berbew | 8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
Size

481KB
MD5

de2917a0255ca27b0dcb7721e67ff1ea
SHA1

19b64dcd376f3ff6ca638b253d60d8be6328973b
SHA256

8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb
SHA512

0abbc6920d527499f2490462bf6afac0d220d69e7a77afea5e2c79e6e9cb272fff09088da55e0597bce1fa42957b0762623beaeaa0e26993bde2d98b034654b2
SSDEEP

6144:j9XakS8ZfByLhNF/FM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:JXakS89wNxFB24lwR45FB24l4++dBQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmlcennd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dffdcccb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpcljnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llpcljnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlefngkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chhdlhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leihep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknlbmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhdgeai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpdklo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjhdgeai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcgopjba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njifhljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdmpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqdqbaee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdmpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amkagb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcgopjba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgiodlqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjemgal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libgpooi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojbinjbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcbdgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agniok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoeaili.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndinalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnmcnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndinalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjjheg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmddma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmcnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmlcennd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkdmia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqonpdgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjbcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopijpab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpgoig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlllof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhdlhfe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpjmla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dffdcccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbhocegl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmbmlmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agpedkjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chehfhhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmbmlmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogdmaocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqknlbmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djmgiboq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aamchpmk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1888	Lbhocegl.exe
1624	Libgpooi.exe
1268	Llpcljnl.exe
3504	Leihep32.exe
2972	Llbpbjlj.exe
4520	Ldjhcgll.exe
928	Lghdockp.exe
4352	Lekekp32.exe
4216	Lmbmlmbl.exe
2484	Mpgoig32.exe
2712	Mcfkec32.exe
4564	Medgan32.exe
4824	Mlqlch32.exe
4940	Ngfqqa32.exe
4832	Npoeif32.exe
2160	Nlefngkd.exe
228	Njifhljn.exe
1188	Ngmgap32.exe
4336	Njlcmk32.exe
3624	Nlllof32.exe
2752	Ofeqhl32.exe
2016	Ogdmaocp.exe
2184	Ojbinjbc.exe
1524	Oqonpdgn.exe
3960	Oqakfdek.exe
4528	Pcbdgo32.exe
4516	Pcdqmo32.exe
1344	Pjqeoh32.exe
1892	Pqknlbmp.exe
4184	Pdhfbacf.exe
2240	Qqoggb32.exe
472	Qgiodlqh.exe
3892	Qdmpmp32.exe
336	Qjjheg32.exe
2440	Aqdqbaee.exe
4628	Agniok32.exe
4040	Amkagb32.exe
3856	Aqfmhacc.exe
4332	Agpedkjp.exe
1548	Anjnae32.exe
2364	Acgfil32.exe
972	Afebeg32.exe
960	Aakfcp32.exe
3088	Ageopj32.exe
2540	Ambgha32.exe
3732	Aamchpmk.exe
868	Aclpdklo.exe
1444	Bmddma32.exe
3020	Bcnljkjl.exe
5100	Bjhdgeai.exe
4104	Babmco32.exe
4952	Bfoelf32.exe
4972	Badiio32.exe
3316	Bgnafinp.exe
2648	Bnhjbcfl.exe
3952	Bebbom32.exe
3916	Bhqnki32.exe
2816	Bmngcp32.exe
3104	Bcgopjba.exe
3956	Cnmcnb32.exe
1340	Chehfhhh.exe
2696	Cnopcb32.exe
2460	Canlon32.exe
4440	Chhdlhfe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jkbmmb32.dll	Llbpbjlj.exe
File created	C:\Windows\SysWOW64\Aqdqbaee.exe	Qjjheg32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpdklo.exe	Aamchpmk.exe
File opened for modification	C:\Windows\SysWOW64\Bmddma32.exe	Aclpdklo.exe
File created	C:\Windows\SysWOW64\Bfoelf32.exe	Babmco32.exe
File created	C:\Windows\SysWOW64\Badiio32.exe	Bfoelf32.exe
File created	C:\Windows\SysWOW64\Ageopj32.exe	Aakfcp32.exe
File opened for modification	C:\Windows\SysWOW64\Bcnljkjl.exe	Bmddma32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngcp32.exe	Bhqnki32.exe
File opened for modification	C:\Windows\SysWOW64\Chehfhhh.exe	Cnmcnb32.exe
File created	C:\Windows\SysWOW64\Bmfnfooo.dll	Cndinalo.exe
File created	C:\Windows\SysWOW64\Cepnqkai.exe	Cfonbdij.exe
File opened for modification	C:\Windows\SysWOW64\Llpcljnl.exe	Libgpooi.exe
File created	C:\Windows\SysWOW64\Egckpjdo.dll	Cenakl32.exe
File created	C:\Windows\SysWOW64\Nodiig32.dll	Dffdcccb.exe
File created	C:\Windows\SysWOW64\Cllnlemd.dll	Libgpooi.exe
File created	C:\Windows\SysWOW64\Lmbmlmbl.exe	Lekekp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjhdgeai.exe	Bcnljkjl.exe
File created	C:\Windows\SysWOW64\Diikmo32.dll	Mpgoig32.exe
File opened for modification	C:\Windows\SysWOW64\Ojbinjbc.exe	Ogdmaocp.exe
File opened for modification	C:\Windows\SysWOW64\Canlon32.exe	Cnopcb32.exe
File created	C:\Windows\SysWOW64\Dffdcccb.exe	Dmnpjmla.exe
File created	C:\Windows\SysWOW64\Enfamfpn.dll	Oqakfdek.exe
File created	C:\Windows\SysWOW64\Hjekkmnh.dll	Afebeg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgap32.exe	Njifhljn.exe
File opened for modification	C:\Windows\SysWOW64\Pcdqmo32.exe	Pcbdgo32.exe
File created	C:\Windows\SysWOW64\Keqnmjbl.dll	Mlqlch32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeqhl32.exe	Nlllof32.exe
File created	C:\Windows\SysWOW64\Qjjheg32.exe	Qdmpmp32.exe
File opened for modification	C:\Windows\SysWOW64\Aqdqbaee.exe	Qjjheg32.exe
File opened for modification	C:\Windows\SysWOW64\Acgfil32.exe	Anjnae32.exe
File created	C:\Windows\SysWOW64\Bmddma32.exe	Aclpdklo.exe
File created	C:\Windows\SysWOW64\Cnmcnb32.exe	Bcgopjba.exe
File created	C:\Windows\SysWOW64\Lbhocegl.exe	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
File created	C:\Windows\SysWOW64\Pjqeoh32.exe	Pcdqmo32.exe
File opened for modification	C:\Windows\SysWOW64\Amkagb32.exe	Agniok32.exe
File created	C:\Windows\SysWOW64\Djmgiboq.exe	Cepnqkai.exe
File created	C:\Windows\SysWOW64\Ngfqqa32.exe	Mlqlch32.exe
File created	C:\Windows\SysWOW64\Aqfmhacc.exe	Amkagb32.exe
File opened for modification	C:\Windows\SysWOW64\Aamchpmk.exe	Ambgha32.exe
File created	C:\Windows\SysWOW64\Llgdel32.dll	Qgiodlqh.exe
File created	C:\Windows\SysWOW64\Ldjhcgll.exe	Llbpbjlj.exe
File created	C:\Windows\SysWOW64\Lekekp32.exe	Lghdockp.exe
File created	C:\Windows\SysWOW64\Ofeqhl32.exe	Nlllof32.exe
File opened for modification	C:\Windows\SysWOW64\Afebeg32.exe	Acgfil32.exe
File opened for modification	C:\Windows\SysWOW64\Bgnafinp.exe	Badiio32.exe
File opened for modification	C:\Windows\SysWOW64\Bebbom32.exe	Bnhjbcfl.exe
File created	C:\Windows\SysWOW64\Dopijpab.exe	Dkdmia32.exe
File opened for modification	C:\Windows\SysWOW64\Libgpooi.exe	Lbhocegl.exe
File opened for modification	C:\Windows\SysWOW64\Bhqnki32.exe	Bebbom32.exe
File opened for modification	C:\Windows\SysWOW64\Djmgiboq.exe	Cepnqkai.exe
File created	C:\Windows\SysWOW64\Ajojjcgc.dll	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Pcgfebgh.dll	Njifhljn.exe
File created	C:\Windows\SysWOW64\Fpdjfioh.dll	Ofeqhl32.exe
File created	C:\Windows\SysWOW64\Oqonpdgn.exe	Ojbinjbc.exe
File created	C:\Windows\SysWOW64\Bjhdgeai.exe	Bcnljkjl.exe
File created	C:\Windows\SysWOW64\Ogdmaocp.exe	Ofeqhl32.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhcgll.exe	Llbpbjlj.exe
File created	C:\Windows\SysWOW64\Hqmfgcnl.dll	Lghdockp.exe
File created	C:\Windows\SysWOW64\Hkhfjo32.dll	Ogdmaocp.exe
File opened for modification	C:\Windows\SysWOW64\Qgiodlqh.exe	Qqoggb32.exe
File created	C:\Windows\SysWOW64\Bnhjbcfl.exe	Bgnafinp.exe
File created	C:\Windows\SysWOW64\Bmngcp32.exe	Bhqnki32.exe
File created	C:\Windows\SysWOW64\Libgpooi.exe	Lbhocegl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	4240	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npoeif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqdqbaee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfkec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agpedkjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anjnae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjbcfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlefngkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njifhljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknlbmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkagb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhfbacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpdklo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Canlon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leihep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghdockp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgiodlqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcgopjba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkdmia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpcljnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agniok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakfcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhcgll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlqlch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlllof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdmpmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjjheg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aamchpmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnafinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqakfdek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afebeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhqnki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhocegl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqoggb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcnljkjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Badiio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoeaili.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndinalo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenakl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmlmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdgnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmcnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chehfhhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmlcennd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhagbfnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbpbjlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfqqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepnqkai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopijpab.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgnafinp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogdmaocp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqoggb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmpjpg32.dll"	Anjnae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafndn32.dll"	Chhdlhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chhdlhfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfehoi32.dll"	Ngmgap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlllof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geqfeclf.dll"	Chehfhhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cepnqkai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Domldpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llbpbjlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caoinf32.dll"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccbkfjj.dll"	Dkdmia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopijpab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpdklo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgiodlqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qdmpmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imkppcem.dll"	Agpedkjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngfqqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofeqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amkagb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acgfil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmnhqfc.dll"	Aamchpmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olheph32.dll"	Bmddma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Canlon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdoeaili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjni32.dll"	Llpcljnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lekekp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjbid32.dll"	Cdoeaili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bhqnki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lghdockp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcbdgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgnafinp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnmcnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbhfao32.dll"	Dmnpjmla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngmgap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmmaq32.dll"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcgopjba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npoeif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlefngkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjbcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bebbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdoeaili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Medgan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlqlch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djmgiboq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmbmlmbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaplbcc.dll"	Aqdqbaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll"	Cmdmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcgopjba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgedglll.dll"	Oqonpdgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlqadpo.dll"	Babmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chehfhhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopijpab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bacdhldd.dll"	Npoeif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkibbp32.dll"	Aakfcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngcp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1888	1656	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe	81
PID 1656 wrote to memory of 1888	1656	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe	81
PID 1656 wrote to memory of 1888	1656	8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe	81
PID 1888 wrote to memory of 1624	1888	Lbhocegl.exe	82
PID 1888 wrote to memory of 1624	1888	Lbhocegl.exe	82
PID 1888 wrote to memory of 1624	1888	Lbhocegl.exe	82
PID 1624 wrote to memory of 1268	1624	Libgpooi.exe	83
PID 1624 wrote to memory of 1268	1624	Libgpooi.exe	83
PID 1624 wrote to memory of 1268	1624	Libgpooi.exe	83
PID 1268 wrote to memory of 3504	1268	Llpcljnl.exe	84
PID 1268 wrote to memory of 3504	1268	Llpcljnl.exe	84
PID 1268 wrote to memory of 3504	1268	Llpcljnl.exe	84
PID 3504 wrote to memory of 2972	3504	Leihep32.exe	85
PID 3504 wrote to memory of 2972	3504	Leihep32.exe	85
PID 3504 wrote to memory of 2972	3504	Leihep32.exe	85
PID 2972 wrote to memory of 4520	2972	Llbpbjlj.exe	86
PID 2972 wrote to memory of 4520	2972	Llbpbjlj.exe	86
PID 2972 wrote to memory of 4520	2972	Llbpbjlj.exe	86
PID 4520 wrote to memory of 928	4520	Ldjhcgll.exe	87
PID 4520 wrote to memory of 928	4520	Ldjhcgll.exe	87
PID 4520 wrote to memory of 928	4520	Ldjhcgll.exe	87
PID 928 wrote to memory of 4352	928	Lghdockp.exe	88
PID 928 wrote to memory of 4352	928	Lghdockp.exe	88
PID 928 wrote to memory of 4352	928	Lghdockp.exe	88
PID 4352 wrote to memory of 4216	4352	Lekekp32.exe	89
PID 4352 wrote to memory of 4216	4352	Lekekp32.exe	89
PID 4352 wrote to memory of 4216	4352	Lekekp32.exe	89
PID 4216 wrote to memory of 2484	4216	Lmbmlmbl.exe	90
PID 4216 wrote to memory of 2484	4216	Lmbmlmbl.exe	90
PID 4216 wrote to memory of 2484	4216	Lmbmlmbl.exe	90
PID 2484 wrote to memory of 2712	2484	Mpgoig32.exe	91
PID 2484 wrote to memory of 2712	2484	Mpgoig32.exe	91
PID 2484 wrote to memory of 2712	2484	Mpgoig32.exe	91
PID 2712 wrote to memory of 4564	2712	Mcfkec32.exe	92
PID 2712 wrote to memory of 4564	2712	Mcfkec32.exe	92
PID 2712 wrote to memory of 4564	2712	Mcfkec32.exe	92
PID 4564 wrote to memory of 4824	4564	Medgan32.exe	93
PID 4564 wrote to memory of 4824	4564	Medgan32.exe	93
PID 4564 wrote to memory of 4824	4564	Medgan32.exe	93
PID 4824 wrote to memory of 4940	4824	Mlqlch32.exe	94
PID 4824 wrote to memory of 4940	4824	Mlqlch32.exe	94
PID 4824 wrote to memory of 4940	4824	Mlqlch32.exe	94
PID 4940 wrote to memory of 4832	4940	Ngfqqa32.exe	95
PID 4940 wrote to memory of 4832	4940	Ngfqqa32.exe	95
PID 4940 wrote to memory of 4832	4940	Ngfqqa32.exe	95
PID 4832 wrote to memory of 2160	4832	Npoeif32.exe	96
PID 4832 wrote to memory of 2160	4832	Npoeif32.exe	96
PID 4832 wrote to memory of 2160	4832	Npoeif32.exe	96
PID 2160 wrote to memory of 228	2160	Nlefngkd.exe	97
PID 2160 wrote to memory of 228	2160	Nlefngkd.exe	97
PID 2160 wrote to memory of 228	2160	Nlefngkd.exe	97
PID 228 wrote to memory of 1188	228	Njifhljn.exe	98
PID 228 wrote to memory of 1188	228	Njifhljn.exe	98
PID 228 wrote to memory of 1188	228	Njifhljn.exe	98
PID 1188 wrote to memory of 4336	1188	Ngmgap32.exe	99
PID 1188 wrote to memory of 4336	1188	Ngmgap32.exe	99
PID 1188 wrote to memory of 4336	1188	Ngmgap32.exe	99
PID 4336 wrote to memory of 3624	4336	Njlcmk32.exe	100
PID 4336 wrote to memory of 3624	4336	Njlcmk32.exe	100
PID 4336 wrote to memory of 3624	4336	Njlcmk32.exe	100
PID 3624 wrote to memory of 2752	3624	Nlllof32.exe	101
PID 3624 wrote to memory of 2752	3624	Nlllof32.exe	101
PID 3624 wrote to memory of 2752	3624	Nlllof32.exe	101
PID 2752 wrote to memory of 2016	2752	Ofeqhl32.exe	102

C:\Users\Admin\AppData\Local\Temp\8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe
"C:\Users\Admin\AppData\Local\Temp\8f168e5ef533d66ba9df51ababb1e4e2616c8bd2f76af3608bacf2cf833140fb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\Lbhocegl.exe
  C:\Windows\system32\Lbhocegl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Libgpooi.exe
    C:\Windows\system32\Libgpooi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\Llpcljnl.exe
      C:\Windows\system32\Llpcljnl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\Leihep32.exe
        
        C:\Windows\system32\Leihep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\Llbpbjlj.exe
        
        C:\Windows\system32\Llbpbjlj.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Ldjhcgll.exe
        
        C:\Windows\system32\Ldjhcgll.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Lghdockp.exe
        
        C:\Windows\system32\Lghdockp.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Lekekp32.exe
        
        C:\Windows\system32\Lekekp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Lmbmlmbl.exe
        
        C:\Windows\system32\Lmbmlmbl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Mpgoig32.exe
        
        C:\Windows\system32\Mpgoig32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Mcfkec32.exe
        
        C:\Windows\system32\Mcfkec32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Medgan32.exe
        
        C:\Windows\system32\Medgan32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Npoeif32.exe
        
        C:\Windows\system32\Npoeif32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Nlefngkd.exe
        
        C:\Windows\system32\Nlefngkd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Njifhljn.exe
        
        C:\Windows\system32\Njifhljn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Ngmgap32.exe
        
        C:\Windows\system32\Ngmgap32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Njlcmk32.exe
        
        C:\Windows\system32\Njlcmk32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Ofeqhl32.exe
        
        C:\Windows\system32\Ofeqhl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Ogdmaocp.exe
        
        C:\Windows\system32\Ogdmaocp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Ojbinjbc.exe
        
        C:\Windows\system32\Ojbinjbc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\Oqonpdgn.exe
        
        C:\Windows\system32\Oqonpdgn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Oqakfdek.exe
        
        C:\Windows\system32\Oqakfdek.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Pcbdgo32.exe
        
        C:\Windows\system32\Pcbdgo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Pjqeoh32.exe
        
        C:\Windows\system32\Pjqeoh32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Pqknlbmp.exe
        
        C:\Windows\system32\Pqknlbmp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Pdhfbacf.exe
        
        C:\Windows\system32\Pdhfbacf.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Qqoggb32.exe
        
        C:\Windows\system32\Qqoggb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Qgiodlqh.exe
        
        C:\Windows\system32\Qgiodlqh.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\Qdmpmp32.exe
        
        C:\Windows\system32\Qdmpmp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Qjjheg32.exe
        
        C:\Windows\system32\Qjjheg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:336
        
        C:\Windows\SysWOW64\Aqdqbaee.exe
        
        C:\Windows\system32\Aqdqbaee.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Agniok32.exe
        
        C:\Windows\system32\Agniok32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Amkagb32.exe
        
        C:\Windows\system32\Amkagb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        39⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Agpedkjp.exe
        
        C:\Windows\system32\Agpedkjp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Anjnae32.exe
        
        C:\Windows\system32\Anjnae32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Acgfil32.exe
        
        C:\Windows\system32\Acgfil32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Aakfcp32.exe
        
        C:\Windows\system32\Aakfcp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Ageopj32.exe
        
        C:\Windows\system32\Ageopj32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\Aamchpmk.exe
        
        C:\Windows\system32\Aamchpmk.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Aclpdklo.exe
        
        C:\Windows\system32\Aclpdklo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bmddma32.exe
        
        C:\Windows\system32\Bmddma32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Bcnljkjl.exe
        
        C:\Windows\system32\Bcnljkjl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Bjhdgeai.exe
        
        C:\Windows\system32\Bjhdgeai.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Badiio32.exe
        
        C:\Windows\system32\Badiio32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Bgnafinp.exe
        
        C:\Windows\system32\Bgnafinp.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Bnhjbcfl.exe
        
        C:\Windows\system32\Bnhjbcfl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Bhqnki32.exe
        
        C:\Windows\system32\Bhqnki32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bmngcp32.exe
        
        C:\Windows\system32\Bmngcp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Bcgopjba.exe
        
        C:\Windows\system32\Bcgopjba.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cnmcnb32.exe
        
        C:\Windows\system32\Cnmcnb32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Chehfhhh.exe
        
        C:\Windows\system32\Chehfhhh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Canlon32.exe
        
        C:\Windows\system32\Canlon32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Chhdlhfe.exe
        
        C:\Windows\system32\Chhdlhfe.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Cdoeaili.exe
        
        C:\Windows\system32\Cdoeaili.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Cndinalo.exe
        
        C:\Windows\system32\Cndinalo.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Cenakl32.exe
        
        C:\Windows\system32\Cenakl32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\Cfonbdij.exe
        
        C:\Windows\system32\Cfonbdij.exe
        70⤵
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Djmgiboq.exe
        
        C:\Windows\system32\Djmgiboq.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dmlcennd.exe
        
        C:\Windows\system32\Dmlcennd.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:476
        
        C:\Windows\SysWOW64\Dhagbfnj.exe
        
        C:\Windows\system32\Dhagbfnj.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Dfdgnc32.exe
        
        C:\Windows\system32\Dfdgnc32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Dmnpjmla.exe
        
        C:\Windows\system32\Dmnpjmla.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Dffdcccb.exe
        
        C:\Windows\system32\Dffdcccb.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\Domldpcd.exe
        
        C:\Windows\system32\Domldpcd.exe
        78⤵
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Dkdmia32.exe
        
        C:\Windows\system32\Dkdmia32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Dopijpab.exe
        
        C:\Windows\system32\Dopijpab.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 424
        83⤵
        Program crash
        
        PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4240 -ip 4240
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agniok32.exe

Filesize
481KB

MD5
881df8495c43f906a53d813175ea6aa7

SHA1
d4fe568acdd8d3c712f4c2a1f192f38351ac6e56

SHA256
b902091b8513460ec7f1e42cec325218fbe8ef55d4ab4cb2aaa6d481c97a5692

SHA512
61084aa79ffffec3ab56ac4cc02c320b067586048c5f3fa45325eaad11d910bdfb780e3318718e4fba31beb4f5a246dc328835cfb20c7e2c7adf0d9dd030cb88

Download Submit
C:\Windows\SysWOW64\Aqfmhacc.exe

Filesize
481KB

MD5
7bbbe77560529a1c0f5ee871e37815ad

SHA1
2d0f5485f5942710ea79b65318faef2d46c61db0

SHA256
6c8c1be90eb510368713accaf2a8b716c1e0536f6edcbafe9c47f7d7a57feaf0

SHA512
e214a16467e7704b3641043b1b5c4750a4260590d8bd8dd55c02527931dc813a12919ec74766f00e4ed8bd195a469ff5b265b7c4507111cb0640fa8ee1d0bd18

Download Submit
C:\Windows\SysWOW64\Badiio32.exe

Filesize
481KB

MD5
59c9d29f2477f351fa288502a1b178d7

SHA1
9e00785250e0d5355adbad8769485064a34ba33a

SHA256
6d27294f0a8fc373a6131bdcd4640274907faa12bf9a232273eba943737e3fe8

SHA512
feb62f16ff7dd7fae31e9a0213d698515519920dd929c74f02434fad592d57b2c3473381851ecb2482884a2fc7f0a52d94172c0be0cbad5b649b094bb700dc20

Download Submit
C:\Windows\SysWOW64\Bcnljkjl.exe

Filesize
481KB

MD5
fdea2b9a06868a1647298ff5da66e961

SHA1
519ced8cf5054bc78d48916c3289b05d82f0c0f9

SHA256
4eabc0450197295ab5e2fc2815f7424deddd2d03708b1d8fcf3b98970707b597

SHA512
d01e4ca6f63f2049ca62e6afc51508fa4b5a89ad46020a104f9c276b91aa2f00c4d65d79a554e44ba0766f13fb4abbc0e21a148e03399ad87ab9183db7cd33c7

Download Submit
C:\Windows\SysWOW64\Bfoelf32.exe

Filesize
481KB

MD5
fbbe76bc6414db374f2ce0594bcc72c8

SHA1
bfe1f38e6fcdfe295cee25f06966e09f935f1c6a

SHA256
3c7584fc5aac626b79926ac8903af34bb59cd1116a8365f3be3cc04ef671227a

SHA512
ec00f86259bbb943533603edf98398899575e8490092dae16f96805b4bffefd0eeee19f993d3eb251f123b33db05938d38a901e0bd25f23a7c7e25ee9d121fc7

Download Submit
C:\Windows\SysWOW64\Bmddma32.exe

Filesize
481KB

MD5
f4e437dbd4eced8813a303079b720f1b

SHA1
cb5d22ffec5673723ecc544f71cf5c070ab1258e

SHA256
1944d6a1ee1ea4620b0535db81fab00aa45c668dcf76cada6f06fb7c0a73477d

SHA512
1c78b98c6a4ca5f36381d21dccb8e790e08e31adae5bfdd88d72af1e6e64abab99fffa47b09d440d7745ee82f2b95e6469402c292d2a2391a1f27c26ee3f5bae

Download Submit
C:\Windows\SysWOW64\Bmngcp32.exe

Filesize
481KB

MD5
3ea6a14b6d1b6a22d365bcb9b13757ad

SHA1
d67ad04cf2dd10337cf1d3916de3adce0dfca39f

SHA256
59bc3c4f007bbfe9cdedcae80b9749845b730c63306eaaf5fd06c4e84cfb7101

SHA512
08ca03c2b0b91c5dabc605cb1cd97893923259a77e79532fed9026375c831a732426e12e810670452f7c53751fb5112b81f0db1838240ac0c96fefe811315f35

Download Submit
C:\Windows\SysWOW64\Cmdmdo32.exe

Filesize
481KB

MD5
7ed17141d3c1ba43d235d82142aaf72c

SHA1
ec956e753a6026189e03735aa7c491f590ab965c

SHA256
00c5e4b8f97de9ec09aae9f08eca7e7744dfd8f5f248f509653bdad851d2dfed

SHA512
d9082189b9f67b58dd75b040442b8d652e730840a0d5f2e2d0ddb6fc5261760c00f35dd3f0cba3f9f581bded25f6fab8fb98905ffedac78f6ae57c12cf04d7f9

Download Submit
C:\Windows\SysWOW64\Cndinalo.exe

Filesize
481KB

MD5
516b7959273e60040fa0f0ac60401a96

SHA1
64b6ad6f74de36e0e20f25f967fa826966c569f8

SHA256
02695b472e26de1f3e76fe7a4c175d4a34a01abd5ef73091224ee997ed714bcf

SHA512
698d67181ddc52ef6e5d0a13dc9d2be3b95052aaaef553998393d5cb94d746337a7801960696fa4f1a58ce5b5b2d17704a8d53d5add50bfcac0ce3b1081b922c

Download Submit
C:\Windows\SysWOW64\Cnmcnb32.exe

Filesize
481KB

MD5
1df2e0f7e9e95c2c17627fb7108199e7

SHA1
a78c7052a49b75d665d7f4b0cd64b70b6ab08935

SHA256
d2ecd4fccfd329acebaa56a00901dcbc945f905fe92768e73dd279c63709fe2b

SHA512
f08539713da13a5d41bce6517bff08edab192a3bbe6a817c8f15124de5c0f415ada9a604017f60d1e368f1037be3367aa29eb7f373dd7fa19d88ce84a772ec13

Download Submit
C:\Windows\SysWOW64\Djmgiboq.exe

Filesize
481KB

MD5
616488fd3bd2ac5d43d96dba6e05e971

SHA1
6fc0b2078748dfc6d81e067473632eaeddc9da15

SHA256
2c1a292fe37e64cb81acf920cb1cfccc613f6d0c05ffd4604bd57287b12baeda

SHA512
44e3108783cea31457e921b3206d44cad03092f2ca13548ec517c10a76bf8efab83d30117a1f7951953549f27a005a16cd69149f278d3696f7c217ea83458436

Download Submit
C:\Windows\SysWOW64\Dmnpjmla.exe

Filesize
481KB

MD5
3ed61cda729191fea270984ce06354c1

SHA1
5a229764eb6aa27bf45523badf10a2f0d2bf755f

SHA256
18b311241d6b179f9d3925e74b70130bb5648aadec9e51d5b50086611daca608

SHA512
5cb65d7251276dee8e494c0773b013f1f8b6f7476c037a67a4cd56ec71359245714c3c258ff3f4fa029f720a04ff4d63c82043959530487378529d1fd6d329c9

Download Submit
C:\Windows\SysWOW64\Lbhocegl.exe

Filesize
481KB

MD5
f1810738c4c4b3f3cd0417471b8d2371

SHA1
84087d2d5b1e52d4a184623be077e53a1a3384d4

SHA256
113694a1100510b2d0a2c3cf02c3f4f86fdb302216ebfc0bfbf039a69e87fe71

SHA512
cac3321515d6a3c615b5dc23df9d06640de0e841ecbba26fe44b27d2ac4561a7b7693e27f7563ec89866d9ff48edf9aa3acac04a3b89c47513f0d42c9bb1f669

Download Submit
C:\Windows\SysWOW64\Ldjhcgll.exe

Filesize
481KB

MD5
6fdfc9852c63aa1e0e72df2babc49e81

SHA1
667eb63bd15f173cd5d3c9baada6f9b61c6c759f

SHA256
41dba712e30aa795100f563f705ded6afeaa963ec83e4e45fb903d16801a9942

SHA512
0ffdbb2f7ca732d0d2195630a2f23ceecdcf63d84689304cca2e44be7a5990141496c8bc8d99bb9466b0661700c88107de7a7480f04037bd454ac2a004733f7b

Download Submit
C:\Windows\SysWOW64\Leihep32.exe

Filesize
481KB

MD5
df7c83b713fcb442eefe5b02e7362157

SHA1
cdf119e53f68ca5b90ccd60dfe7f21cae8e82f1a

SHA256
76f6031189f2dd7112e22098c6859aa662b88069aa84f8a41b6764114336ab88

SHA512
f12460646e67d1a5c4584394e3b60bc908e5e81401690f99b3d88d9305c3315ccec7960ad6abcc5500afa0705bd266f899504f19ecc3d5bd10cca760a8b7e9c5

Download Submit
C:\Windows\SysWOW64\Lekekp32.exe

Filesize
481KB

MD5
9cb18c32e30ed382b9d8a962b78b103d

SHA1
fe501b0d2d1c44205ff0c256727d2913723244be

SHA256
06b30541ead585f3e5fc369156a7c7e0d7b8e05371a8f8fd29c84d03c978c084

SHA512
284a76ea2dadf9049106f66421f4aeebbe68ad7bcada5bc8362d668c9e67ed37c0b6e65f1fe45831ff97f71b2608a7c1024b372749ff2f40cf1888ddd9544881

Download Submit
C:\Windows\SysWOW64\Lghdockp.exe

Filesize
481KB

MD5
d15243af1d3802106b756e57c28c6047

SHA1
e9f44aaac7234405cb154fe117f783d7aa962e8b

SHA256
dae9b5780358709456cc59c74be8189a3af81dde5f0c2152c20d2f129d10bdb8

SHA512
9e2642ab09f789fd3e0481c9f45e740208b7a9a041c675229cfe2baf2e6f4dd2b916fddfcf973aab267305e71c445923fbeb71ec6bcf0052863a7126ab2500d8

Download Submit
C:\Windows\SysWOW64\Libgpooi.exe

Filesize
481KB

MD5
65dbb4906bcfa315420047c29f1155fe

SHA1
019a905cdda566e8fa8536c94c740df88021de00

SHA256
666560c9fe6b60667a5c071579c4eade8c1b1aeb2f6700e36ca4a431418f7803

SHA512
7e20964e41f582799b6160a8a7f56c6b0b3a3a0976e43995b73873326c142b2a591cf2666088bd7c78b1518d699a86d9033e4ac6964e27da2a6bc323e0503530

Download Submit
C:\Windows\SysWOW64\Llbpbjlj.exe

Filesize
481KB

MD5
ad7f56a8f599c0a4b668b95b8b6c2400

SHA1
b187c92664175ca1297ebdcdf9036ad72f1f13c2

SHA256
c7fad1c079bf7c4484877cc7d417cd126291bf970f67cf52b6ba8ee65932b069

SHA512
ec2922bf42f7f8cb39c78fa5e80a73229931f365413d56c9281af3eff94facb0e6bbd993caa059710a916b63b16ea6374d7af55e05f201054f2d3ad29877c504

Download Submit
C:\Windows\SysWOW64\Llpcljnl.exe

Filesize
481KB

MD5
399b2fe7c65bd1ef0fbc7582457a60ac

SHA1
c237d0f33f2777cd122515e5561af8b98d441064

SHA256
c84c00a0f364c460549566185de22ffba8fe7395922b236cf23da164d30c69e1

SHA512
49e6669c55fa29da810b3cfcde095198a38fa512cb6bdc2e28663e337a504cda21d644e5508dc4456dc4693e3b8cee6ff598c4f0998b6dbfde7b1a5b0057201b

Download Submit
C:\Windows\SysWOW64\Lmbmlmbl.exe

Filesize
481KB

MD5
4dad70c71130ea58e2adaa38355b7c81

SHA1
0088bbf6a54a535477b0dcdebfd36d6b75228356

SHA256
fa5ab755700b55b8b5f0970d31095d05f542b54d1aac7159206e95dc6e79d0a0

SHA512
44207d60a9664331a387acb759964f4d92b77117e4aef4420ee468520ef2560152f04de99ad01349d7be87a1607bd337d5709ef9986fc5e79a9a8fb56943d3a2

Download Submit
C:\Windows\SysWOW64\Mcfkec32.exe

Filesize
481KB

MD5
3c7ed9ed45016f010c2a5dcf999d7799

SHA1
a089a441a59ea0bd666869467c06a986a1115c5d

SHA256
dfd806724893a5b515161c5b855cb2efda083a1c77e3f3d7036f7fa32eab3ace

SHA512
97e67bcb0ab028c3eaca80b227d5849120ea44bf51c30dbfd36cf2360c29d1ed5e51a40a1e6559ca043d00dd5ad92e65355729ca1438940097faf09d1da99f68

Download Submit
C:\Windows\SysWOW64\Medgan32.exe

Filesize
481KB

MD5
e58eee0c273bbb7944631597dc843ebd

SHA1
5e30683ae6b8b435bc004484bdde0e0840c2f33d

SHA256
ac94bce3e9a043cfd4ba0dc1538bc25b81b95d8a8a55534201eb84aec8e5a462

SHA512
6f0d7113190822f57f069243f221917af79acaa784f363bf59c090ab18b674ddd0a19df373236b9a4c7a060cfc517dff7d836861be8d2805d3b7711d1e0c4ed0

Download Submit
C:\Windows\SysWOW64\Mhjlkk32.dll

Filesize
7KB

MD5
056f96ac4e00c3a28a192b2192f6de24

SHA1
5a8305302fc70332431980004d16366016a0c43b

SHA256
30c1d504f30be7837a8b6009f8ede91d2a150806b0044473e8f163c2fea1d8f1

SHA512
2eecfa76e59eded1f3ee7e6d8d27eacf75b32f4180e1c7db5b9fe2c71a30012f5ca8c1615e13e09d12a3fbe5f8fd6bd631a7d91318696d2077b6caf7e4ac347f

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
481KB

MD5
e57a85615021fb67baaf881409172ab8

SHA1
a319b298d063c929180fde0e50ad02e72bb1e445

SHA256
f4f83a90654482737bfb39d2ece27166829b69465597500a4983d9125be4d62d

SHA512
e2cb32e54384585333208518398349a6e6e5031001bf8babe9d903ef5ac3ed7f4e06790e2f14cd9b23be1dbd7417919b19ce004cc2305591673b106b4959b62a

Download Submit
C:\Windows\SysWOW64\Mpgoig32.exe

Filesize
481KB

MD5
6dbd79af16b0038149f5ef4b7cdcde37

SHA1
f0e6b8e0dc430513bad8ebe9ca8d2f678ba9ae7e

SHA256
ac25dabbce6cdfdb820e5d8c126f7045cc24e9a8a7f8f444a8bcc54331d5c008

SHA512
5f4609a25c1b5eaa1a54585ef5c07ec75ec7b5c688c49af63e994306acd5fafe3e41b2307d4d417b7fff5a56af93d7396b0bb088e70e024991cda803d4edb548

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
481KB

MD5
4d7275c26e7b20d81447ceccaf8950ef

SHA1
ed789835b15e863719df7e45200169fbc76e9dbe

SHA256
c55a62516ee30a00e8c032c31ff00e0f19cc3071f621bd4cb9b8ed2b7563c5e3

SHA512
0eb70d3afd5d983193f4f2cc585fe45bff5a28b75a9336629aed2d5e0d1ec8cc2db33389c6a0d3bbc8cfecbaddc853530eb384061f874ddce65644e205fd4acf

Download Submit
C:\Windows\SysWOW64\Ngmgap32.exe

Filesize
481KB

MD5
24b701d2086f7fae3ded3a0082f57912

SHA1
e609b206ad25e6471786d5f071c8e82e3d9a6a84

SHA256
be57062b3c369ac1f7b8b20499b0e18bfc00421cf5b27919e4a3f8b361189023

SHA512
9da49b64cca001e330776cd35290b8e37a11ce41815ddb0ee5e6b735116f28116387cfc4f4c0eef6c67e40d8074a9d2baffae087a6b6cb0698f4a9032e7397a2

Download Submit
C:\Windows\SysWOW64\Njifhljn.exe

Filesize
481KB

MD5
426071cb6941c2ba669a94983501820e

SHA1
2ffc6d8e16fda74d00efe252329002abf2cc60a8

SHA256
51e7c0791ad2b6f2ac551ce8cf9676123d15572ca8d9e3e7fc61e6986b65e77b

SHA512
1cae9a47a17ca4500fbed6f753c2c13a2c43c885d594328d9d01883f7ef21efedc7e0cf04528c91a0257fe0dab3fae63ec3dc92c9e51c192d575311000307e6b

Download Submit
C:\Windows\SysWOW64\Njlcmk32.exe

Filesize
481KB

MD5
0c3a336edeec8677b2015bf52e6bbbf3

SHA1
02092a07e0bf30fe6931f2eecbb77d366268333c

SHA256
a01b94c003e7555f2fa8bfa74851a0103d4fa640aebff453b121585624c1f774

SHA512
2a4f917425909ffcb62772b627d7e523b3d80574b9e1c60f51ae6d58375f291c785e3b59bb428d28681dc403c70d6ccf553da854ee72c96437c8ec8e4aa850c4

Download Submit
C:\Windows\SysWOW64\Nlefngkd.exe

Filesize
481KB

MD5
bb90897352276a42946e6c5a4830f934

SHA1
3fe19a9f0d53fc7c2aade5522f9beb9abb4e354b

SHA256
5c8ea9f856a3061bbebe2e4657ea27ba2354177003f95ba7a2d931536cbc4c9a

SHA512
ed1fb240fd1d7c8df408150e378812ecf07252c616597d59756b278a221a5ccaacfd22210100bc86cb9e207715902b80d1fd3fbf08775da84c5d22847e288edd

Download Submit
C:\Windows\SysWOW64\Nlllof32.exe

Filesize
481KB

MD5
9e51e5dc636ff19153607dce5197a52e

SHA1
7555db4f0a5d44786665dfaf4f172820401515c1

SHA256
12e2b180d13742a8c3d7b8815d05775eb55af3fe16c3e66e65ac0fecb33aec9e

SHA512
d0f7250206dd2fed42a508f8fd093a635382ac52a98da1215c6d4627eac8698a482fc06d670eb77a4e569420ba4f5e1d8f6348b85e2da687fc507c796d7ba86f

Download Submit
C:\Windows\SysWOW64\Npoeif32.exe

Filesize
481KB

MD5
2ad1ae1a9cb208c28905c493a97b36d2

SHA1
95edcd576935304b5c23f4e8e9ebbdfbd6bd64d3

SHA256
2631a2173136c26f2473af3408e9cccd253f5f0bd5e1ab524b9c7fdf7a9152f7

SHA512
16a4da05ba2b0a9bf3dda687f68a42d5b2b595287eb6bf81e658af51fff6c54ea0c046d14c16167dee7ccdac2206f65358bc3d94a58525f19d36e7484e395f18

Download Submit
C:\Windows\SysWOW64\Ofeqhl32.exe

Filesize
481KB

MD5
29a5b2084d4506764d1d8253ec13b7ed

SHA1
49752bfe7dc6acfdd79188787e98123b31316f72

SHA256
8d89e290571991e59d443d3df06cb83b8c008525a6b49578d9d46d715b5d1d14

SHA512
403a54b82fa57638bad9930b068308b41fd5a3142d08737c4d6531d2a52ec9be3562b42201162fb7cc4c8937200a5a3a243fffa530ae67112b2cd00e99c49d47

Download Submit
C:\Windows\SysWOW64\Ogdmaocp.exe

Filesize
481KB

MD5
f57a5920116f7f3fd7d052f0acc42a8a

SHA1
17a9b7457d4a591ca757c4b7702a056dfc878338

SHA256
437af411c9a8378b1fc50d0c48d6675d7e191b887030426bdd13f67a593096b4

SHA512
2baf79d90fd620d8fd355f227b864728c97a42be06e55c4a40b227eff23599c035d8722ab62c90e63f29484943b990d984804e6a2a6f986da5c4c8cfa04bf809

Download Submit
C:\Windows\SysWOW64\Ojbinjbc.exe

Filesize
481KB

MD5
0b59a321151ee14c6c9d50e7500d99b7

SHA1
e8880884434a8b1cdd645b3a736a43bec04a8789

SHA256
9f9347111982eda5c6f200b0fa538eea343bbbf44a2b30854e9cc9570f6a0b15

SHA512
375856c45df49097ecfeefa3f27193acec3177a89188ac095cd2de98a184c3646a007a9e7bb216c0f3783384ddc2de05de1c87d17440760915cba47834eb775c

Download Submit
C:\Windows\SysWOW64\Oqakfdek.exe

Filesize
481KB

MD5
dccaed1ad513f18a822f76c8eb8906c8

SHA1
4726ee221902d8705c1eb64aee8db85a83d8b10e

SHA256
559cce1023b2be69db77c751c44c7e2cea5376808ab60318e85ef55a83cb40c3

SHA512
afb9e7cc02afc9e20b5df3e0d8d4240b5020d26e063bc98cbd5e188374a1adbf1ffd7054ce97d40cabc7f850182a197ffca4c53db4f1882dcfc214abb97348d3

Download Submit
C:\Windows\SysWOW64\Oqonpdgn.exe

Filesize
481KB

MD5
34600db999775feeec63aa46da72acde

SHA1
967be52870eb517afd7a1e8a9ffebbd5c2d53e9e

SHA256
118b1f560e8cc72806f0176441f620efa65ddf7370920f67544e63dcd7e13671

SHA512
7b92df28d3eeb03b05e9a17af4163b114618751e17651367cf63e46b4e8f6efbd4351306c4b8f354868aaf03dbd65dc0dc2847dcb425621c2e8c114982c6ba98

Download Submit
C:\Windows\SysWOW64\Pcbdgo32.exe

Filesize
481KB

MD5
c96725ae44f10cdfec6fb5b9d8b88fd0

SHA1
a260acfdbee6142dcf65ecd9669b536480071157

SHA256
e3ddd9f4129415f2f2361c6e57ec6dc0f28632eb4ac793dbbd515f36d83f8916

SHA512
075d9f173cc449228b0dd833fb5803d11c1b23fdaedae861356899a5a0195d1b336ec4a9fd7eb2b2ed32457a57451e70423c47089dcf26c4be051faf51eeb073

Download Submit
C:\Windows\SysWOW64\Pcdqmo32.exe

Filesize
481KB

MD5
b30144eec326bad884c746165afda931

SHA1
6d58ec6cc71703b69e6f539e44e9e26ecc62ab09

SHA256
a5469f03c191682bd8f34926788d00eca3b1c5024eb9feef930c928563bdc9ff

SHA512
93cf8cd4d725d31c7c349db77d30688f986b7ae4b0add36a0bea340ab02156a790f18e23b97bd1847fea806dfb3f42c67d0bd31163dcf80e9659fd3d20663e7d

Download Submit
C:\Windows\SysWOW64\Pdhfbacf.exe

Filesize
481KB

MD5
ac52103a4e844c57de3610b81f7ea059

SHA1
09d5ea22ec07130ef76366787c485adf5712cfc3

SHA256
aad2597e78e8871008125ea59ba7a96b84895835a725e4ab639ec22ecf00624a

SHA512
2196a23f9f2e193584c1b2f8c0f321d9998d9dd5446e8436b500db8c9461c346ca6f0c951b9eabb5d0f9ed527381734e9bf01b5e3a5d9dbaa4cedbe0447f8976

Download Submit
C:\Windows\SysWOW64\Pdhfbacf.exe

Filesize
481KB

MD5
a81197b4445f5ce68a9cc35d7eeafcf6

SHA1
39180deca4751d68ccc1b4c28be0f34c5e33cb15

SHA256
9df2d0548b5a218cbac77dc11b36488d4d030af9e1469a433958399acd1ece15

SHA512
ce80354314f3d7a625412564cd8a9416e16900d67561beda148967a42bfdc89690149181d30efa8e911a9c9b1c3f1870c0ea53c7546ef9646a4d05d395a326de

Download Submit
C:\Windows\SysWOW64\Pjqeoh32.exe

Filesize
481KB

MD5
d83d6b2251134080a3dcb5fe8048fee5

SHA1
e6eb4d5c3f73473d4d841d3493669a359883cb0c

SHA256
8f5acdaa87cc3a0d8e6c13ce8a8c7cc13bbad5116824d00e6964c5693f74d1f5

SHA512
ddaa5060f5f714a24fd80f7df4da9b38c749e62dc8a27a3a43b1047de8ccdc487824ce4359cc2aabaff923ec4ad71423349bb83d68abe7e19c98eb082e16408c

Download Submit
C:\Windows\SysWOW64\Pqknlbmp.exe

Filesize
481KB

MD5
aaf040a763e855daeba4bd4669bf9ba3

SHA1
96b7f98c68b18198c20c218be4b705112732b086

SHA256
3af60efc875a0f08ab5a95afefc63216aa2b667705b647b0ee4a2b87661c1035

SHA512
75aa86766d28372eaa637521d01197fa6d457ae67a5b9c8c8a293f46b3385e82da04d0e28f5fb1a2c071e54b2e027e5bc3ef01969659ef4bf0c5f0f4ac6fe4dd

Download Submit
C:\Windows\SysWOW64\Qgiodlqh.exe

Filesize
481KB

MD5
3ecb1c196394912474a762dd18bbefd0

SHA1
6ec2259340e1479cde715ece848b5fd607aed309

SHA256
9eabdd88cbc5129fd996e2f8f2c2f2b26e3071496b0df2d7b1693d23e6a79a43

SHA512
9a4908aa4536c792b9e410afaf1e6b3b34d6746da104fb2b3c968c1190832b800a7aeb2f91176b11c127ac71d56e1f9edce69d51795ecc39d17d6bc1322d7e08

Download Submit
C:\Windows\SysWOW64\Qjjheg32.exe

Filesize
481KB

MD5
45e3fd1b0df6d856a4f19cb35823615b

SHA1
55457d6f7dab506cd26b8ad1a62d9d5fd7458394

SHA256
041da776d90fb82ed23e778966ee4dbbb72d5226bb79ad465cf835ba7d9c1ee2

SHA512
25f1fc7f5fe72e3af34e17e08397ba15b3d096658eea72ebd3043f4618887b0af6b4803607c3b94f2ca9556f001985559c7f3411237fe399d87c79f31e59d905

Download Submit
C:\Windows\SysWOW64\Qqoggb32.exe

Filesize
481KB

MD5
d4b98560e0333531d21cc4d348a7a480

SHA1
3f5a621a965fa13359e99ca5bdff364397ffb2fc

SHA256
bd24039d4d4af4e089519aa5f91cff6ffb8ce7417ed799ca2826bda17b5b6160

SHA512
b4894d7d816d56823037fa99e2639fdfb8998dbc64d7ab088ee4b3a1164bc473a52cd61d86545352db4ff0d189773629faecf0b7524f5d464a4ca93f9375f623

Download Submit
memory/228-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/472-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/476-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/476-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads