berbew | 90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7

Analysis

max time kernel
93s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe
Size

72KB
MD5

32d900432871992b2abb0ce47fa1cdc2
SHA1

994e6f05912c5efdce3190a8fa7a8392d9bbcf7c
SHA256

90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7
SHA512

79e1e4d781f1ba75419562edabfa6999325aa1e1988d28cd78360d80bf5b477ed722f6a9e61fc1bf77b76dda8aa3a899c9d2fc7cf90bb3d4e5d149f7dd5cb2a8
SSDEEP

1536:Ua7UjPWSu94fS7Cq1UnV6000000000000009u4NPgUN3QivEtQ:WPWFhWA00000000000000NNPgU5QJQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pccahbmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fealin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocjiehd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnlkedai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jokkgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncqlkemc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omnjojpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chdialdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omnjojpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmeigg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oanokhdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emanjldl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnoiqdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifomll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adhdjpjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Felbnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gehbjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkmjjaa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3100	Emanjldl.exe
4616	Felbnn32.exe
4624	Fflohaij.exe
3484	Fligqhga.exe
5096	Fealin32.exe
4980	Fechomko.exe
1808	Fiaael32.exe
1108	Gehbjm32.exe
5012	Gifkpknp.exe
3204	Gbnoiqdq.exe
1400	Gmfplibd.exe
4544	Geaepk32.exe
1912	Hipmfjee.exe
3492	Hoobdp32.exe
540	Hfhgkmpj.exe
5104	Hoclopne.exe
3292	Hlglidlo.exe
5056	Ifomll32.exe
336	Igajal32.exe
1752	Igdgglfl.exe
2404	Ilcldb32.exe
2000	Jekqmhia.exe
4784	Jocefm32.exe
2892	Jgmjmjnb.exe
3076	Jokkgl32.exe
2864	Jnlkedai.exe
4216	Knnhjcog.exe
3452	Kpoalo32.exe
4996	Ncqlkemc.exe
4380	Nmipdk32.exe
5088	Nmkmjjaa.exe
4588	Npiiffqe.exe
2560	Omnjojpo.exe
2964	Oplfkeob.exe
1324	Ojajin32.exe
3236	Oakbehfe.exe
4928	Ombcji32.exe
648	Oanokhdb.exe
2608	Oghghb32.exe
4628	Omdppiif.exe
3404	Opeiadfg.exe
4120	Pccahbmn.exe
4652	Pnifekmd.exe
4712	Pnkbkk32.exe
348	Pdhkcb32.exe
4104	Pffgom32.exe
2316	Pdjgha32.exe
2192	Pmblagmf.exe
1680	Pdmdnadc.exe
4116	Qmeigg32.exe
4088	Qacameaj.exe
2176	Afpjel32.exe
2088	Afbgkl32.exe
4820	Apjkcadp.exe
4384	Adhdjpjf.exe
2320	Adkqoohc.exe
464	Aopemh32.exe
4132	Bhhiemoj.exe
1560	Bobabg32.exe
2932	Bhkfkmmg.exe
2516	Boenhgdd.exe
4828	Bdagpnbk.exe
4976	Bogkmgba.exe
2572	Bphgeo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dojqjdbl.exe
File created	C:\Windows\SysWOW64\Kofmfi32.dll	Oplfkeob.exe
File created	C:\Windows\SysWOW64\Cajdjn32.dll	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qmeigg32.exe
File opened for modification	C:\Windows\SysWOW64\Jokkgl32.exe	Jgmjmjnb.exe
File created	C:\Windows\SysWOW64\Nmipdk32.exe	Ncqlkemc.exe
File created	C:\Windows\SysWOW64\Kpoalo32.exe	Knnhjcog.exe
File opened for modification	C:\Windows\SysWOW64\Igajal32.exe	Ifomll32.exe
File opened for modification	C:\Windows\SysWOW64\Pffgom32.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Bobabg32.exe	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Dafppp32.exe
File created	C:\Windows\SysWOW64\Gdaklmfn.dll	Fflohaij.exe
File created	C:\Windows\SysWOW64\Binlfp32.dll	Kpoalo32.exe
File created	C:\Windows\SysWOW64\Pghien32.dll	Coqncejg.exe
File created	C:\Windows\SysWOW64\Cklhcfle.exe	Cdbpgl32.exe
File opened for modification	C:\Windows\SysWOW64\Emanjldl.exe	90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe
File created	C:\Windows\SysWOW64\Hipmfjee.exe	Geaepk32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Adkqoohc.exe
File created	C:\Windows\SysWOW64\Bhhiemoj.exe	Aopemh32.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Fligqhga.exe	Fflohaij.exe
File created	C:\Windows\SysWOW64\Jchdqkfl.dll	Nmkmjjaa.exe
File opened for modification	C:\Windows\SysWOW64\Oplfkeob.exe	Omnjojpo.exe
File opened for modification	C:\Windows\SysWOW64\Oakbehfe.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Konidd32.dll	Fechomko.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Gjecbd32.dll	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Okhbek32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Oakbehfe.exe	Ojajin32.exe
File created	C:\Windows\SysWOW64\Ilgonc32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Afbgkl32.exe	Afpjel32.exe
File opened for modification	C:\Windows\SysWOW64\Bobabg32.exe	Bhhiemoj.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Chdialdl.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Cdbpgl32.exe
File created	C:\Windows\SysWOW64\Ckjinf32.dll	Gifkpknp.exe
File opened for modification	C:\Windows\SysWOW64\Jekqmhia.exe	Ilcldb32.exe
File opened for modification	C:\Windows\SysWOW64\Oanokhdb.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Hoobdp32.exe	Hipmfjee.exe
File created	C:\Windows\SysWOW64\Ncqlkemc.exe	Kpoalo32.exe
File opened for modification	C:\Windows\SysWOW64\Apjkcadp.exe	Afbgkl32.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bhhiemoj.exe
File created	C:\Windows\SysWOW64\Gbnoiqdq.exe	Gifkpknp.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bhkfkmmg.exe
File opened for modification	C:\Windows\SysWOW64\Omnjojpo.exe	Npiiffqe.exe
File created	C:\Windows\SysWOW64\Ilcldb32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Hicakqhn.dll	Jnlkedai.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Boenhgdd.exe
File created	C:\Windows\SysWOW64\Mdkgabfn.dll	90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe
File created	C:\Windows\SysWOW64\Epopbo32.dll	Bhkfkmmg.exe
File created	C:\Windows\SysWOW64\Dddjmo32.dll	Pmblagmf.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Akcoajfm.dll	Hipmfjee.exe
File opened for modification	C:\Windows\SysWOW64\Fealin32.exe	Fligqhga.exe
File opened for modification	C:\Windows\SysWOW64\Hfhgkmpj.exe	Hoobdp32.exe
File created	C:\Windows\SysWOW64\Jgmjmjnb.exe	Jocefm32.exe
File created	C:\Windows\SysWOW64\Pdhkcb32.exe	Pnkbkk32.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	Pffgom32.exe
File created	C:\Windows\SysWOW64\Lmnbjama.dll	Pffgom32.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Hojncj32.dll	Emanjldl.exe
File created	C:\Windows\SysWOW64\Jnlkedai.exe	Jokkgl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5128	4608	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlglidlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkmjjaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jocefm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knnhjcog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpoalo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Felbnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmfplibd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emanjldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hfhgkmpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbgkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fechomko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnlkedai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkbkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhiemoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fealin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifkpknp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifomll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boldhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fligqhga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgmjmjnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chdialdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igdgglfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghghb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmeigg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fiaael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoclopne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jokkgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hipmfjee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoobdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oplfkeob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gehbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omdppiif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chdialdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cajdjn32.dll"	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Adhdjpjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npiiffqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfoel32.dll"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boenhgdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoaeldi.dll"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfokn32.dll"	Gbnoiqdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knnhjcog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apjkcadp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajimagp.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobifpp.dll"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dojqjdbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fligqhga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fealin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll"	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Felbnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogmlp32.dll"	Hfhgkmpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Bobabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimhbfpl.dll"	Fligqhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilcldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbek32.dll"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afbgkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjinf32.dll"	Gifkpknp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll"	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igajal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgmjmjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpibgp32.dll"	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhqndghj.dll"	Boldhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmfplibd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fechomko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igajal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adkqoohc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emanjldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll"	Pnifekmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igdgglfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkbkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jocefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpicj32.dll"	Npiiffqe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3100	3508	90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe	83
PID 3508 wrote to memory of 3100	3508	90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe	83
PID 3508 wrote to memory of 3100	3508	90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe	83
PID 3100 wrote to memory of 4616	3100	Emanjldl.exe	84
PID 3100 wrote to memory of 4616	3100	Emanjldl.exe	84
PID 3100 wrote to memory of 4616	3100	Emanjldl.exe	84
PID 4616 wrote to memory of 4624	4616	Felbnn32.exe	85
PID 4616 wrote to memory of 4624	4616	Felbnn32.exe	85
PID 4616 wrote to memory of 4624	4616	Felbnn32.exe	85
PID 4624 wrote to memory of 3484	4624	Fflohaij.exe	86
PID 4624 wrote to memory of 3484	4624	Fflohaij.exe	86
PID 4624 wrote to memory of 3484	4624	Fflohaij.exe	86
PID 3484 wrote to memory of 5096	3484	Fligqhga.exe	88
PID 3484 wrote to memory of 5096	3484	Fligqhga.exe	88
PID 3484 wrote to memory of 5096	3484	Fligqhga.exe	88
PID 5096 wrote to memory of 4980	5096	Fealin32.exe	89
PID 5096 wrote to memory of 4980	5096	Fealin32.exe	89
PID 5096 wrote to memory of 4980	5096	Fealin32.exe	89
PID 4980 wrote to memory of 1808	4980	Fechomko.exe	91
PID 4980 wrote to memory of 1808	4980	Fechomko.exe	91
PID 4980 wrote to memory of 1808	4980	Fechomko.exe	91
PID 1808 wrote to memory of 1108	1808	Fiaael32.exe	92
PID 1808 wrote to memory of 1108	1808	Fiaael32.exe	92
PID 1808 wrote to memory of 1108	1808	Fiaael32.exe	92
PID 1108 wrote to memory of 5012	1108	Gehbjm32.exe	93
PID 1108 wrote to memory of 5012	1108	Gehbjm32.exe	93
PID 1108 wrote to memory of 5012	1108	Gehbjm32.exe	93
PID 5012 wrote to memory of 3204	5012	Gifkpknp.exe	94
PID 5012 wrote to memory of 3204	5012	Gifkpknp.exe	94
PID 5012 wrote to memory of 3204	5012	Gifkpknp.exe	94
PID 3204 wrote to memory of 1400	3204	Gbnoiqdq.exe	96
PID 3204 wrote to memory of 1400	3204	Gbnoiqdq.exe	96
PID 3204 wrote to memory of 1400	3204	Gbnoiqdq.exe	96
PID 1400 wrote to memory of 4544	1400	Gmfplibd.exe	97
PID 1400 wrote to memory of 4544	1400	Gmfplibd.exe	97
PID 1400 wrote to memory of 4544	1400	Gmfplibd.exe	97
PID 4544 wrote to memory of 1912	4544	Geaepk32.exe	98
PID 4544 wrote to memory of 1912	4544	Geaepk32.exe	98
PID 4544 wrote to memory of 1912	4544	Geaepk32.exe	98
PID 1912 wrote to memory of 3492	1912	Hipmfjee.exe	99
PID 1912 wrote to memory of 3492	1912	Hipmfjee.exe	99
PID 1912 wrote to memory of 3492	1912	Hipmfjee.exe	99
PID 3492 wrote to memory of 540	3492	Hoobdp32.exe	100
PID 3492 wrote to memory of 540	3492	Hoobdp32.exe	100
PID 3492 wrote to memory of 540	3492	Hoobdp32.exe	100
PID 540 wrote to memory of 5104	540	Hfhgkmpj.exe	101
PID 540 wrote to memory of 5104	540	Hfhgkmpj.exe	101
PID 540 wrote to memory of 5104	540	Hfhgkmpj.exe	101
PID 5104 wrote to memory of 3292	5104	Hoclopne.exe	102
PID 5104 wrote to memory of 3292	5104	Hoclopne.exe	102
PID 5104 wrote to memory of 3292	5104	Hoclopne.exe	102
PID 3292 wrote to memory of 5056	3292	Hlglidlo.exe	103
PID 3292 wrote to memory of 5056	3292	Hlglidlo.exe	103
PID 3292 wrote to memory of 5056	3292	Hlglidlo.exe	103
PID 5056 wrote to memory of 336	5056	Ifomll32.exe	104
PID 5056 wrote to memory of 336	5056	Ifomll32.exe	104
PID 5056 wrote to memory of 336	5056	Ifomll32.exe	104
PID 336 wrote to memory of 1752	336	Igajal32.exe	105
PID 336 wrote to memory of 1752	336	Igajal32.exe	105
PID 336 wrote to memory of 1752	336	Igajal32.exe	105
PID 1752 wrote to memory of 2404	1752	Igdgglfl.exe	106
PID 1752 wrote to memory of 2404	1752	Igdgglfl.exe	106
PID 1752 wrote to memory of 2404	1752	Igdgglfl.exe	106
PID 2404 wrote to memory of 2000	2404	Ilcldb32.exe	107

C:\Users\Admin\AppData\Local\Temp\90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe
"C:\Users\Admin\AppData\Local\Temp\90378c64076269b7997469c5d54c9e401328b340164763d9dc536dd2bb68f4a7.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\Emanjldl.exe
  C:\Windows\system32\Emanjldl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\Felbnn32.exe
    C:\Windows\system32\Felbnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\SysWOW64\Fflohaij.exe
      C:\Windows\system32\Fflohaij.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\SysWOW64\Fligqhga.exe
        
        C:\Windows\system32\Fligqhga.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
      - C:\Windows\SysWOW64\Fealin32.exe
        
        C:\Windows\system32\Fealin32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Gehbjm32.exe
        
        C:\Windows\system32\Gehbjm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Gbnoiqdq.exe
        
        C:\Windows\system32\Gbnoiqdq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Gmfplibd.exe
        
        C:\Windows\system32\Gmfplibd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Hoobdp32.exe
        
        C:\Windows\system32\Hoobdp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Hfhgkmpj.exe
        
        C:\Windows\system32\Hfhgkmpj.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Igajal32.exe
        
        C:\Windows\system32\Igajal32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Jocefm32.exe
        
        C:\Windows\system32\Jocefm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Jgmjmjnb.exe
        
        C:\Windows\system32\Jgmjmjnb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Jokkgl32.exe
        
        C:\Windows\system32\Jokkgl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Jnlkedai.exe
        
        C:\Windows\system32\Jnlkedai.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4320
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        83⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 404
        84⤵
        Program crash
        
        PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4608 -ip 4608
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bobabg32.exe

Filesize
72KB

MD5
3ff87d4c95fb08c793ead0d4dec7d670

SHA1
05ff899bf56be15621ba696f65ee86baefe4dae5

SHA256
824b1878245bfd498ae9d6d4902d48e925553638497a8693b47777bb3803ba99

SHA512
fbc662b064f80978261e752b0008adaff317d9a87abef9b7f54871cd0c754372ce598b58954852a6e69fab6055b25e1a5375fcf4888dd41f70f74cc5dd24dd4f

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
72KB

MD5
f0fa3aa4340702fb167bc30be7f7a2fa

SHA1
5fab291a6981c0252f43aaf6de4aeee67d064f5b

SHA256
05174963bcd64d703037400877ba71ca4a5bb1fb533d3b54242c054ebbe9f4da

SHA512
4544f9a0debae85848dc0795cfcea5291bdf324442865439e95d8a8e5f4f09953d0002ea69800ba0d38e13c59cf44163afa3c34c93f43ad7483edf193dd78379

Download Submit
C:\Windows\SysWOW64\Emanjldl.exe

Filesize
72KB

MD5
82064857e0e3cbea97a971a88ff6f2fd

SHA1
58a41fc7d8c306209935afb13e93341c112fb5f6

SHA256
405612c4e0097dd458e823975483a4329dacf6a9899d88bda64c5699740e123c

SHA512
da5aaaf1c8a9c1480d841a56c2159bb78568bc86df1c68d07c97b5a9f9ed57bc40cb0f5d81358d07ee7c28c1f137febf3a225b00821fc339bdcf012f8b1888eb

Download Submit
C:\Windows\SysWOW64\Fealin32.exe

Filesize
72KB

MD5
c7e9d4173b4aa5e61fc3b587122f2aab

SHA1
e5a55e6b999d29ce9477f0fffcd336512782aad8

SHA256
72da9e523b1bf02e2de96b94ef569950cbfbefd895937929b2392d4a95b0d9ee

SHA512
696e93a5f5a1329fbfe8955108f6b70a013fa1e6d5a0b24512918205f0cc00d6b061aecff0d8915639432fc71ef33432f997f8cca1b67bec951eaf07396f9d92

Download Submit
C:\Windows\SysWOW64\Fechomko.exe

Filesize
72KB

MD5
0c3fa4c175ef2179c90b5cac51a3199b

SHA1
c3db03ab96f38459273e89bcc3cfd5b81e59127e

SHA256
aad76e8588c992f50e739160548fcb2ec3b9564aca8ff74f5cc13e20c6337ccd

SHA512
1ea10e63c45f0338ff48edf9ae5e3366416eb073aed85428433405268ed799a8670f14c2a4eb6996a77af8178326a494b4b247a26d065dd510b7cf49896535a0

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
72KB

MD5
206eeaf44bd39b5687d709cc8b057e7f

SHA1
36fcc2ea41612004aca1f9bf0de743a95fb18df1

SHA256
37bcc95d310b3629c597ffcee279ccc0f993337c5ee840a988b2f20e94ed95f6

SHA512
2df28252464755b812013840c90ced8dbe5e1116d5403d06fdc9d8b1afcc78a4134e0f5aee70c3c80ca5280d8c906fc345b4e8af43e4817bebcbd0d3768f2538

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
72KB

MD5
997c9741d9364b6bc299068225759a84

SHA1
8cf4823751287c98f47bf2fc76104b842e170d36

SHA256
2a09011176414a5ae2df4e4ff85ad08422af7d15e59a553a5c852b1acac2a4a4

SHA512
406801d64849ce9c07779a29f61afc1a65d20355b027c94cd872e1e389d7dd59078b15a08478b4811cb34dfdf8e0612477a7468ff0aa7d89d965fd22c1f3cbcd

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
72KB

MD5
a749132bbafec1f663a5117606a9ba6c

SHA1
13e4fd152b58f6741e4ef6055428dbec374dfa6e

SHA256
d0cdcca11b6e0e22c43f3ebeeeb47e9021378cb3999a881ed8f948954b8c508b

SHA512
720f9f7cac522d76fc3c61ad8a9da44c0b49d98d4524811d0c601a1a7a52919e2a84c99f67f1dc01a70daa85a597678cc53de0cbfda6ea7a5ba791e8fc329a35

Download Submit
C:\Windows\SysWOW64\Fligqhga.exe

Filesize
72KB

MD5
686a5b523e54efc3d9b27af610fe2cae

SHA1
381d578d688dfbe93a48ff70a1538f17ea60f34c

SHA256
9d3c3f4db36512aac23deec7bea26971f7215532a0119f332ee40be1ea4aff91

SHA512
020b4758e8186815d4df7864ca2b3e923dc3ffd594838e1cae4635d6b5b994181f2685a86139055d4973de26f235e2f3b44dc562dda7ec423775ab8ae721861c

Download Submit
C:\Windows\SysWOW64\Gbnoiqdq.exe

Filesize
72KB

MD5
487b998129186d98800816ac41322ee6

SHA1
7722529f86f244fc5862e2da17fb43f0aa2402ed

SHA256
b0255c6c80a5f81aefb674d15d02344d645a5a1d66f37f9778f1c7e2f307142e

SHA512
659c8e721f6238e1f9f827af137008ddb46c65c5805b720b883d7be302fb036530cece85eaa5702dc6c9cd4140f14c5c0234ec8b69089b89073437e1baed775b

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
72KB

MD5
af546e7931148a9c9032b2c75d18e094

SHA1
5702c0aff1efca2dcbc971614dfa577aa3e18777

SHA256
a036998ac8bd16f28e1c62fe5261cc3bd171f7cf1fea923e4a8c828ffec17b88

SHA512
093ed61d951f869876bccb9f371d26d4de0f33034499e16185494eb86ae17f5da96847451f4ccf506e5dedd835eef224999f983249c1faf68596e299bedc5e84

Download Submit
C:\Windows\SysWOW64\Gehbjm32.exe

Filesize
72KB

MD5
fde17d6c79d8c401f259f04a380a8152

SHA1
00162689da9b41011e8373e6e4b10520b2b98375

SHA256
7a0c1fac571d819b02230884ae788c1dcdfe5235df1d1b15867135d96c269711

SHA512
3f95ba2f59c2dc63288ba7063bee3bff0c387fe3e369439b5cd97c70acf7c8890d82ebdb0bcbc8f80a15c65c164ec16496d2b07e7985a7e7803db5201090f986

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
72KB

MD5
3d1bc1e42b0ca842b12ae60a87a3eb7d

SHA1
fe61cf6ef6753154ec3b95e69b92b61031b7b4d3

SHA256
358554370729a090f7cfa377a640874c652272ff93987a800c767ca6263e48dd

SHA512
1a69d9dec55ddcc5238bad30e7021dcfaca27a62464a5b458d66de454de84c5a329310110c3e5514e76a3eef5136ac3c334c584edb24ee6757b3a7b2b7466635

Download Submit
C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
72KB

MD5
dabeb942b91ad2bb24181db282884a19

SHA1
af99d158c15cb7b7755625a6548888ce2854a953

SHA256
881c295dca4a050ea2504750a21e134315cb6f667e910ebcad111102982fee90

SHA512
3cafe44f9fd6185b1d316aed77e5e0b2351fa8c1ee02122467f6eee55e4772a98c7a65f9237df9839f0367b051055593106254496ef8497a3a4a35922187bc59

Download Submit
C:\Windows\SysWOW64\Hfhgkmpj.exe

Filesize
72KB

MD5
1523139d84ef79517a0ee1a702ada36f

SHA1
48cd04755857aac042c45ed8d3380dad65344082

SHA256
56f87e1fcb2ccf9d966c62ec3c8d5a432672607920c8fcc55b68a82226d128d4

SHA512
ddd6f23e8d0c160193a0552d15996bd046a151414a320be2c6de3ec3c01a06962c1e463dbe95319ad83dac0504218e005ca0422c0322086676dd14d42d437dea

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
72KB

MD5
f1ef25a54b7382d20c4f2565cd76ec7a

SHA1
472820e7071cc6cd1035f849d48f576c8baec7a6

SHA256
29b8ab89bba7e7f9b07bbf0d62ae7ffd82e2c0963ce40f07b6f21c4795300a58

SHA512
8d8a7762bd6b309f83190b1721ee3d08b39717222628573713f08f74b43b5b45ad77ce40659c0678a9aaac7c5e265de5c2ac54ed3d4b9e01f363f6757eb7f7ed

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
72KB

MD5
e41ab2793b62f734e6e4c854fba59d6f

SHA1
be514513d081a27ff9540180364fb050aaca76a2

SHA256
afe4659043a6b18a6de1ede6993058386cd2a01c597dd6432e561c0ad18a0b45

SHA512
f95efde745ae244e1be86ac7419b6c2a7e960a82251de71a609c4d6b5556f2290e62b60be0c3f2130d3f036dca2047ba3451b77ed7c186616b0279dcf007d472

Download Submit
C:\Windows\SysWOW64\Hoclopne.exe

Filesize
72KB

MD5
7d5d4b3ede4404d8db1f154b4cdfcdcc

SHA1
7c10b4ff9b95516ad9605d6f2ad518fd674c3149

SHA256
4c0674c757f1910d24ce9347bd9fc7f414f0c98a88c5d2d02855d7fa2d1ed7bf

SHA512
0309e3d016a1b1c271e8f7152b4f15891889793fee65a9dc56f24902274b6fa2184686e55198305c01f4ae47fe1ba713d80f4c36c2799ebfe22942c253ed0bec

Download Submit
C:\Windows\SysWOW64\Hoobdp32.exe

Filesize
72KB

MD5
e706c0e9b7c2d899b2c6d5c07bf07b1d

SHA1
90fd0114b4b4634e51e72ed58cdce2cab6cc9482

SHA256
5aa0aa9f6eaab1b90646b9e6c3ffed83d046b132d1a8899fd3a8c0e9f6fcd87b

SHA512
73d179a3ac03dc1561d732f385d55d54a16eddfcb7f6b35e08ad2b9d09df4500d9d278a68f500f7686a62c18e21b12705d6730d1b1ea99b13230bcfe7851fd07

Download Submit
C:\Windows\SysWOW64\Ifomll32.exe

Filesize
72KB

MD5
42e313e1937ec3cfbd200d0dc40a1df1

SHA1
d0e709f70c85044ec96c8c8734a04f53d58ee10e

SHA256
b697c195d352835b8da63812ca3d6ec09a64f684182eb47f9b9e82c8664a516d

SHA512
43cd411d206388dd257ef53939d51df9cf09265ad5d0bca678d2e63e37ce7bff565573833cd0997daa78c11892b8c45423cc959ef47b80e9fc99e018efaa3bf5

Download Submit
C:\Windows\SysWOW64\Igajal32.exe

Filesize
72KB

MD5
e6ad60d5a660b6d71e19daf016dcec3f

SHA1
1fbd5a9e2292dda68b650a3083ea4a84c5ddc880

SHA256
409b2834cd0af83887de971f92bc8693ed7dcfcccfbb8f9657999771ff7e3822

SHA512
7d6d3d413d2cb6ed4572cf0f1ba110b7670d94781179914920d779a96fbdac287749c10b67696e25992aa34e9c40b09d689a4345a1a80ede31bf8afa40b56fa8

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
72KB

MD5
4b8578c0143cc0641a508d83463aab30

SHA1
08edc2cb30d095c878d8807778779715ac2ce1d1

SHA256
fe97f8a18df2e0789fd751eacd67c7004a2e039011f7a07658eee781cbb1a54c

SHA512
6eb12de147425f3b54542c513793bfe27599bd59db0f2bd255519ba7747a58e6338dbe31df38cacfa46e1d61537923f150051ad280e831433979c48f1274d982

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
72KB

MD5
8ea16115168c189ea5cc8b930cd45671

SHA1
0e3bf6c312fa30bb939d679c2bc8b9408ae51eb3

SHA256
58f09dbb6cd81ac4a3d1d7bb188c1c8c90bd0a229707c48e3636622ba724a26d

SHA512
c2f726a683eeb05b0a43aeae15c059bbe5622e7bc418eb261db26618a971df877a429500c12fdf6036d8086f399f970da4eb4d67b0f24fdfbd28df8194e02bf1

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
72KB

MD5
21bc1241b2c3f40c9213506c090d26e5

SHA1
e821ef6183344da369c112d2060716f9d9ed5158

SHA256
b5af9c3a30f724bcc59e7cb9edd61bbbdbb7fbfebae23b3fe473dd699a8effa2

SHA512
2bba95ce8698cbfed94779081892325ceca8f05524932c6111bf3d47b76ed02f9d65b1d04e6fdbfc08a69424121fe120eb4daba12764f93d2d962bf653b10e40

Download Submit
C:\Windows\SysWOW64\Jgmjmjnb.exe

Filesize
72KB

MD5
401a8d2811987ffd450d0e88689f47a1

SHA1
6a022aed60863466f566dac6cde8ba65dfd9d6f4

SHA256
1776eb1080c6fecccbe2a2a6b88be765693b9582afd5334dc29bbfaaf70753b4

SHA512
f839dd526e62159eaa27244ced9d18e5c8d0651fcbffd226121979601c7d8b71f4754e0978cd1bd889674554bdf31d67a8db9c17d1bdd649cd0a8fbe8fac596a

Download Submit
C:\Windows\SysWOW64\Jnlkedai.exe

Filesize
72KB

MD5
eb8e095eb4e588dd0fdad96be28c797e

SHA1
78f64eb54a93e64da841d5d609a406552ebfa7b0

SHA256
df671dfd9913125d8e9bf99123235f1e299c7aeecc035dd572adf7c9b07f9ed9

SHA512
5b669197a2108acc8dbbe768d12b2d178f26eced37fff1c5c6d2c56c6569c3d2fe41d799dcacfb266cfb606af0e33e826c008fb9de2972b8e73ff5a00b482931

Download Submit
C:\Windows\SysWOW64\Jocefm32.exe

Filesize
72KB

MD5
94fae9db06c940601cac2829f9d98c8d

SHA1
e07c73d58506cbd49ad3fb38cda08fc7bfe6a081

SHA256
2a0c7f010379eff3156fe5e77f4b0df79117ff4fada14fbe4551d7ff3160a24c

SHA512
ce28848f1f1ebeaf72b9c85d110652e413230c8aafad4c1daf005596821fe889d7f7d76d31b3ee9a01f555b838dff81f2906af58940be813e069c244809510c9

Download Submit
C:\Windows\SysWOW64\Jokkgl32.exe

Filesize
72KB

MD5
3a0fec66acce1ed8888d4a9e85e61f98

SHA1
5ff271b5d5646419ad2163e6c1393c08c44b1ea3

SHA256
d0c0bfb17fabf0866b9f737270a8cb7b7f7c1c5eaa90b6f7857a1f723aa49c9f

SHA512
4d94dbc3709eb5d2b8568a745c2b19227b79d6902a94a33448cc96f75134ead944b589cecdcf0cbda46ae6d16fadd013929810f1e7254208f59cdfcb278c44d7

Download Submit
C:\Windows\SysWOW64\Knnhjcog.exe

Filesize
72KB

MD5
c43dcb4e3f0c7704243087a98650c01e

SHA1
75faf6d9249414d16918604120c2d5a48930fc3e

SHA256
b80e4f64ea11f48bdf0d6fd2904e16c40690c329ef5e8c24e7b91430bc16a460

SHA512
d620293e22b232970712ee3e12213cb724be7300733dce9d1d023ef6c3c2558fe57de34cedcec4652dff7760bd1866e7c404dab946ce9d5658d630bb998230f7

Download Submit
C:\Windows\SysWOW64\Kpoalo32.exe

Filesize
72KB

MD5
45185e918ea4041fe3a88f8251c28338

SHA1
feb46cd66a25a8ac7f9aa5af2c300a67b0cba9d9

SHA256
2cce5416fa4b4ce248af928170d3b47d13c50b088b286562f243bc75159bbec2

SHA512
8dbe41664a9d992ebb7ec4c5cfd2748d9d0c829480079bc4c041f31af87c89cd4f58a0a5c4ea5fe908759634676306095c1a40f460fc245e0f6ec713b07fa6d4

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
72KB

MD5
96df92fa2b3583b37458ff0af6d5f290

SHA1
c97c284d9c2bed9ce91aee9c0147f7831bd6e9d2

SHA256
aa2201bd6cf11eef8760e788e0222dc052675cb89eba0a761fa5f56324b334e8

SHA512
016a1cbda7cd31be6917c06f3afe2cf49d6a50126f5fa455e480dad5d729e7ef8b6ac2d2ed09601292405455fb36b0cbd3ece8d7e5a53a03d8b772d08a36bfb2

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
72KB

MD5
5581e2a72006847df7731c0903e84e66

SHA1
ba27aa5497de246e93b70787eceaf762094a3d6b

SHA256
a87723a2ecc4de5ca12431d6cdad7b42a2e69d30ca8695e6a958bc6cdf7fbea8

SHA512
1c97760b6c68a58565c7a275eedb0b64efa2b604ef79df6588f96612bcac690f5ed2c04bd9d475bde96facd4579dd19e439fd553dd598b60b1f9aabc12f7279c

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
72KB

MD5
0123253a346ff5521d92b91ed033ec4e

SHA1
b6a0a225c2230ba72ee6389b59b1b9694dcce23b

SHA256
5997ec4db127b6f5a013e7d976be6ace2200b3c59143d9d7675a3532fb97e026

SHA512
0a018f3530fda717e883a043f53474a3f6eee96b47866a8810ad49ba1c3a5691d1269229fa48506ac7e13570b617f131865d6e41ec8d7478f9462aca188aa29a

Download Submit
C:\Windows\SysWOW64\Npiiffqe.exe

Filesize
72KB

MD5
18216a30bcd11a6381de6c56eda90471

SHA1
963ce812356eebb4c7823eab5fdca16e4da98529

SHA256
23bc6825dea2bfbf9f72ac8d75ac9504f97041887bfc4058eb6c915a3c6cb737

SHA512
ff03199dd7c140f57cfff744faf2c0ce64a6c2dce012361842126b33628d2cac2e37b499bac69c38a73f2ef36fa2d9a74ec208e715cfb89d60f7329bd77afaf7

Download Submit
C:\Windows\SysWOW64\Pdmdnadc.exe

Filesize
72KB

MD5
ef5063ca61295f793a9adc8ab51853da

SHA1
141634aa86fbaefb70c58c230fdf03bbfc46dae8

SHA256
b2cfe7332550934d4b32ce0d0ace1390023e9dd2642dadeda837660c4cd15ee3

SHA512
c96d446e29c413ebb0afc1c9d80c3495274ce83ce5d760250a5b3b9b3468099b609ace917eb3163fc871886773501b81f4956a15394cdfadfd34ff8abe7801c4

Download Submit
memory/336-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/336-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/348-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/348-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/648-325-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1108-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1324-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1400-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-391-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1752-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1912-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1912-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2000-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2000-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2088-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2176-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2192-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2316-379-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-291-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2608-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2864-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2892-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-297-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3100-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3204-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-308-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-372-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3404-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3404-404-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3452-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3492-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-405-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4104-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4104-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4116-398-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4120-347-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4120-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4384-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4544-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-284-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4624-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4624-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-354-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4652-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-360-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4712-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4784-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4784-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4820-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4928-319-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-331-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4996-253-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5012-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5012-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5056-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5088-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads