berbew | 3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93b

Analysis

max time kernel
101s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
Size

94KB
MD5

ea63b3469361253b8856a3c0b45dc830
SHA1

6550eba1e3035831075cd7963e0702a645867fb6
SHA256

3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93b
SHA512

6ee5563a24d574a1df2238f6bb9cf73fde5ecc921fba30a9ff7efcb0373d4181d0ae8cbcf59beebd94330d64e3cff3cfbeb0e4395fa85c547e1519b0465e771f
SSDEEP

1536:sN9eoKqNAypOC1borMRj14o2LmaIZTJ+7LhkiB0MPiKeEAgv:Bqb5borqG5maMU7uihJ5v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcelpggq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caageq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfcok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njhgbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhpimhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkqjmdg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akblfj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocjiehd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqagcag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcehdod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pffgom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnojho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bacjdbch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1708	Mcelpggq.exe
3668	Mnjqmpgg.exe
3496	Mqimikfj.exe
632	Mgbefe32.exe
4696	Mmpmnl32.exe
2000	Mcifkf32.exe
2968	Mfhbga32.exe
3216	Nnojho32.exe
316	Nclbpf32.exe
2632	Njfkmphe.exe
1672	Npbceggm.exe
2276	Njhgbp32.exe
4660	Nmfcok32.exe
4532	Npepkf32.exe
1912	Nmipdk32.exe
220	Npgmpf32.exe
2532	Ncchae32.exe
1968	Nagiji32.exe
4956	Ngqagcag.exe
3212	Omnjojpo.exe
2268	Ogcnmc32.exe
3316	Oakbehfe.exe
4868	Opnbae32.exe
5096	Ombcji32.exe
676	Opqofe32.exe
4968	Ofkgcobj.exe
3468	Oaplqh32.exe
5080	Ogjdmbil.exe
644	Ojhpimhp.exe
3340	Opeiadfg.exe
816	Pjkmomfn.exe
3532	Ppgegd32.exe
3948	Pfandnla.exe
4404	Pnifekmd.exe
2440	Pagbaglh.exe
4576	Pfdjinjo.exe
4904	Pnkbkk32.exe
1576	Paiogf32.exe
2928	Pffgom32.exe
4632	Pjbcplpe.exe
1416	Ppolhcnm.exe
2744	Phfcipoo.exe
1064	Pnplfj32.exe
1264	Ppahmb32.exe
4996	Qfkqjmdg.exe
1624	Qaqegecm.exe
4380	Qhjmdp32.exe
5092	Qfmmplad.exe
4016	Qacameaj.exe
1192	Ahmjjoig.exe
4752	Akkffkhk.exe
3740	Aaenbd32.exe
3156	Ahofoogd.exe
4480	Amlogfel.exe
2484	Ahaceo32.exe
4064	Amnlme32.exe
2788	Adhdjpjf.exe
2072	Akblfj32.exe
2544	Apodoq32.exe
1380	Akdilipp.exe
4684	Amcehdod.exe
5076	Apaadpng.exe
4252	Bgkiaj32.exe
2416	Bobabg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgncclck.dll	Coegoe32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Nnojho32.exe	Mfhbga32.exe
File created	C:\Windows\SysWOW64\Omnjojpo.exe	Ngqagcag.exe
File opened for modification	C:\Windows\SysWOW64\Ofkgcobj.exe	Opqofe32.exe
File created	C:\Windows\SysWOW64\Ppolhcnm.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Npbceggm.exe	Njfkmphe.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Paiogf32.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Oaplqh32.exe	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Mqnbqh32.dll	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Npgmpf32.exe	Nmipdk32.exe
File created	C:\Windows\SysWOW64\Mnokgcbe.dll	Ofkgcobj.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Ckbemgcp.exe
File created	C:\Windows\SysWOW64\Enfqikef.dll	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Bmeandma.exe	Bobabg32.exe
File created	C:\Windows\SysWOW64\Chdialdl.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Dannpknl.dll	Nmipdk32.exe
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Ngqagcag.exe
File opened for modification	C:\Windows\SysWOW64\Ogjdmbil.exe	Oaplqh32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File opened for modification	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Oglbla32.dll	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Akblfj32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Bmjkic32.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File created	C:\Windows\SysWOW64\Opqofe32.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Conanfli.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Lnmodnoo.dll	Npepkf32.exe
File created	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Cpmapodj.exe
File opened for modification	C:\Windows\SysWOW64\Chdialdl.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Pfandnla.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Pagbaglh.exe
File opened for modification	C:\Windows\SysWOW64\Bmjkic32.exe	Bogkmgba.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bphgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Nclbpf32.exe	Nnojho32.exe
File opened for modification	C:\Windows\SysWOW64\Opnbae32.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ojhpimhp.exe
File opened for modification	C:\Windows\SysWOW64\Pjbcplpe.exe	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Qfkqjmdg.exe	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Apaadpng.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Dojqjdbl.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aaenbd32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Plikcm32.dll	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5160	6064	WerFault.exe	200

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncchae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcelpggq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnojho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnmaea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqagcag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjdmbil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfhbga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npgmpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nclbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgpcliao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqimikfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcifkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpmnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qaqegecm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cglbhhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oakbehfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnplfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahofoogd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogcnmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njhgbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcehdod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkibgh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpmapodj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpfpo32.dll"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pghien32.dll"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dnmaea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppahmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bacjdbch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npbceggm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nagiji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppolhcnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Ahmjjoig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijjhbli.dll"	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkeajoj.dll"	Mqimikfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjijid32.dll"	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	Apodoq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjecbd32.dll"	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmihfl32.dll"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfoaecol.dll"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnojho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnddp32.dll"	Caojpaij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnjqmpgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhjmdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgpcliao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfnagdi.dll"	Ncchae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjimp32.dll"	Phfcipoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfefigf.dll"	Qfkqjmdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Qhjmdp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 1708	3284	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe	84
PID 3284 wrote to memory of 1708	3284	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe	84
PID 3284 wrote to memory of 1708	3284	3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe	84
PID 1708 wrote to memory of 3668	1708	Mcelpggq.exe	85
PID 1708 wrote to memory of 3668	1708	Mcelpggq.exe	85
PID 1708 wrote to memory of 3668	1708	Mcelpggq.exe	85
PID 3668 wrote to memory of 3496	3668	Mnjqmpgg.exe	86
PID 3668 wrote to memory of 3496	3668	Mnjqmpgg.exe	86
PID 3668 wrote to memory of 3496	3668	Mnjqmpgg.exe	86
PID 3496 wrote to memory of 632	3496	Mqimikfj.exe	87
PID 3496 wrote to memory of 632	3496	Mqimikfj.exe	87
PID 3496 wrote to memory of 632	3496	Mqimikfj.exe	87
PID 632 wrote to memory of 4696	632	Mgbefe32.exe	88
PID 632 wrote to memory of 4696	632	Mgbefe32.exe	88
PID 632 wrote to memory of 4696	632	Mgbefe32.exe	88
PID 4696 wrote to memory of 2000	4696	Mmpmnl32.exe	89
PID 4696 wrote to memory of 2000	4696	Mmpmnl32.exe	89
PID 4696 wrote to memory of 2000	4696	Mmpmnl32.exe	89
PID 2000 wrote to memory of 2968	2000	Mcifkf32.exe	90
PID 2000 wrote to memory of 2968	2000	Mcifkf32.exe	90
PID 2000 wrote to memory of 2968	2000	Mcifkf32.exe	90
PID 2968 wrote to memory of 3216	2968	Mfhbga32.exe	91
PID 2968 wrote to memory of 3216	2968	Mfhbga32.exe	91
PID 2968 wrote to memory of 3216	2968	Mfhbga32.exe	91
PID 3216 wrote to memory of 316	3216	Nnojho32.exe	92
PID 3216 wrote to memory of 316	3216	Nnojho32.exe	92
PID 3216 wrote to memory of 316	3216	Nnojho32.exe	92
PID 316 wrote to memory of 2632	316	Nclbpf32.exe	93
PID 316 wrote to memory of 2632	316	Nclbpf32.exe	93
PID 316 wrote to memory of 2632	316	Nclbpf32.exe	93
PID 2632 wrote to memory of 1672	2632	Njfkmphe.exe	94
PID 2632 wrote to memory of 1672	2632	Njfkmphe.exe	94
PID 2632 wrote to memory of 1672	2632	Njfkmphe.exe	94
PID 1672 wrote to memory of 2276	1672	Npbceggm.exe	95
PID 1672 wrote to memory of 2276	1672	Npbceggm.exe	95
PID 1672 wrote to memory of 2276	1672	Npbceggm.exe	95
PID 2276 wrote to memory of 4660	2276	Njhgbp32.exe	96
PID 2276 wrote to memory of 4660	2276	Njhgbp32.exe	96
PID 2276 wrote to memory of 4660	2276	Njhgbp32.exe	96
PID 4660 wrote to memory of 4532	4660	Nmfcok32.exe	97
PID 4660 wrote to memory of 4532	4660	Nmfcok32.exe	97
PID 4660 wrote to memory of 4532	4660	Nmfcok32.exe	97
PID 4532 wrote to memory of 1912	4532	Npepkf32.exe	98
PID 4532 wrote to memory of 1912	4532	Npepkf32.exe	98
PID 4532 wrote to memory of 1912	4532	Npepkf32.exe	98
PID 1912 wrote to memory of 220	1912	Nmipdk32.exe	99
PID 1912 wrote to memory of 220	1912	Nmipdk32.exe	99
PID 1912 wrote to memory of 220	1912	Nmipdk32.exe	99
PID 220 wrote to memory of 2532	220	Npgmpf32.exe	100
PID 220 wrote to memory of 2532	220	Npgmpf32.exe	100
PID 220 wrote to memory of 2532	220	Npgmpf32.exe	100
PID 2532 wrote to memory of 1968	2532	Ncchae32.exe	101
PID 2532 wrote to memory of 1968	2532	Ncchae32.exe	101
PID 2532 wrote to memory of 1968	2532	Ncchae32.exe	101
PID 1968 wrote to memory of 4956	1968	Nagiji32.exe	102
PID 1968 wrote to memory of 4956	1968	Nagiji32.exe	102
PID 1968 wrote to memory of 4956	1968	Nagiji32.exe	102
PID 4956 wrote to memory of 3212	4956	Ngqagcag.exe	103
PID 4956 wrote to memory of 3212	4956	Ngqagcag.exe	103
PID 4956 wrote to memory of 3212	4956	Ngqagcag.exe	103
PID 3212 wrote to memory of 2268	3212	Omnjojpo.exe	104
PID 3212 wrote to memory of 2268	3212	Omnjojpo.exe	104
PID 3212 wrote to memory of 2268	3212	Omnjojpo.exe	104
PID 2268 wrote to memory of 3316	2268	Ogcnmc32.exe	105

C:\Users\Admin\AppData\Local\Temp\3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe
"C:\Users\Admin\AppData\Local\Temp\3f749a859be6fee5f8516898f614a6d292a5b2ff7260e5c192c57d461af6f93bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\Mcelpggq.exe
  C:\Windows\system32\Mcelpggq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\Mnjqmpgg.exe
    C:\Windows\system32\Mnjqmpgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\Mqimikfj.exe
      C:\Windows\system32\Mqimikfj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3496
    - - C:\Windows\SysWOW64\Mgbefe32.exe
        
        C:\Windows\system32\Mgbefe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\Mmpmnl32.exe
        
        C:\Windows\system32\Mmpmnl32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\Njfkmphe.exe
        
        C:\Windows\system32\Njfkmphe.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ncchae32.exe
        
        C:\Windows\system32\Ncchae32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Nagiji32.exe
        
        C:\Windows\system32\Nagiji32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Ogcnmc32.exe
        
        C:\Windows\system32\Ogcnmc32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:644
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        52⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Bkibgh32.exe
        
        C:\Windows\system32\Bkibgh32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Bgpcliao.exe
        
        C:\Windows\system32\Bgpcliao.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        72⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        77⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        79⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Cpmapodj.exe
        
        C:\Windows\system32\Cpmapodj.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        83⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        84⤵
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        87⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        90⤵
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:612
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        108⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        111⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        112⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 336
        113⤵
        Program crash
        
        PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6064 -ip 6064
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Amnlme32.exe

Filesize
94KB

MD5
23c51b6d4c5a79ec7497e3441df92656

SHA1
033582b1579d0bbc7aba8e0e3d3744191b7face6

SHA256
0f1e39e90b035e5a4f1244c825b8c8ab22d3ebe6d377eef40e2a1ab5103b1519

SHA512
1e51a3e95afc30833e0e6f6061b331580dd1a2a443b8490af2641e718b9679f378a5c6c5095ad0842777c0abf083a2331a57a4b2c35e65333654e55652ff05f7

Download Submit
C:\Windows\SysWOW64\Bmhocd32.exe

Filesize
94KB

MD5
854ad62adbe7a4f9c74a449f2a6a8eec

SHA1
94f829f9b6575dbd3b23f608dc545712bedd0a28

SHA256
2c714e463d16c7fd3665e079e91021f161ab8c337984c1e56d4c1c1916544515

SHA512
2759b6a78b7864b919080b6458854333a9f41d3ab2cc4e193003b0d89c039d811860e44373aefa45aec7b0efad148cb3afde7722102b1df8a34051ce1d8a3c7d

Download Submit
C:\Windows\SysWOW64\Ckebcg32.exe

Filesize
94KB

MD5
c73e3a9a5d3f9cf8c3ae8aff58722973

SHA1
203cc12bb16882c035c308032a0997359774eb0d

SHA256
211d16dc169e2bed85aecae5eca5d220f5d6e5fbb0e3b8965eec6e82bb5fa1a0

SHA512
94775f4620c84cf89810d8489b93d8efa190f18c910516096c3f59580090f917a5a2a3db1ff5f89559899c2db5fdab7d4c0008ac1e457a293be4fcbeca946798

Download Submit
C:\Windows\SysWOW64\Dojqjdbl.exe

Filesize
94KB

MD5
197514b8597f30229f7f0970aa81388b

SHA1
1ae645f08d60b1e0c807c1c6b42feeb35da4e0dd

SHA256
a979a408d4ff1f530dc9242acd0163a86f1b17390b6e78ad0bee3c661ebb409c

SHA512
9b275d3f854a568300f73263632a75fab8cf1954e3c6a5238d88bd7fab72d6cbe5ad9d138b1c79a149ae607f0c40e265d5a8a0401f8e026fd4421ffd22bc4ecc

Download Submit
C:\Windows\SysWOW64\Mcelpggq.exe

Filesize
94KB

MD5
f1b0645d6fb2d04a2bffc62e3c150f0f

SHA1
66c7b0195ed1dce40fb3d1ab4368add019010189

SHA256
2ea57d61d568f04bf27b995dd187913b42be089c001ca461ca82367d9df540e1

SHA512
fd3d59cad53db1a7bc19796dc89bce1c32b47ca0d160f67ab730ac73b41b092381ecc34659cb39d967538b95d15c54fcb108bfdc92d1c21f92ca7bf33cf9f71c

Download Submit
C:\Windows\SysWOW64\Mcifkf32.exe

Filesize
94KB

MD5
3c4c96b69e65f1ad1772038462dfc30d

SHA1
d5be75af1da6eb66554491a7c77dffc770f21504

SHA256
3649479054a7493243110c07d79494e3ec80e9863f99499fe2dd8b207630d4de

SHA512
5e086629b8784f56ac536c3ec46e6bdef7df4bdd55a16f6b7cfefd14b5df6799d0c0b02612577733da571dc7a21b3012d468277ebb6e14ccc0ed98d0ab336e16

Download Submit
C:\Windows\SysWOW64\Mfhbga32.exe

Filesize
94KB

MD5
d92026d7390f92aed0fbca0e30ec1859

SHA1
0acc1ae5caf8eb7a84213f05b902c77ff261c7ac

SHA256
af53bacc2cef47f77b310e22b0e61761505bc9bb3e084635f0fbfb58df3f42f3

SHA512
ea34c923c2c423d5d1f91d373f34516789722e6b2184dcdcd19b70fc95077d75522928653ab9fdb5e1f1fad94b4e79af605f66f79ea8c8e60483ca3b294317b2

Download Submit
C:\Windows\SysWOW64\Mgbefe32.exe

Filesize
94KB

MD5
f843417bd21dcf4673cd16ecb62a700b

SHA1
30b724cb756f759a532692343bd9477306bf1851

SHA256
df8a22bfb4822be52891c659fd683843db7553f1db21c653e211b398b1d3f7ef

SHA512
d5f2cee861bcfeafbf10e2877d4b6862851f6f0f2b6405d06cb531b6cd2653074c143168154e2dcfdc1017f5effbaec5138bf60f9f302bf8f282b3426a83d71f

Download Submit
C:\Windows\SysWOW64\Mmpmnl32.exe

Filesize
94KB

MD5
3c3d3fdf1a55d71fc24302393d984b3c

SHA1
271dc904ecd03bca087393a1bd1dcf9ce2fc8dde

SHA256
a6b1c9dace9dc7ec0e620c3cc64725aab258b668ab59d1fda17a007650c3a270

SHA512
c93e69e5c512a3b66457956e3af27c66c6dee2a844e8588c20bc0785cd8a9828aed6ccc85ffe3933fcb9be290ba913c8443a997d47b60f66d828c2302044d12a

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
94KB

MD5
1061e499bc9bf65a765bf3a5b48bda81

SHA1
5a26e6d2b551361fe92e136f026fb1e0a3c89720

SHA256
05636994fdce6521dbfc23c39f6f2ebad19695b8ed3298bb7a2bc85cea2618f5

SHA512
47014c57518fd0f545ca85f7202129fb0decdd0e1fb690eded4ba411e597c85a8472b17836758d602c8acbe10425b157870a81199b52d07fd665ad7eaaa898fc

Download Submit
C:\Windows\SysWOW64\Mqimikfj.exe

Filesize
94KB

MD5
7a8e8364758dbf418bc2c7336e784893

SHA1
60873938a8375cf18f09fd2ac4a8f5476dca2598

SHA256
f1309d8ac9e9f91106e64af25e7db59fa5771fffa5ee54cb2ffb7c71710f350a

SHA512
7ff4d0c2d485272a85521c7ec150743eb3b2f27873305d58adbb1c775b6284818a4e50046a925c27558f7336743483bbe684f4ff240aaf08d0acc25c00f85eb8

Download Submit
C:\Windows\SysWOW64\Nagiji32.exe

Filesize
94KB

MD5
0e392bcf6de4756b9aff29b915f8abd4

SHA1
46a90db3f3ad4490839b562129d9f0013dfad600

SHA256
d47e995c1d637cefc487747e902c281e24998d8e04be2256326b940f41ebd92a

SHA512
efe93ff2dcc78d810f2032f9a5fcf79950556e8e17b8981ffc566a974e132dd22186704c42928543f435e73a68ee4b47da94083b703fb4eb9cfe35331a958583

Download Submit
C:\Windows\SysWOW64\Ncchae32.exe

Filesize
94KB

MD5
782f940628ee17f5b8ed94e8341a3be4

SHA1
55437abbb9f8ed17b099d725a54240b4f6b1d5e0

SHA256
92f58f09ae72849feb27c1091c85063c27e6307a199f9c83c098303eb72b9e92

SHA512
03a9f8b903280d62c6585ca6821a57e6931938818f6b508ca548164af6c8e6776886aa8459298d1066628a80b2db433dcbf1dc998e180cb6be2b15d48f3b8716

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
94KB

MD5
140ab49369535cc8e98b21d52cdcf02e

SHA1
77b9540f6d05846c3d6caf9b6b975a354ccbc3a0

SHA256
c1e5af8e1dc831a1ec5b44fe989cedee60437058651caec2bbfbd635471f9d09

SHA512
e8b491839e9a155cfd15169ac55b394ad797e33c40cb99f46fc182877a5cb1fecf9ba81f483465daedf3e9de75fe8c6f59fd04ac5aba5c07356d414bdd5c0a8a

Download Submit
C:\Windows\SysWOW64\Ngqagcag.exe

Filesize
94KB

MD5
5f34f17c55693ad9dafbdc5b7b3003c4

SHA1
4b4316ceb4c17d636a1c9dd42d35f2c33cd1c238

SHA256
ce431d1f9f4f1bcba67ca490ca7617401904d8574f8d8c7ea889207d53363def

SHA512
e5339f9bf37cf9f153e6e98feb9159a5672938da176855d8d65153d85dabc88ffc158bb9a16bd339b98999c2b9cb51e56f08652965e28f3fd36362171b84865c

Download Submit
C:\Windows\SysWOW64\Njfkmphe.exe

Filesize
94KB

MD5
b72a892a9012d77aec9fb366373e0b74

SHA1
2469ad7b5a8724320bde451cfd9d01a364f37a59

SHA256
1c305e2c3c3549c587349ddeff2df1a583af70f10d139a1096c31e0dd8425cb3

SHA512
b05c05f00ad8741c4c93cd87728c9e83e24a9c8a9b07c6a000a874489702e5b85c01bc260af3b6c211cb6d48e1a4c39a661220ddd0b7076726f34e4aaa336154

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
94KB

MD5
3dd108efa4f977179238a17ef834f7a9

SHA1
f213555716084cca728f92d854665914256337f7

SHA256
f4ce8e9239bb105d37c298f2060327be3f34a4f6acbadb26d249b7860d678315

SHA512
22431ddb5a20eada72c6e85c6315f90f4b6f1496ec5d856e8abc03092821408d52193274ec18594c8d570a13004dfe2b5ba35ce22d2c947b8883ec22f6d4a7e8

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
94KB

MD5
dd48c3c07fb9ef696e2eaf79b743aa0c

SHA1
4a56201a774952b89620366e6776fe2fcfae1b2a

SHA256
343b2331bc7faede963247987a10004022e7017d7fa5b63fa0ddd03336818ce4

SHA512
46e606a10057320758763354f142c70642aa9f30f662f15dd9067942ced93b406b278615e7e9808b617874150d7bc5bb6d76909628af6f6ab4e04f3131c634c1

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
94KB

MD5
d35cc9a040ffdd30af6a3ea3223ab392

SHA1
106f2445cda80bcb46945f92e17aa2f61d523ab4

SHA256
bbced9ebe2601393ce5e8cb979d6bccbef6323a767e6b7c0ae958fa0bfd92ec7

SHA512
279fc355ed1e494ae777939c30dadcaf9f85148920e88f94f0d24f484d959b40b56c8a6945dacb2fc627703fce754ce5daf0461a331b880eb8a823c95bfd8554

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
94KB

MD5
62b76f1c546c5798e670e1306f35ad4d

SHA1
83c7d23627fda76391b31db15323c03d854086e6

SHA256
c28170e9f84f263fc1e1b4ff9e70a35768a84f1396751e9a51698473ae900144

SHA512
12034ec52e157af4e03ac95beb0eeffcb8bd590b75fe555b1464022bafaad95658952ca1585bd6f110e0522581adfb91e4d95abd0765ee031614ef7cebda78d4

Download Submit
C:\Windows\SysWOW64\Npbceggm.exe

Filesize
94KB

MD5
48bf9fa1628a568f6aea6d824b0a775d

SHA1
1cceeb65ee77cadf4751a6840c5486aed28ff127

SHA256
37ce09ca1bd83cdc50239374b472055e4be30b81a695e140223d7a7d036e88d8

SHA512
76b1a718d3d603d4d9d9d622fcf2d39ac773bc1a4990a26a428de190a03f73e463a1a1089024e42ed0e6304fc405224b4f49bfba8fa8eb18215fab1facc4b784

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
94KB

MD5
4d5c2d2a2e04ef771cd2beb129a58836

SHA1
6c7a68b115200d5d4309f256c0bd13033e12fc45

SHA256
fce4e0d78698ad7f50fdb82a0c7ddd9ae7cea1e388fa8a4687faad2d3c89b645

SHA512
f2d26d05aeb25d7dec9d47a9c5f11491c4762aa180161f057cbaad203d8cafc76cc0f313a4b8294478e64e76b2f98ed764b8f7062b8fbe96d361c4bfdddf6009

Download Submit
C:\Windows\SysWOW64\Npgmpf32.exe

Filesize
94KB

MD5
b1f53b05f5edd1855546f319618855af

SHA1
b7b27655126c13e9b870bab59bbfa6ecc6b7213c

SHA256
cef48c09e3454acbed63d121fc3c179a4ac650d907965551b45e0c8fbfdc0c4c

SHA512
67d81db419a3b3a32af5acfacfe93ea625e5c74f01bf693262b75cbbd0b0dd9c7b6e417e559fbeefa74f6ac62c4452e8bb41d67a5a1d1f5f46759221eba9c3b3

Download Submit
C:\Windows\SysWOW64\Oakbehfe.exe

Filesize
94KB

MD5
153e96b5668e45285a4b2d172ab5fc7d

SHA1
425294169dde97daa332296ff5479511f2cddf4c

SHA256
20596cc15ed5161eb1dd76f6ee164978b745cab75a2d28ccc6d6837dc367bf26

SHA512
17165e208df54d0d31169215c9111c70963f5099caebdb5fb90de2b2f2ee4e20179e9bfe6d93c619744e19bec8f21bb1736ad6d5bdcf11e2de439b0a92068a74

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
94KB

MD5
2b163452e1a5b7886a27d722470ebdde

SHA1
022f44f1bd6632529aab4796929e245044cca64b

SHA256
9a87d508cc4bc244518d87f624491b277ccea7bb94a4d7a6b9d8d71b0d391ee6

SHA512
55fcf77039892db69c09303542ad47a23e47a87b3e5e9754019bbe2a89e271f2b31f701f7bb9374cbe402a52b92ed25ff0eaa71df6d3a663431a23b552dee65f

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
94KB

MD5
e7ec259c301f7547b78f54ef7c2f28af

SHA1
c52a899b536d59559c3b9ca291650328649214de

SHA256
a2027edc7daa76eea7b0efa06008a2145c9575aafd31becce8c17c1f5ffd13af

SHA512
fde5a10f8b30354806a29ed4882a80dada58f6cc5629fd11fe49bfaa255d085d1c06ad9ab997b4e902b8564dc5cb63883007a3af899b67c6224bab57966e2c9e

Download Submit
C:\Windows\SysWOW64\Ogcnmc32.exe

Filesize
94KB

MD5
660a388179433357d2bca2793217e657

SHA1
1fd57d80a6e55d2318a8f0b5d8f96f11f81cae38

SHA256
40d68c01e8b3f99f2ad1a9a9ad0368e175b2b48e1daad43b99d0de891b6468ff

SHA512
2e9e55156ca48c6fd0d1ffc9a41953c05c899fbaa4a46d0bc76ba8b1f515060179851a203565bd154849e990804f3cdaa06d97076ac97b64e80bbaf4d834bb78

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
94KB

MD5
ad41b9bdef45dbc6e84323661c327e51

SHA1
0859cf0d3247f5a7cfbe2657dbea511fd26c6a53

SHA256
44b9027bafd9fe86c367044f983f2e13218da70f4fdfca73269a006740d023a2

SHA512
8b02cff4f0e63bb1a718fee9f4bf7bd78ee2ad86d2000de791797100fbd56a04640adca468297ceead17f2238a61430a877792ed6e9fd0409bc7547b51591b9c

Download Submit
C:\Windows\SysWOW64\Ojhpimhp.exe

Filesize
94KB

MD5
05543216de3c3674e3da1e74468a0d4e

SHA1
ec142e69805ce5bb43026ce413f7fa2c3dd8e9a0

SHA256
09107b3914d2ee1dde6b980501d60d22745c3370322b1312ab9f80f122a910ba

SHA512
47e981e02e2f577e200a1217341e8e64e1b915ebf5f8e93e90115f88bc6967b55f6a9e53be6e5d59a2056741dbfda45fb87ca267c0d89db18da189931b8e927f

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
94KB

MD5
a4b87eba68e173cbae465529edde78b1

SHA1
b194e42716f1e8cd7f740241e8d7c9363a81fed9

SHA256
f8ae38a1aa6f7d9e9013476420d7ce7ce0170f87500a9df5297b59e0625265dd

SHA512
cef39e4ebad0d44b2190eaaf010b5504e40a74ef349d863292e4b2b69dbd4534018954427e9f1842074408b60be7237bc1556cd59bc50fb75734fad546ee3bb8

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
94KB

MD5
f8b9fb0b770a5b12ac82dbe78cd98836

SHA1
818c2ed6dd88209ff2a2e74936a87d25a9707b24

SHA256
5fe9769e3664cfa35f822dfacba56556b79a9f6c0bd8cd0ad23dac1b54280c36

SHA512
2d0704f3847f02725d5d216ee7230c0b6540c82cd03ff73b17f32b569381aa3dabb784754c5c5a3d0b53e67fd22b77d80b26614ea7d9d3c54401da982466ee3a

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
94KB

MD5
33f697e226c3079095c03d57ef355da3

SHA1
bf09eeefce93c082e3d346574ce52aa40a32d9b6

SHA256
2eb936a29a87c02092a2874c5051724905e87ba71890d34fdd80a3f06d031850

SHA512
4637f8235f5d8c40db7aca33d6f21dc81e7d43bc2ede2bb82d1c51ed09567beec21fa371049b133d1f1fcc159c9c31545a036906e28652c8f586d91974a5b052

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
94KB

MD5
efc3e746c6c8d8b2d9da0d71fe2e630a

SHA1
33d657b3bbae22f8a3891d8dc0bab23e694d1259

SHA256
6d13ac2e486de15b794afa99cafa9dea95684608895c3519ff99d7cab6e99b6d

SHA512
1d1f6b0f08c353c11cfb979ae358b64e3f92bf61b482d324d12eb3b8bb38a2d0b1c292481c2637e55fcfb5548bc6ba9640afb692f1a549ebbc5f9d3b32823777

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
94KB

MD5
929c5edd9e77c6f0b3c5879bea8e6161

SHA1
29fad3905b0a9ac25bfffd992329037b9a0ef328

SHA256
fc389a0c6851d00b0801d4914c5397d271f930bdb40252b770d71ccf3d59f70f

SHA512
8d9b570f72f7ac739f5842296b07d3f1895de2f000aa6ad73073742d5d12ed83e56aaa871aaef464755cda21e5271660d8685b206722bb2bd8c0281bd3763f91

Download Submit
C:\Windows\SysWOW64\Pfdjinjo.exe

Filesize
94KB

MD5
eb4cebaf48209c38b1ab33ad70052872

SHA1
3af13228c496378cd30180a26654b588c275ff48

SHA256
d753332dbbe2a15dbf6cc19b41e5c4a84118c9ae40650af1cf5acabc0f6dbeaa

SHA512
ff1b7eff568042c8c45ca58eb8cc20e0760e55c6a10e773feb876621e458a31f136d7444a914c4004ff1bad2d757f185d7db6a9260ee9e073e2dfd6a229b1a33

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
94KB

MD5
1344b7f6e541c85ad05d4bf019cf5e95

SHA1
b8dbb2c2b4083fa4f74c867d4b4b8f21b737638e

SHA256
c288b546a2946f2df5009fb41db72682e18489dfbbb7862095305620e294733f

SHA512
c75e08529a1cb6f90b93063cd3dee3501485e5e25f21d3f1849a34e20d85c4c8149d83d177756a578f6bef28a553be27833083580ca872206eb790a2c56117ee

Download Submit
C:\Windows\SysWOW64\Ppahmb32.exe

Filesize
94KB

MD5
aeb376b6f1e154c0f205fc9a30190cf4

SHA1
607a0e2592c33e78b5a9736d6434bccc3967e1a5

SHA256
df991c9b12f414a13c6aa1d16bfd8cb5ba8e7a435117e5f99702400f34c4c4d7

SHA512
14c7be4acc024951aea99ea167529b231957cf4def76914818472172f1becd92cd424b74c9b2e635ab8fec930bfd1bc7cd0211178a82503cac1f04e222d93355

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
94KB

MD5
b29b1a4c7c31271642f950ea329afc77

SHA1
032c4a509b557d9604359518222076376aa9df63

SHA256
f9b299b59025d124821ff70884cc23a26718c26a4973616e5c19db0c3de746de

SHA512
e5ce5a49237ac4234f714cbd06f68368454ba47eb85b772d29cd49b8e228d6cde84a6852a1686ba35cfa32583c7591517fae1e12a15f3e021334aa0ec6e35d97

Download Submit
memory/220-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/220-222-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/316-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/632-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/644-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-267-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/816-337-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1064-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1264-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1416-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1416-338-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1576-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1672-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1708-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1912-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2000-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2000-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-265-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2440-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2532-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2632-176-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-345-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2744-414-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-324-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2968-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3156-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3216-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3284-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3284-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3496-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3532-344-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3948-351-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4404-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4532-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4576-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4632-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4660-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4696-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-408-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-285-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4956-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4968-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5080-316-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5092-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-211-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads