berbew | a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
Size

59KB
MD5

4c8b5cf7aba014abd1e54e6686f9aef6
SHA1

88ae2f8bb5482eb6c87a971fb818c4afe2e2d461
SHA256

a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597
SHA512

7d3620ebfe0e94a8eed97724145101585e5a30506418b9028e5cf413c989a095ce1d3400ce5f212d3cb2094586d13edcceb10fce92d13b142df561d86916e132
SSDEEP

768:bgaWF264gfgyxUXSBd8wr2TpJVS9WqiL2JLcMHEpl8lELlb/1H5A9XdnhgPD4N:bgCQxU+d8wlbHEplPPi3h

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1540	Njqmepik.exe
4840	Nloiakho.exe
1396	Ndfqbhia.exe
2096	Ncianepl.exe
4572	Nfgmjqop.exe
4424	Nnneknob.exe
2660	Npmagine.exe
4608	Nckndeni.exe
3772	Nfjjppmm.exe
4376	Nnqbanmo.exe
4092	Oponmilc.exe
4528	Ogifjcdp.exe
4844	Oflgep32.exe
3372	Oncofm32.exe
3896	Opakbi32.exe
3984	Ocpgod32.exe
3264	Ofnckp32.exe
4676	Oneklm32.exe
2948	Opdghh32.exe
1088	Ognpebpj.exe
4664	Ojllan32.exe
2028	Olkhmi32.exe
2472	Odapnf32.exe
5056	Oqhacgdh.exe
1240	Ocgmpccl.exe
208	Pqknig32.exe
1028	Pjcbbmif.exe
1316	Pdifoehl.exe
4332	Pggbkagp.exe
2296	Pnakhkol.exe
2680	Pqpgdfnp.exe
3540	Pgioqq32.exe
1468	Pncgmkmj.exe
3788	Pdmpje32.exe
4008	Pjjhbl32.exe
1888	Pdpmpdbd.exe
4752	Pfaigm32.exe
4204	Qnhahj32.exe
3584	Qqfmde32.exe
4308	Qceiaa32.exe
3300	Qgqeappe.exe
1444	Qjoankoi.exe
4556	Qmmnjfnl.exe
1628	Qddfkd32.exe
2452	Qffbbldm.exe
4040	Ajanck32.exe
1616	Ampkof32.exe
2276	Adgbpc32.exe
5000	Ageolo32.exe
3028	Ajckij32.exe
2368	Ambgef32.exe
2160	Aqncedbp.exe
3632	Afjlnk32.exe
2648	Ajfhnjhq.exe
1708	Amddjegd.exe
508	Aqppkd32.exe
2596	Aeklkchg.exe
3760	Afmhck32.exe
3152	Amgapeea.exe
800	Aabmqd32.exe
116	Aglemn32.exe
1344	Ajkaii32.exe
1692	Aminee32.exe
4796	Bmkjkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5196	6072	WerFault.exe	196

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ambgef32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1540	1408	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	84
PID 1408 wrote to memory of 1540	1408	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	84
PID 1408 wrote to memory of 1540	1408	a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe	84
PID 1540 wrote to memory of 4840	1540	Njqmepik.exe	85
PID 1540 wrote to memory of 4840	1540	Njqmepik.exe	85
PID 1540 wrote to memory of 4840	1540	Njqmepik.exe	85
PID 4840 wrote to memory of 1396	4840	Nloiakho.exe	86
PID 4840 wrote to memory of 1396	4840	Nloiakho.exe	86
PID 4840 wrote to memory of 1396	4840	Nloiakho.exe	86
PID 1396 wrote to memory of 2096	1396	Ndfqbhia.exe	87
PID 1396 wrote to memory of 2096	1396	Ndfqbhia.exe	87
PID 1396 wrote to memory of 2096	1396	Ndfqbhia.exe	87
PID 2096 wrote to memory of 4572	2096	Ncianepl.exe	88
PID 2096 wrote to memory of 4572	2096	Ncianepl.exe	88
PID 2096 wrote to memory of 4572	2096	Ncianepl.exe	88
PID 4572 wrote to memory of 4424	4572	Nfgmjqop.exe	90
PID 4572 wrote to memory of 4424	4572	Nfgmjqop.exe	90
PID 4572 wrote to memory of 4424	4572	Nfgmjqop.exe	90
PID 4424 wrote to memory of 2660	4424	Nnneknob.exe	91
PID 4424 wrote to memory of 2660	4424	Nnneknob.exe	91
PID 4424 wrote to memory of 2660	4424	Nnneknob.exe	91
PID 2660 wrote to memory of 4608	2660	Npmagine.exe	92
PID 2660 wrote to memory of 4608	2660	Npmagine.exe	92
PID 2660 wrote to memory of 4608	2660	Npmagine.exe	92
PID 4608 wrote to memory of 3772	4608	Nckndeni.exe	93
PID 4608 wrote to memory of 3772	4608	Nckndeni.exe	93
PID 4608 wrote to memory of 3772	4608	Nckndeni.exe	93
PID 3772 wrote to memory of 4376	3772	Nfjjppmm.exe	94
PID 3772 wrote to memory of 4376	3772	Nfjjppmm.exe	94
PID 3772 wrote to memory of 4376	3772	Nfjjppmm.exe	94
PID 4376 wrote to memory of 4092	4376	Nnqbanmo.exe	95
PID 4376 wrote to memory of 4092	4376	Nnqbanmo.exe	95
PID 4376 wrote to memory of 4092	4376	Nnqbanmo.exe	95
PID 4092 wrote to memory of 4528	4092	Oponmilc.exe	97
PID 4092 wrote to memory of 4528	4092	Oponmilc.exe	97
PID 4092 wrote to memory of 4528	4092	Oponmilc.exe	97
PID 4528 wrote to memory of 4844	4528	Ogifjcdp.exe	98
PID 4528 wrote to memory of 4844	4528	Ogifjcdp.exe	98
PID 4528 wrote to memory of 4844	4528	Ogifjcdp.exe	98
PID 4844 wrote to memory of 3372	4844	Oflgep32.exe	99
PID 4844 wrote to memory of 3372	4844	Oflgep32.exe	99
PID 4844 wrote to memory of 3372	4844	Oflgep32.exe	99
PID 3372 wrote to memory of 3896	3372	Oncofm32.exe	100
PID 3372 wrote to memory of 3896	3372	Oncofm32.exe	100
PID 3372 wrote to memory of 3896	3372	Oncofm32.exe	100
PID 3896 wrote to memory of 3984	3896	Opakbi32.exe	101
PID 3896 wrote to memory of 3984	3896	Opakbi32.exe	101
PID 3896 wrote to memory of 3984	3896	Opakbi32.exe	101
PID 3984 wrote to memory of 3264	3984	Ocpgod32.exe	102
PID 3984 wrote to memory of 3264	3984	Ocpgod32.exe	102
PID 3984 wrote to memory of 3264	3984	Ocpgod32.exe	102
PID 3264 wrote to memory of 4676	3264	Ofnckp32.exe	103
PID 3264 wrote to memory of 4676	3264	Ofnckp32.exe	103
PID 3264 wrote to memory of 4676	3264	Ofnckp32.exe	103
PID 4676 wrote to memory of 2948	4676	Oneklm32.exe	104
PID 4676 wrote to memory of 2948	4676	Oneklm32.exe	104
PID 4676 wrote to memory of 2948	4676	Oneklm32.exe	104
PID 2948 wrote to memory of 1088	2948	Opdghh32.exe	105
PID 2948 wrote to memory of 1088	2948	Opdghh32.exe	105
PID 2948 wrote to memory of 1088	2948	Opdghh32.exe	105
PID 1088 wrote to memory of 4664	1088	Ognpebpj.exe	106
PID 1088 wrote to memory of 4664	1088	Ognpebpj.exe	106
PID 1088 wrote to memory of 4664	1088	Ognpebpj.exe	106
PID 4664 wrote to memory of 2028	4664	Ojllan32.exe	107

C:\Users\Admin\AppData\Local\Temp\a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe
"C:\Users\Admin\AppData\Local\Temp\a1230a5a9a28c902f5693c6a6aef0c648cbd22a91f1e5f42ed6419868ee63597.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\Nloiakho.exe
    C:\Windows\system32\Nloiakho.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\SysWOW64\Ndfqbhia.exe
      C:\Windows\system32\Ndfqbhia.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3540
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        37⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4040
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        53⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        54⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:508
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        70⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4252
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:880
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        79⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        82⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4848
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3020
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3892
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        93⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        96⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        99⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        101⤵
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        105⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 404
        113⤵
        Program crash
        
        PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6072 -ip 6072
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
59KB

MD5
904a44e108f2a88fee0cf49c05aac59b

SHA1
2ca99d18f92276326cc35b617ad341411ee2d910

SHA256
7092c36c2f27a6a826c693e084b475c8ad61c91fa3cd4454904ad7b77513f6d0

SHA512
bcce9f9110b579ca5b2c0abcce842cb9c89f7b0c05d4145d2d6c6ce1d78585c4ecb1d30597119334fd845b3f9822420e2fb471887e2e9fb599b56508fc6edd46

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
59KB

MD5
ce470fe9e61219444f33c7de8f8465f2

SHA1
0e5b907706b782833ede301f421049141c7dff9c

SHA256
b84a52cd3246b50f0b598414f4066729f030a95c0dc36c962cd195d4a65149e2

SHA512
c4eb7ee66b45702735a886ca786dd2d053ccb49f0b2a22205b11f59bd4aa8fe8c3c9f02825d0e39af4268b0d5e5e5260023e7667e64d8f5740985f99b5be7fdf

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
59KB

MD5
afc64bb950e42947b419d39cb4e268ad

SHA1
ac89650c3dd9cb551043709050cb5e370cc88b34

SHA256
a49d6916833eba6c7baa45c926b7918cf8388f2ba55450e4c1bf1980bc156c75

SHA512
efbc5c223d6ca9f5a2bcff3973d7a66dac3ed8c625715fbbda87ccf16630820c298337fe440113f71591b650f390724af702ee9303bfa57623d4ff67f4f00af1

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
59KB

MD5
61342d15cb30ce13fa9c5bd2e159beac

SHA1
1e4a4ad2e0beb3b544ff61c468fb9669b0f8abc5

SHA256
57cc9e9cdb90cbb43bf58038cb5380a06bfdfce56cb41a18eb3ee28afb80b989

SHA512
3274ceed0433ccf5dd1e588ce8fe8cbb075dca6fdaa7be16945a94df43ada6ad77adcd85d10684eedde5f807de6c3b73f6c39dc2d6fcb7016e0371302681885b

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
59KB

MD5
87ebe1c9d61fc6faccb27635616c3b6b

SHA1
a34a94bd0cffc78c5600695d50df73944679c03e

SHA256
848a845e4338c5bbd2f5d6905c6e46c5655f1c3acb6047bd168fc5f46907f362

SHA512
1fd78c577466525e74027df339665c8e5dcae3827c962b1dcda044e750b2f70c154b6e267e47a4eb5b207a7bfac490a7e6fcbd1f3f9c7e1fc3a2acfc4bcd42f8

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
59KB

MD5
bca9ddbe8b9617fa2c273bc24a8deca1

SHA1
cf0da34ee73a2e0d43cc472ccbc53d2f3b77bddf

SHA256
75f4e4eef03f06c817d6055e9d178dac39acb342f8cee35e0330ccbc3520bf83

SHA512
54baf24f75e40335f8270a468e14fc6ae919234f8cc1fd0c39b7df8f4af6d04b5f5f3ca49592cc9c2a2de5f1ca334e4c0b33da79f09cd67920e844bc5c39d065

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
59KB

MD5
ceaae94b327aeef8cfb65d1fd2a5baa4

SHA1
c85c013ec992522688dfc4ceba2c9aeb9a1a4c76

SHA256
fe0225161ace0d258f7492f46068a6c764cc8eda1120ebd08e6f19870a12bc38

SHA512
c889937d2f67342b317230f6f00fd40f741f36759d3a23121d43bc1ef50a96ce13c08265e9bd1c3d76b266d93a32e871becf24626e0080c782a8779eddc64d95

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
59KB

MD5
3fc81e571dc992d27c2a4b95365aff8a

SHA1
311ea8c7485f801ab19eb2541ade01977e107cd8

SHA256
fff6a5551b7dab3e6ac4aafe82aac503108131cd7bc25ea6eae4a2d73055a91a

SHA512
86daa1585d11bc9764bfadabf07904b83391286c2b57510371e7c6bfb8257bce12cc153e210cdd410160a868bc33d58db2cddb3bb48a06180495821e35ea042b

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
59KB

MD5
332e8edbc782d5edca3779362f506dae

SHA1
41c55a89844b3c3452f2a0c2e5bb2a785880926c

SHA256
3077a431bd1b00d7058e11a572289aa56edf0d0999af68fe270834d4d87d74db

SHA512
064f01d576bfcaa76720b2317faae882108b6122f6c2d1ef372ca7dc5074dce73c33f08b57bce952b480d57e91ea6887cf265285a513a2b0df7e4646b9d19468

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
59KB

MD5
30504be18d560480187ae3d3bd16f65b

SHA1
0b76f384db84f4259d4ef177fca6bf0e413b6641

SHA256
8cbc1ed8bac0826b0f94e0b775e1ca21fe05706aa636fab16c8cb403c61fb955

SHA512
a0ac79bdd40fbb9980129a7c7da85e10e3120814df8a89f31835a7a8a29ca3a8413a83d4ba34a8ba9837999cadd71ee8cd6ef5f2616351ddd0b7112ed8f20226

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
59KB

MD5
a02bda0b775901c7a29b2c0195e4cb76

SHA1
a8aa731b50731a938b9d80d2544ae304ca916865

SHA256
ea97e0660f4db496dec9bda443ac5b95989240d5a2cdecad0570cbf75d1f7320

SHA512
1f748449cadd6284801e076df57de5f14685fd05a3aba87a2443bdaff97824b20ef4e3676f83e20a24ab44bce50aa5fd2b526ada0fc5cec39c26efa3bda423fe

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
59KB

MD5
18379d46bec307b613fea364aafe1daf

SHA1
cfe29f564750f84daa7939c32bb43861a1812c44

SHA256
9b3aeae378113d5bb7a2adc74e694f2330064d32f1ce7e5621239bb17eecc521

SHA512
14f6911476978ace14baec45b572b5e74f801baf38b01cfb1c1ad4d2e00752ac1c9c740eedd83b0ca158b1355632fd64e1dda608d44daa22488c197cc2f1334d

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
59KB

MD5
f663748a54c1544cb8bfc2cd18c39956

SHA1
2f92f05f0f864f2f5bcbec39617a81d5e2c61cf6

SHA256
9086f630aec81aa9fe1bf81a7f49e7cfa1d6028a605eaea12afb9d1345a72519

SHA512
587b736282ef218f4502ef3f8b73ecbc33e05b03f60dcfbe0e96982722728981fcdb6247fdd7b18db4dda3d68ea651bd2c61b52d27bbb9ba212e4e6acb24adab

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
59KB

MD5
fbf12e96984538e96170a5da9c434dcf

SHA1
8020b79bbe5bb80dfe114e92a3b4d69505c2551e

SHA256
2a4e86b737248427e77715ad4a67a3b6632553ea7ad425b4ccacafa8e512cd4e

SHA512
66b8126ee84aefc070aec7495f667e2e5ddd6eac4505903e904782fe91d1e8ce695ac71e3e044279ca7c028b55b61588cf2a686e4a13bda85bc4ac852ca86c52

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
59KB

MD5
9f0e53cf021aedbda1a772580158850e

SHA1
55b221aa85e2aaa16835c9eb22eaf2fe6018d8b2

SHA256
bd89a532517022efc31e567fb8cfc98f62f92eb8dc49b2629e3a3fc824bfbb30

SHA512
dd3ef439202af3535e83ecda2b0e9eb16f13057d18ac8c4da58c892b0b6c81dcc9967f29feb81c2c91a0a2eb5ed251ad63c4fc0c2500f4a82cfd119beaa62340

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
59KB

MD5
c26077cde8346093d33945173857c058

SHA1
b4d31f8cabbd3daa3a63835af44d785ab3bf3bbc

SHA256
23634ee3208458ee593313538452b0957097c198b08203bf59d8f5098dbdc8bf

SHA512
84ef9fc339c07b05a3d67ec0b3c79717b6e4c1cc72c22d99c1867c29d08dea8e5b3e2a556bbecf62b8b211c05f6165c7f51d1bb043cd5d06603eb17ea619c75a

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
59KB

MD5
5284f458b8061c732114f46d923723de

SHA1
02387004a8e7ae1a30303d11a8cfbf542d012d20

SHA256
45e0e53e0a2e549c1b0f4794de48faedf455128dec7db417ac10d2c7ae0f858f

SHA512
3fa10516230547d23badf5d2e1db5b9d6b7bb950fac0569d4b36c43329a42fc5a46003a258a25d8c55136b34929ff3ca8f997ae3f33058c7a392349ac8c665da

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
59KB

MD5
c5d8c45a92b10f12265a207c8f220505

SHA1
ff2f17d3432b85d1eb49804abb09622ca3da1587

SHA256
0037a02e2fe27332aa61053a3651f68686c5bd8f7774aa886d98fc9d53d04531

SHA512
28c4cd1230c38ae93c71a5fd7b517a76b8245864490cd2e72010df4fe36c9e9b3b0c7fd68d4d0df5265757086cad962ebcf93a79c159785fcd7f90f1f27b44a1

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
59KB

MD5
84cce75dfe1bebdfe37bd6ec47d63634

SHA1
71d1d30c89b1134e214f7039d4263b94a647c59a

SHA256
0f4823480051fc116f43406f4f7b8c7e88b3aeb67a8f5b8a04ef74e8e1bd70fc

SHA512
7cd1e79f0500854be197ffcc39c3bcb7f7ada9517becca9cc296f4b423630a1d4eac4e09346c73bf081d71b9d4c513166ee25d632fae0188767a6ec1b12cd24c

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
59KB

MD5
c169a3ff44c6e89f1e2cbf941c18e0f3

SHA1
0114a77f709e334748b2613aca975e00bb07d996

SHA256
2e63201d3e1ef55fe9e6cda1fff28c18446d16cb3bc5eac9d48128edfb24b0a2

SHA512
aea713b586bca6c7cf0cdd7e8a0a9129fc5e8d6663d8da944ffc40b19e3f9abe83b213d303ce925ee1b24f5adb5cce98b7a9f62d1fd0495ddfe2666de7cb8611

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
59KB

MD5
7ba4896be30c1785cc50590ef31490b6

SHA1
6f271c95ba1cb6f9ea5fbd9375acac70b25d4283

SHA256
33e21c7845edec2159801e4f19b63074ba6e7477be06098f3b2477b435700230

SHA512
27d8988615ac6ab211b37c4dce93566691a09762f2c984deb656f0cfb54db6111cfa330fc9c7170e5f29ed6047e3ebb466800e9ecd4c3d2642096c9d1a32c2eb

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
59KB

MD5
2ce4d7fbc4b06f4ed2c319e5269734f3

SHA1
9278fb2193e30304ac4e956a4a391b37bd2a40e8

SHA256
f9269ba6dcad229de11bc1c1b333d150b1ac9c0ff7041c8c6b99f1e682f7a559

SHA512
378ac10acd7451db8d9982532a2455cf59b0ca071a8d81494ee731903f9550d18affca3a49ad2c028a68e2a14d92913ee043745f088f9c58fb0b75b77fb2d835

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
59KB

MD5
8049991247146f28b65ca2e531828167

SHA1
3d81c56cf7174f2d78118041a2da244452d5fef3

SHA256
4d3dd3c012ccdcc3bebb1933e9eb18abd7c26a998a0f6f6fc159ecdafc87425a

SHA512
56f55ab4837ae6a4f21551862605cec9a96c3d468d7666675dfb345a7b9e5bbe8309ba14c1f35a4c55dfe58b5e5a1e508f4d0b9360e17c3ecd9684ce084c6798

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
59KB

MD5
58c72a701fdcec523807d80475afb57d

SHA1
0714fba3587965fe69e486e5b1698268b8d0522e

SHA256
d4f6f5c2686a5902aaeec1d6d1edd6ef45e1edff60a2fc0c78fa6fb64214c24d

SHA512
f1275ff9fc9e22b27e7a0ae5e85d5fdaff4d75ecefad6a57810aff6d8a89cdad3bd71806769c4a54570b9031577df0e79eaf62dfce506a03886a53d81106b750

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
59KB

MD5
d91bfd91bc14e9f17545189a4f95a35b

SHA1
7f4df17bb615518c8fd56fc7f739bf28d5b3081c

SHA256
93cbb4439ea37361bc64380cdc9cafc96fc129ce881cd81765fd051202296994

SHA512
599479eca634a7613ba0b75b7e591871f0177225b4a26d4ddbb39b72321889c54a4510b96aee611435c652da42c951c1923a177ce0fa01dac374f5bdf818b152

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
59KB

MD5
ec06c5a0a1e53ffb82694a84d2a9dada

SHA1
7bbd1afd0f3452712c1cc18719743382174bda2a

SHA256
9801c39182562be8dd1c4501b6084e81738475e332053c55dfd08130ddea2f1d

SHA512
c3d8fafd163ef8a08c9db14d0f7c6072e377f6badcdf1fc57088816cdb79c1a2380d6f91e4ebc738ed36a54c514a60787892bd43e0048024ce249c43d06c508b

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
59KB

MD5
5537cb744841a63175fb337308d1253e

SHA1
95a9837dde8bed7acb96a788e9de12e188bd5626

SHA256
1dab80f69be80b3fc6aaa231aea819b3f6477ff3b36c43ca3bbe18d9c406112d

SHA512
3274c56a3d828b39ab3b21c548b2f7bac0258d983f5ecb3066b8ce73d86ef88197676101b1b6569589381299c78948b4f88fe3cb15c244d26a41e61144057066

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
59KB

MD5
1836a9f472e7ee9d0190e98c113add10

SHA1
cb3ced4287e9219ddcc28f9ed9ffd2c85ee5477b

SHA256
a0798898050290bb506bc4a68cd44d09c88b18f77d3648aadf398c7066d39ca2

SHA512
c04cf908af693b07c1450d5bc642c83a2700f14b213cca5ef47212ce1f756d3fcf8932b3e2994a953aa82acf86ec6fa157852b7d31e002acae9f4a3236e5ff5f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
59KB

MD5
96dbdb4a19a8c21a11bad006612e200c

SHA1
a08c95c168fe88c32af20eaec13d7a5a7589f7d9

SHA256
5b2280555fbdfb9fed3a6a869fca89a1def6dcc38ca72ad37f1e148b409a3113

SHA512
e57c639a5e5003cb19c6618f48c8190c85e04c74bcad8386f473d3c5ef71763f8bdc4d55328860eee2cdf5458e9c40a8c8b0e2b1441ba4d5bcd0b1de56d6d77a

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
59KB

MD5
3edd3eb29eca46a37ac70bd6c6b3efd5

SHA1
8b299fdd0a487cb3b898bbb185ff7946483610e2

SHA256
f24bbc086b07aba17188bff4e219335b7337c6a6386f86dcf0b04810c7d602b3

SHA512
af02e1ed0faf20469342dbd18a7d92552cdeade3696cf2ef378748b10dafba00479d907ceb9685d6922805fa17817ec1941b9b3bf8a2cd12eb36e1ddd57e61c1

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
59KB

MD5
50f7c341c6522d55cf754f014f0148eb

SHA1
d4a8df0f799c8c179e918706c58b6e3aec3e09df

SHA256
557eabb69828e6834d4f26175cd278831a335f867c5bb3ea54532bca75cf74b2

SHA512
07a4bf1ff90a6f2a6cf672bc63e5d9ed7ae2772a705fc06d1eb381c8fdc7af34a15bdc7b45789fa91c108bf680837d0a6af27610beb6bd7dd968f9a32b610af7

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
59KB

MD5
a2766879029e8664d2f1a87830da3b8f

SHA1
24cb33d4dd2dd42959a0e7ce61abcf4f271a7d8d

SHA256
60de149239325b8dc92783a3daa992d286973a79ad1cbd043d408cc3b8e6a418

SHA512
46093bd299009e3477fa3f5609138a53b5b796955b1d19dabbf91f00b84da61561c376187c9d865fa216d704ef8da58751a8629faddbe7d6bf04e0d2f355520a

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
59KB

MD5
95736ba746b4a850e91ebdd7575e856f

SHA1
fb4d7fa1080fdb9923f78586b0ab123a2d662019

SHA256
188e63eb56bf069dbc4f666090fe916106ab2a96901df67d10539d8e9e32c692

SHA512
898703de58d9fbaea3d4fe4375f61e3a44d1f29ba6ff0a353900fd7dd835f71dcf6a68317337c6388e2e1d7ed8ce6582855f4f206c675e3f512f7774a0d1967e

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
59KB

MD5
9ac45ca234674b9119f52e878e1bd35a

SHA1
06294202365af608cc27d05618636ae1ebc8a6e1

SHA256
d982c6e6043b243059b4cd990d29770d6fc86c44b1152648f6d571703adaeb2c

SHA512
1a827a30622591841c8ec7448556324f507d772f72bdea918879ae84afeb56867b6688d9fbbd786be4d7793aa80aca1265922c3f7c44ae3f3baf081324f593ec

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
59KB

MD5
fe01310171b11e2c3e2db02afa538ea4

SHA1
504fc52edd66869b8e29791f99f19fbe2ef1760c

SHA256
0de597cf274fa5d139171eba0d3c59345f36d47a2b2adfa1918b2c60045dd2a6

SHA512
ef4dd7ae13366e7f3096f8bcec736fd3b3925a22ed4f08d6c6c1416175b5c0d080a7e5131893b12317fb62ee71596fd18dc8be88cc27e1af68350adb3cedb7b8

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
59KB

MD5
eeda26b22db2f4ca1a4792e3173cbf12

SHA1
de9760280ca5e0fe0411fb9130505dd35a6d511f

SHA256
3e3e5d2338e9e652a336bc9f5d199233d56a331ef439665aa87c6a336d8f98e3

SHA512
1a8108c6a0fd1d631092e1982279863e2a453a446d260f70efde951d232c4c04cff8a295ec15b13dedb55076c428d317d674c3ce8d68fb70b6b1a65860ef5f80

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
59KB

MD5
bb8637cf7eab483b59ea787109a8753f

SHA1
9240f2fbde19c6188a534adbaace770c89c2f700

SHA256
5448bc4f3de5cdb664b3b437cc9145ede7cf4cc70a98a091f81aa107c9672800

SHA512
519af5c7827ff5644f224531aaab79f6a45827e57b8fdc59d6909cc3c134329dde004d4d0615686a2e19af95c21f670eb962c242145c35b40383fdebabe8085b

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
59KB

MD5
9c81021a070a49df377fdb75c0109430

SHA1
231e484ae5271ffebbc8a27a0b7b398d26feac9c

SHA256
a002f4f263f984d51e429997040544aea7d4e56822242a5252203a7aa9fdb659

SHA512
dc43c7073a5c37ff8ec6c6ea3f61a1a8a1b5d6dc2f2353358d2f2c3a55e394128482b47250246d0660fa0bcd71e1fc0be7740d6a6619d73b63cf7d32d09208b9

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
59KB

MD5
cc7594882e8192ea3321cb3c1448a46f

SHA1
cfb1143448b9ddfc1efb53556201144354692029

SHA256
14687d247a32455c31e1c325000d9af83ee217c24f553f4b018bf9b28bd2b32e

SHA512
5f0ba200be94edcf71913dff03579219773c31e76d24c9d70f7df4fd1f5aa173d1231af230a19993e700e3c8c6628cfb945d65639c8e15fe65800e659131070e

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
59KB

MD5
ce923370d5c4ca2b2b24ee6735ee7895

SHA1
f542a71315ee024b88413fec5e9925fd8ab2653a

SHA256
36ec0058f7aaad563ad73d0ec4b5bae8edc5e94a20fdc7abf239b6ada0f752f7

SHA512
8602ba3af172adf80e5822dab17d75c98db1935ab88ec89892edc98325d2f7434a973b57d7f5360f66f8e0dac6b9bd8517484c207a31a41cea76a617988ef417

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
59KB

MD5
a8383ce3a0bf2106c36ba7990276b4d1

SHA1
1ac822d7ef2b7e74e0483cab1aab5c4344c005fc

SHA256
a5a8cb4009a5211b581b29203422c7939f83f4a995d5b57df44cb59e8bce5471

SHA512
d37a92f2d88e7fa249babca6fc33b881bdc305b1d1f11460215c8a66ecc7a3ca4d2058b5c0df83b11ccbc89ff37028608ea84433c0ae6f5942c2d3e021f16f8a

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
59KB

MD5
c516e2189b0b3dd7b041c52430ee74eb

SHA1
c6d1e9bf3cc4b5c9e9f06aca8280fa30889a8ba1

SHA256
77c3dba695362b0a97c6da4909878e9a82aa0d6eb10e13df9a8460c4a37a47ee

SHA512
f09b2e11c0a46ea59a6522a2b5dc152afb30f816c527690ba535d990dd945e3897e544c8cb93ad3480c18bb9cf8628c5729827fc6271764c877d6c5a39b81fc0

Download Submit
memory/8-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/116-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/360-583-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/432-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/508-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/736-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/800-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/880-504-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/904-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1028-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1088-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1240-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-561-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1396-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-534-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1444-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1540-547-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1692-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-541-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-568-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2160-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2296-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-576-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2368-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-569-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2472-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-589-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-535-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3020-562-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3152-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3300-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3372-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3540-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3584-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3760-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3772-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3788-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3896-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4040-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4252-480-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4308-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-522-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-486-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4376-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-582-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4528-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-575-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4592-548-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-528-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4664-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4676-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-554-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4840-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4844-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-555-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4968-498-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5000-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5056-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5104-510-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads