be0ff8e4f61aaa6b228cb4fb2db43a0e990ec5b2

SHA512
593026d059eb635876e2c9386cc33f796d7e17f2a928654555fa50f4bf48b3c46da57ac5afa7263baec0e81d01f65074766823eeca780ffc85123e253ad02e9b

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
390KB

MD5
8168333f3fa58942c9f6d1b037d6897b

SHA1
578f810d1d118d12b3f49afce1bb7e35cd5e735b

SHA256
e1d8a2d1e66dbf4053d1e74957159c6153e3366ce01784f85d34c7a5b8ac1823

SHA512
5e93e68a703a57f2e7ee233a4d3db7ead2fb1de6dec66437986855f2850cee1cd487d1c4df45f8208361e7814e3f459468b06c56564c14e956ac2b84ea076aee

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
390KB

MD5
7e679b67d0a193e45b024d6072ac7f69

SHA1
04aa88289c5e0495cdc547840980b572f9eab013

SHA256
a49cf6694e5c711c771cc7de505cd75157adb87b9a529bddf004f4972d91206d

SHA512
b6e96489d84b547151f7c53583021da0d49cf8a15e35f45edaf573117b9561370925ce022cfbcabf7d97a1316b3733fc71956c89f237accf4c7a3c286d52a26c

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
390KB

MD5
dd68bf219a76dfc101a53e36a1463839

SHA1
774034c2279ac4f8beaf2b4c0474a916a785451e

SHA256
7358a054577ad5f7574109c9efae03f5a63779267a1d19743c0faabb2f242838

SHA512
5d4aa511945252963bd602a31f2bbe0b436f8fcdd5c41b1e87a57e2f7db0c1456ccdc112426c726d9367d8e2b63abf757b5708e79232bf042f38ea2e9722ca71

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
390KB

MD5
5134eca8b326df55e378c9c155631d05

SHA1
52fae65e7cfc3b2b577828f8ae1346e24d43084d

SHA256
e21211821350fe84833d758fab8d159debad251da66d01010b72d2f80f677506

SHA512
3212cdf711025a5fb4efc0c8469be3982a07ca1d061ca98e3757486c8f960b087b6d8eec99650684ccfc0d594bbca719b46890f1ac88721ecc506666283b87a2

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
390KB

MD5
5ee248a8b91d3eeae07b85d1fc57e1a7

SHA1
e36876fb9c2674850549a6ab2049fe0d21aff2f6

SHA256
03cd1554c204c53dbcf29ec19b50128025451cb46761b7f5aa33bc4be0de4e24

SHA512
6bc7c854eb7d3b9fdd21b836e15442e7aaa6232c1d91963084a04351bb4eccdc1570f0cf615255a819f62dcd755079953d5860175118169ef67bd71948ad3424

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
390KB

MD5
8dabec17d2aa0eded3be47f95be04f73

SHA1
57612e343e7bcea87741565dcaa67f743bfcc76f

SHA256
ae92bbfd449a8d4a2f005440575598c8523565b4ae4a2220de479f4ba90128e4

SHA512
0f69b1bfa2026c6e07ca0094bda280887ee18862d69548b4c7e69d43d99ca71847661f1db1dce99ec3183c08522285fdb43ce7983ea95d4e9d07f85f2d96f7e8

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
390KB

MD5
c9fb4a4a080bb79b92d6b9eb760c8b22

SHA1
d70bee11dd445382db07e0684ffc4c0646aeae6d

SHA256
3e92f01a72368b2eb298c0a0c422c4d39781b3b7cc6dc5de5f790337d846867b

SHA512
535b5e108f0a31e48a1f196cc73194dbc536e9c3b42b95facadce702e0034f0467d1ebdfd9183cc716d28f6a2532c7d54a9367b6e41d040e279c59fc53eb81e2

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
390KB

MD5
aadfd6f54f8a3971e83f7bfd8df68263

SHA1
45f97a9ca410be2c79f56142b3b846299608fb21

SHA256
2ca5945a230949f31657aafd947b82267c7c5132f038d8c297ca40e677be8520

SHA512
577d8cd0a93cdeee7d8a5baaaea8e20d2aa69742f97218cb444157c7107ba47b40a2bcb31ee8e4971f070a7aded2920d6e61809c2085e4afb319babab5f4dc4c

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
390KB

MD5
4d5764f51edf129555d22d88d81c7ab3

SHA1
1c0d050d8483f21b55b8f8503617d8bd38a2db3e

SHA256
22972f691fce032b6f1acb288a581272bb5067e6f5db2a38316fbf1b2e1db4d6

SHA512
9906f0160df89d332c953b41b961d0ee5a87545080f76a9be8889d06932342ba282eb6cb9e0bf12ae46a70c565f33123e6ef0deb41ad31295cc229c6bbb8c627

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
390KB

MD5
e0a6f27de9aff96d163043086081ef3a

SHA1
1846b976ce341241bf6da745afb0aee16cea9ac8

SHA256
104d3472e1df524f6f73a3c23229441bf31ce2116f51ebfe6ab4fe99867fe2de

SHA512
5278a49bd327e6a237b928b206a71d463534587de63f491c818023c12a17eca9f7210360db29cfc889d76fe4da110c8d17df14ca86c219d7972b07396b6ca01d

Download Submit
memory/400-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-644-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3336-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4872-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5084-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads