berbew | 7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
Size

90KB
MD5

740ad45ae16ba44b1b7b19a9c91f2a90
SHA1

8a0463432817a86c6939fbabbe6c0792a568890b
SHA256

7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529
SHA512

78a51242c493cdd778f2e06971107d741d1337d94e790c1716ce9aad8ac02dfb2bf2d6c5571d6bd5e67c15bfdf17a1577f2697bf6bdd856563ecfd2473334278
SSDEEP

1536:Ybi0C90Kc3v7Ga/p0bkiI9yVnQQC4fl8k/7TZPN:oMG77/p0bki83T498a7TZPN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
740	Npcoakfp.exe
1864	Ngmgne32.exe
4656	Nngokoej.exe
1448	Nljofl32.exe
4588	Ncdgcf32.exe
4160	Njnpppkn.exe
464	Nphhmj32.exe
3576	Ncfdie32.exe
1944	Njqmepik.exe
4928	Nloiakho.exe
4876	Ncianepl.exe
4916	Nfgmjqop.exe
232	Nnneknob.exe
4220	Nckndeni.exe
2436	Njefqo32.exe
4756	Oponmilc.exe
3928	Ocnjidkf.exe
372	Oflgep32.exe
1460	Oncofm32.exe
4784	Opakbi32.exe
1732	Oneklm32.exe
2704	Opdghh32.exe
1592	Ocbddc32.exe
1416	Ojllan32.exe
5080	Ocdqjceo.exe
3380	Ojoign32.exe
4940	Ogbipa32.exe
2208	Pqknig32.exe
1676	Pfhfan32.exe
4892	Pnonbk32.exe
1584	Pqmjog32.exe
1796	Pggbkagp.exe
4284	Pflplnlg.exe
3932	Pqbdjfln.exe
4468	Pfolbmje.exe
528	Pdpmpdbd.exe
1476	Qmkadgpo.exe
2652	Qdbiedpa.exe
4968	Qjoankoi.exe
2096	Qcgffqei.exe
3840	Aqkgpedc.exe
3372	Ageolo32.exe
3940	Ajckij32.exe
5012	Ambgef32.exe
3956	Agglboim.exe
3340	Amddjegd.exe
700	Acnlgp32.exe
3992	Andqdh32.exe
2884	Aeniabfd.exe
3156	Afoeiklb.exe
1252	Aminee32.exe
60	Accfbokl.exe
1364	Bjmnoi32.exe
1108	Bnhjohkb.exe
3444	Bagflcje.exe
1080	Bfdodjhm.exe
1888	Bmngqdpj.exe
3312	Bchomn32.exe
2860	Bjagjhnc.exe
2152	Bmpcfdmg.exe
2084	Bcjlcn32.exe
4336	Bjddphlq.exe
2216	Banllbdn.exe
2340	Bclhhnca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Nckndeni.exe	Nnneknob.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
208	2604	WerFault.exe	173

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 740	5108	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe	82
PID 5108 wrote to memory of 740	5108	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe	82
PID 5108 wrote to memory of 740	5108	7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe	82
PID 740 wrote to memory of 1864	740	Npcoakfp.exe	83
PID 740 wrote to memory of 1864	740	Npcoakfp.exe	83
PID 740 wrote to memory of 1864	740	Npcoakfp.exe	83
PID 1864 wrote to memory of 4656	1864	Ngmgne32.exe	84
PID 1864 wrote to memory of 4656	1864	Ngmgne32.exe	84
PID 1864 wrote to memory of 4656	1864	Ngmgne32.exe	84
PID 4656 wrote to memory of 1448	4656	Nngokoej.exe	85
PID 4656 wrote to memory of 1448	4656	Nngokoej.exe	85
PID 4656 wrote to memory of 1448	4656	Nngokoej.exe	85
PID 1448 wrote to memory of 4588	1448	Nljofl32.exe	86
PID 1448 wrote to memory of 4588	1448	Nljofl32.exe	86
PID 1448 wrote to memory of 4588	1448	Nljofl32.exe	86
PID 4588 wrote to memory of 4160	4588	Ncdgcf32.exe	87
PID 4588 wrote to memory of 4160	4588	Ncdgcf32.exe	87
PID 4588 wrote to memory of 4160	4588	Ncdgcf32.exe	87
PID 4160 wrote to memory of 464	4160	Njnpppkn.exe	88
PID 4160 wrote to memory of 464	4160	Njnpppkn.exe	88
PID 4160 wrote to memory of 464	4160	Njnpppkn.exe	88
PID 464 wrote to memory of 3576	464	Nphhmj32.exe	89
PID 464 wrote to memory of 3576	464	Nphhmj32.exe	89
PID 464 wrote to memory of 3576	464	Nphhmj32.exe	89
PID 3576 wrote to memory of 1944	3576	Ncfdie32.exe	90
PID 3576 wrote to memory of 1944	3576	Ncfdie32.exe	90
PID 3576 wrote to memory of 1944	3576	Ncfdie32.exe	90
PID 1944 wrote to memory of 4928	1944	Njqmepik.exe	91
PID 1944 wrote to memory of 4928	1944	Njqmepik.exe	91
PID 1944 wrote to memory of 4928	1944	Njqmepik.exe	91
PID 4928 wrote to memory of 4876	4928	Nloiakho.exe	92
PID 4928 wrote to memory of 4876	4928	Nloiakho.exe	92
PID 4928 wrote to memory of 4876	4928	Nloiakho.exe	92
PID 4876 wrote to memory of 4916	4876	Ncianepl.exe	93
PID 4876 wrote to memory of 4916	4876	Ncianepl.exe	93
PID 4876 wrote to memory of 4916	4876	Ncianepl.exe	93
PID 4916 wrote to memory of 232	4916	Nfgmjqop.exe	94
PID 4916 wrote to memory of 232	4916	Nfgmjqop.exe	94
PID 4916 wrote to memory of 232	4916	Nfgmjqop.exe	94
PID 232 wrote to memory of 4220	232	Nnneknob.exe	95
PID 232 wrote to memory of 4220	232	Nnneknob.exe	95
PID 232 wrote to memory of 4220	232	Nnneknob.exe	95
PID 4220 wrote to memory of 2436	4220	Nckndeni.exe	96
PID 4220 wrote to memory of 2436	4220	Nckndeni.exe	96
PID 4220 wrote to memory of 2436	4220	Nckndeni.exe	96
PID 2436 wrote to memory of 4756	2436	Njefqo32.exe	97
PID 2436 wrote to memory of 4756	2436	Njefqo32.exe	97
PID 2436 wrote to memory of 4756	2436	Njefqo32.exe	97
PID 4756 wrote to memory of 3928	4756	Oponmilc.exe	98
PID 4756 wrote to memory of 3928	4756	Oponmilc.exe	98
PID 4756 wrote to memory of 3928	4756	Oponmilc.exe	98
PID 3928 wrote to memory of 372	3928	Ocnjidkf.exe	99
PID 3928 wrote to memory of 372	3928	Ocnjidkf.exe	99
PID 3928 wrote to memory of 372	3928	Ocnjidkf.exe	99
PID 372 wrote to memory of 1460	372	Oflgep32.exe	100
PID 372 wrote to memory of 1460	372	Oflgep32.exe	100
PID 372 wrote to memory of 1460	372	Oflgep32.exe	100
PID 1460 wrote to memory of 4784	1460	Oncofm32.exe	101
PID 1460 wrote to memory of 4784	1460	Oncofm32.exe	101
PID 1460 wrote to memory of 4784	1460	Oncofm32.exe	101
PID 4784 wrote to memory of 1732	4784	Opakbi32.exe	102
PID 4784 wrote to memory of 1732	4784	Opakbi32.exe	102
PID 4784 wrote to memory of 1732	4784	Opakbi32.exe	102
PID 1732 wrote to memory of 2704	1732	Oneklm32.exe	103

C:\Users\Admin\AppData\Local\Temp\7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe
"C:\Users\Admin\AppData\Local\Temp\7bc9f4ce3a31aa8edccae2d605726736206b3cda95edde73e587753ff538b529N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\Nngokoej.exe
      C:\Windows\system32\Nngokoej.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:528
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1252
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1108
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        81⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3844
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        87⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 404
        94⤵
        Program crash
        
        PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2604 -ip 2604
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
90KB

MD5
dcdde0bb5717ca946276c6950cff6494

SHA1
54fe1b2b364cc29dc1e742fcf47b54dc4afd3bd9

SHA256
b3c5d0adb30133aad9f5aa764962d989313bb1ce77c85b214c1a2c5cbdb9edd5

SHA512
42e44712e6884b3c83b9b549d52cb4c3c018ef2c45e4214860ec98939bcd60978f8eca52c44f3fcca2c961553d1789201c9032c62492e15bc26ed3bcbddf35cf

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
90KB

MD5
211da474574a3cda83f80996396ec5c3

SHA1
a469477471809ccbb908511bfd1f1011443d8471

SHA256
77bf7af2cfff74540a64eec3743d64c0a036ebfe830d1e3feaeede77c6e95ef7

SHA512
22a183b71b4c2b993858e153c21d073e5530857f3186a9a3b13e97936be144f33447fdd232d1f4c6eeadf869fe5ca61716ed00af2d932ca4fcf59d6102eaf65a

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
90KB

MD5
36754fef57a6b2553379f7c05c1c2df7

SHA1
6dd958d0ede5cabac05ca287c35f2ef30085c183

SHA256
bf6f3dca85b2692e4519594f5fbc80c552fee49fc36d4eaef64a0a6d723f95fc

SHA512
64951927dd6b9687fb7483a80f73c0a8fc3a0927f131fe2dbff526c08ec6080e4d213d7fc0cd53bfff2d4a69052a4157c1dc38a99409666bb16f77d6951e6eeb

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
90KB

MD5
d1fed1ad7424801b04db07fb1b3460e3

SHA1
e1f5867e4fe10ec0fd0a71bb216f404b144c6e07

SHA256
56ceccabba802982e6ce580909c99097dc76a9189d1c86722e3eb7d6b3bad386

SHA512
825a5628217f460273ee338930a8ade9e4b98c932765ada553851410bd02a40610c2d493a7f23b3a8eb03662b73daeb0e2e7c0e4d7bdbd0264e20a60f866c400

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
90KB

MD5
0cbce91e397b5991cfdef15ee5bb479f

SHA1
41019a22a34fed65abb9ba403cb67aab895f2e43

SHA256
6c32a75e2423a66302478a0f2ec03aeaa7b1f0b8f1fd5be8fb980b0eae7a0716

SHA512
aece1d7bae6a9990dbc001078409def925eef0b4f62c64571fa99db20935ebf8ec3a60a31d703ed60679bc4e6cff800dc12f07878706f362917f2c5088adec27

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
90KB

MD5
203c193395fd7a068f5c32c69329b628

SHA1
3ea0b3e4f3351c9678235ec1fea841f93849a254

SHA256
4aa367dcb2eddf75023f556f049bf768a42e8ce32a0696a742245997b0c3bf9e

SHA512
0115cd664b2ab2961bb975ed0254af688f0472e2d2443229dc4d1452e1ddd168a50a75d96f465425e2866580f9f1d331140699bf5093048fe8b71cc3b6c4c155

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
90KB

MD5
b6555ad7b274dd6867f7cdb9c1cd3161

SHA1
c529b18cfa950c5885a9da19e445986928cbee6e

SHA256
897243895870db7aa65d6d67b1a4aa1771c65e2f34652f623aa98a18df042c08

SHA512
1e4e9df810cfd8c0f871e86f6859552e0440414c87e5dadfbc7ddfa6eaa112e3e5072109afda6f479e5c2b2861924efb1c47478cb6506981e1909569499333d1

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
90KB

MD5
9c08439c46a442399c019adc0635da0d

SHA1
ea0a81fe9972c0cc912e9a154db547ec2ab0e30d

SHA256
2f8edc4df6e9f6f56d4fa86f5173fde7978db897925aad8a18d5b61447b92ea9

SHA512
c3c5aca120aa38d1e266536fa65124b35e7cd4f3f6f7ef648cc20ce92dd98e138bd86b1d40408a0db61aedad152d2c31eff6d0ec75471a1d08adbe5afe2f32c4

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
90KB

MD5
d4dd05ed7f88afafdc7a97a568546f51

SHA1
63079b075801ae73bb5596910353fb2be71a6c83

SHA256
df9a4ca5cc6fc0e7c611513b94884eda1d8039c27f4d43df6f1834ff3e1dcc73

SHA512
6619accb2017bce78bbbc403d3a486796f7d0025a527d49e79f63da5e39b7089988b7160213bab463856182514d20f0fc2663b2a15b89113ef6070b89ffb2a05

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
90KB

MD5
d66855003485aee7b7abdca8c735d6c1

SHA1
46940ec4feb00f310069b4fc257968706481e07e

SHA256
497a0d60926e928a6e2b8e5da329285259e30dd3af1e12ebe6e9ea3dd9b6344e

SHA512
1db43b9971b8cd787ead6417766b7d818dde297ac95f974314aea2ae4379b9e622d6eab6618de121b4d38d4c417328eb8316a6a4ae390f4b6579c1088ce4953b

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
90KB

MD5
df0ddd45e5a19df89417a9f2443f7ee6

SHA1
630405001d1b07123f8569ab1150be673dc4f876

SHA256
f45cc0fcf064ccc097c65cd0a03d8dbcc67ffb1132fb632e9da9efa2cb7e654e

SHA512
017d15ebeaf4ada99449e739ceef800a92f33bdcb0e74d1e05b8a0953c52199b615ebc69d75f5360e6e5773b1066a134d572621d8c7f18e0ed89c5ce22199bc6

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
90KB

MD5
8fd6e33c52f82632a84012201e70d32d

SHA1
057bee8cdd2b5f1dbf51c2dfef8ccaf3a8762246

SHA256
74a802088b891a1a33fb48df2cfb9b3ce5ddfa04bd3d488c144cf7d6fad9ee09

SHA512
9cc258f95c73d4f1b81be47e2f059ae069630d272e25d9e0c9c089bb2382a910b00d52a8c9ee7cc40d849caaa9befba13fc57626599d474bb1bba4d65fccd4f5

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
90KB

MD5
e86d61bdf5d1e229769818075aa6f5f6

SHA1
91d4b84f49e2672fd96e305c1b34b76734f806c8

SHA256
fcf4aa3d2126588a902b2064c6f5d6d59e0046f828eef93100afa70a7073fb4f

SHA512
a17b93977699822990a88375bc44f9d4cc4488ca85b480b01a9de55d285b01b7a8f8a4fd8b49ce61e53c36072566218fb1d0ebc11f130b56fc10d033947be071

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
90KB

MD5
190c40db66768154c25f057ef69da18c

SHA1
0b2515b75791b596ae85550eab7b479a24582497

SHA256
1cdedad968b0e877da5c5795ce709cd287398a0d2eb35142f24acf08d98d49ee

SHA512
7cd54860e2e1e17c1771c0424249dd7cbf8cd05949aabfc7cad4286be3e95fefb26db089dd5ce8326df69d60757d3b78c5cd28e6d41a6fa73a30ed249c9def94

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
90KB

MD5
c7bd53d180eb19ec8167a468898c287b

SHA1
2790b0e2055a02fa829a45710d20430447500d45

SHA256
a298917ebb4057316bd3603d258eac4eb6df6a8df0c75f1cda17212fe16f650c

SHA512
8353aead2ad72c6d2c36f10fa4981153e28ddb48396c483f1db9e27f562acb3fec7080ed65f2d85db468bc1856e5342be87adc1cb009c61c5b596bdac87e3644

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
de77f22d1aa96fa0fc57b4984f167a08

SHA1
5807f21a66fc1d5015bf815addd541bde2be7de7

SHA256
6cf1e28bcfcd7cd580fad87435105982a543d80b00a1203055b5eb5c63617d25

SHA512
bdf36fac6e48aa0ad5aff201185d663410bae84437423442835aa9230ed95c702aca978eddc2b2bca15d42bdf93b3eacdde9204651852e95ef349b5ab4a2faaf

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
90KB

MD5
ca9901c79e8edcf743dbe61bb325ccdf

SHA1
b17e0fad8ce91c7f8447238195baa23b99168090

SHA256
92bd192356b687cd5fe39ab596025546beb37b1dd4577286274b267fe6b573eb

SHA512
4c7d4badf114376062a15c0d9ab52b3441f3a739366ab53513c03ca3cab5c09780051cfcca2d24b605edda442cc3b30b43e86b238d2e6e4638879ec667855f91

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
90KB

MD5
d63ec313bc958ad41331b72cbd0b519f

SHA1
18ee8302401e8d89129d58ceb495e9a7d01f454f

SHA256
dfd4b779a046568c3e994b33d594683f6d4d1d686ae2d89669acc72951c45934

SHA512
68d3c8d475c18112b1ee5a6a519842bec9ae9c96b2e1440216d52209b974948592d93aa0c405c8999eb7cc4725da1736c6162b8571ec0ad2b961b8080ec8cab2

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
90KB

MD5
f14be72eebb90906b099c482cef58a30

SHA1
1557587fa6c742d7ac9e88ca7853d4ca26e67de6

SHA256
4cbda5724604623ccd559e76556508e4b5fce17431f22bed3d8d0baee417b0e6

SHA512
67ae97632e662329847c3891db4161039140c9062d3088d064a4155f52f60737056484d46d2313140ea9e5b67bbf8a65216310b084abe4b6ccefd5011c73ca8b

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
90KB

MD5
6d857bf16bb7faecab1221c938cbe850

SHA1
a90c4f1e62a3c0c6f0d47c0aee59e812cde496de

SHA256
99b2ff93a91368fe5c7c76ed858a41d1d6249961951907c79e05a23e8c1ef871

SHA512
7d1d65e8effd1d528c389df0726aa4ca3e424185cd1849d406d3d0806fb0138a225e74f8f530178c25c46581182d82be8402b6cac471023c6b72aa7e7d1b28b0

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
90KB

MD5
db6a693b7a87c193f75832fb3f431317

SHA1
4d3acb4a7610d81f11d0ab1ac5d3e997479d3047

SHA256
1ebcbb307e89e42e2a6a8dd875d528517dce6d6740e1c410e39d12791d87d64c

SHA512
076f8d00a5e993e81f762f75885054d2fcbad0d752e552fb0b2acc07a3943dfc6207dcb1f4da586dd24198c09790784f3580fc02103fea02a2116283b6f1e77b

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
90KB

MD5
6071b5b0876635f4e47f6b677e667e43

SHA1
c9324eef3c17cff24fb6537467d938ec472ee4e6

SHA256
e50ca88e21440b0c0f57de14a63343be339853434e4b23e7f0032814150906a7

SHA512
69c97127feb4f61f9cc49b86554e576117255117e8e467c3b225f27b67e36e2d9148228054904765147a4afbc3717faa064ddd6f2b4235c63e14c34af0a39990

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
90KB

MD5
8e88f758ec1724197574b37ec9c2562b

SHA1
d99bd409bfa285f4bf27295e33609438ce063e95

SHA256
15130c3a0d0838eb1fc1c97a78397f4c1ac00770e14a6427ff67663329ac8e49

SHA512
54fdbecf9fee61b10e5a3bb158305dc314a810e52328731793c5e54381701efab8741c4837739b7db60d5241f6fb5f061807c05165cf6f783c82da2b9ddcbb1d

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
90KB

MD5
7ff8d3d9480244bd44422c53c0666d6a

SHA1
f6704e76949977361d692894db68f6ca8fb3ffd4

SHA256
fd0d048d5125378ade5384587f5f11be81dfc3e5159f06dfc5eed1d33bdf65b3

SHA512
2ee43af8a9647e2c90d0eac363ddb547e6b0f6eff2d4ca47ee8e079c524f06169e10ae0bd7f6eb1aee2643c3a94353e5546ef94d1ea46e551619332530fd7602

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
90KB

MD5
214e1a11d170862eed3e124be39c9d36

SHA1
7315ad31a6460de74fdfb4c60856d121573d3472

SHA256
fdb23d74f401fde892bea1ed120dfc8196f5a19f54db83a6edd318fdafdac939

SHA512
b8e095dd03edc2a92ad66f0d380d662285fcba9e085fc0b8dea1db879490d9b00bb90a9fe4a480ef71f86e63e8062881747e8670b675a3f6ac7f136cf8fbfe57

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
90KB

MD5
6ff8dae4823b42e651f3ebee28df7a38

SHA1
9ffffc94fbc7c5147d44736ed31021b4ae5b0cad

SHA256
4931beae2c44978328a9fb204bedce898cc1540047ccf6620c1241a5da9f554e

SHA512
d30424a92e9b74217e4dfc7e7a688ee31056bdf2b4f8b411261fa7e6680c48508bda463acc083b341b4e6847bbc88ae45eb81f765de2285fdf5d05fcdb1cba61

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
90KB

MD5
fd943c019a109eeb1b72d9651ec012de

SHA1
c34a8ae483a0a826bdbab7029298fca629a459b0

SHA256
53e973c4edd35498e66073647ed205ad4a56d082d14aafda2d3e3c5c2e2a162d

SHA512
237b48981aaf241d235284363047f7c91a9ae9686d821e184f014ac6c1c0369f768ae7942ed898aa12e1ff0e7ce6cda0d33b10478ccc5ad64f94dc16999149c4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
90KB

MD5
e708fd403159f2ae53adb8fa76c98573

SHA1
259d0b948b2adac54f3e8ee8cc6a565334df07a6

SHA256
7a077fe8df1a1235de831c630360bf83090123d7ed694ab8713e5ca58faa6356

SHA512
163ac2a925e5c1454c884dc2578a6ea703dc12415a718708243b4cd042b66811ee006fb856d25ebf40bb449a36b819394ac2f9ad97f51c5d55b16005cd64eb0a

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
90KB

MD5
2a27cb91999affc6bb7568cf1e38b9fd

SHA1
19438b2530d692bdde3214b967a01dd32fc092da

SHA256
7a927285bfc0405d053f7fd40a13aa83d36b56a6fd251f58b13ebe0d8ff88281

SHA512
afb9ae040c7a29c5f17337665ee6621fd78acb0a1c9723781c031a65a8c89a3814bb3a0c283ab362593911a3bc0d9e93d75b11e3c0ef4bd473cb40089ed70446

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
90KB

MD5
5057a1189ba22062ff5d0b6707f86e7e

SHA1
5dbdb8f1c591466b348041e2c48ff18000d8d8c2

SHA256
89c18845c86c28a03175359d7ab1fc9958207da0ff389d31bb935715320ce576

SHA512
42ba625e7cef6877f54954d3a6f171605f0474657635ba84e87fa7ea26520cb23cd0f343e047f6baa97d51f480972ea2ac9cfcb59460396fc0844afa7a6c280b

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
90KB

MD5
639ce07a304dc94092e21660ea402001

SHA1
d849aabf11619af5ac27f6c92e5b4c637349dff5

SHA256
df0a1a2b59132e7034e93c49b6fd375e2a971932a14b6c2a20bbbb678a64980a

SHA512
13ebbb2bc524d46600bdb1887462a6afe3d17ab32b5c89a2555ab9c2d49f4d6ac74cb73c483c9137dc7217547e662bcf350def2ce2c9753c5852c972402b2bd2

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
90KB

MD5
f86830af76555f01abbe9cdedf5866e1

SHA1
9cd999ec763a214db2d589d0f8514366a205197f

SHA256
56d905daa988038061a267862061465610b2ca86be64997fb1a2fbf45fab0bbd

SHA512
d3a1bc18e2e3fbde77fcff43552fdb222d96206aff736265747756e3ca70ee097878f6ba8adf458f5b1a0475ae67022d5e3084a987a3aeac661d95ed2fe28891

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
90KB

MD5
5378bf206ac6200cb4da99be1cb8bead

SHA1
28eadd316a3683af65c8ea758c6d733fec9db25d

SHA256
a1a0ab708504c7185ff7db8c789dee20891c2de30aa80475b765ca0cf027fc34

SHA512
422c56d8e5cccacf5aa1c94ac0b46d823cf8b221987086ec93e7543eddec3a92b924d7f274c6672da08f5646366d90542365d5da678998695f2a646a9cd31685

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
90KB

MD5
f5d749163cc0b1346967eb9f4ba2d2da

SHA1
053230d0ea31682274aea2633d9c165be2869bac

SHA256
a93b3de2063d2621090f8866ffdf3d3daf1750f99e952ad58253249905af444c

SHA512
db26d93e113889da078a21e2059623ad8c86a3d525245b99247399b8781542dff43caa29904ed1f3709892845bb5ed831b1a1dd3bb87cc23102cabd3df614a7f

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
90KB

MD5
57ec20d2e37f81e004c4ba9b37f27df1

SHA1
0bb1cb02c9dc587a244f2b8d177883401f44a44f

SHA256
59d7bec56dd6dcf711c8f71096713397ea811cb65b2d537ed04acea23029a630

SHA512
34858789be5cf3ce641c296b92371ad249964488194e9b48468475f9d7522481d7680881ef7fc63b4f0e510881121e923a1806e3d2e01b2fb19f20cd98c39d9c

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
90KB

MD5
c8be14073553e51d2fa0fe5709443def

SHA1
655c741b11b0dfbd9c0c9b8f18aeab64826cac17

SHA256
83575005c810a15a03977157435045a8b31145fd2f2ae2454c987f573277d3d0

SHA512
b2b332bd1d71ef5f10b10dd57019c42adbadf0e77c2ece09bb5e2cea11ebe8459713e3dacc2463f789638c28ae8ca6ee0a315b1312ff612d7322d8d318b07379

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
90KB

MD5
08625f030e80723385505ae1e37d9889

SHA1
b28def1948a422656af9221f8452ae94ada4be2e

SHA256
ef0928aacd6239b46d7d2e58756a65c5de1ca29a21d36110519e6b52f3631f31

SHA512
4bb1a27863774e1d149490327fd515e6ffa79d16b87afed55bacad8f2dd1b5458674ebdfc90ee3dd10639f8e1e4271e85985ef755abbe1cd67b8b16a22196ea7

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
90KB

MD5
df0bd792b25cc0debb58a35ac7fb2125

SHA1
84aafcab43d66e081f128f06058b2a64347408e2

SHA256
8948a80fca31a739d32aec1ab23cb13aa799a8c4e929e48cbdc8768f3f118f28

SHA512
88038de4f288431983c3c53fc6b4091fc94d2fcba6a4c2c8fe59c1600c80283d366b60774635cbbbd84e36baad7a08dc63ffb5a812f08bcf3b65ca2c4657b43a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
90KB

MD5
7b883a037c320d6a8b54ed69943ede5b

SHA1
2c883224200939d2f57d71ec71e9964e0c638b54

SHA256
43b72333e76988b863a8e70314cddb3c97a35b0a380b177978c8e3164ac53f97

SHA512
dfb48f04421584c2f3a3224fdfa5d1eb8496ccf3c9372cfa16fb12115f121026ad9ea3673e2e8de43819fbd56891b9bef08a7c26b06fd47b620bcf006f6b0029

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
90KB

MD5
e5a5e38b8d149a1b3e688d09644f54a3

SHA1
f56a40afb68fe6c776e6fc80e33d4fd9ece049bb

SHA256
40c9afaa06ed0b78015bfa7e3896c96eb6665afba8a707ea74a1a9e09cf1970d

SHA512
6fe7e65b26c3f0fbbfcff16082f1c88231aac9f3634efa68c2f4218efd5397cfe6915312dfa112ad76f271efe968784509a3f99eb633a7de77c624e578698f67

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
90KB

MD5
985cbf3960da104c1798f180bd9415a3

SHA1
1c603839196b39b4fdcabfa590e9451e78691c31

SHA256
140e3e96a2bb95d6e34d5a0383bfab11391855f615df7ea447862460eab12143

SHA512
5014da272c89af14e0b194c9bc3226f2c777a200cd48fb3167fb39726f3fd21c94e0aa42012f7624249fa3c34018c94de283ab0b2243cb72f137b7fe3138e141

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
90KB

MD5
90d949bc854b7c00fa4b0d1a5da24d18

SHA1
53bb475cd3bc25587c6ad4950d99fab91843ad99

SHA256
91512daaff5fbc332abc88fbab390204b990c9bb63e099acf249e39fe6d589e7

SHA512
63759bae073fdf0ddf339de994529fdea4911f2a98a005025a896989efdbaa3c70e76a7036387ed1b1395542e9077ccc451c263016a20a2ed8d9c3f053a2121a

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
90KB

MD5
9c934b5bc7bdab9e646906e93f189966

SHA1
afc242a2e4eaa9e836173011ea8f09156982c9c7

SHA256
3728578dac0650db514f4892b0a29c0022dbe64e43a301d1a88f67d7cb57a78b

SHA512
69606e90cb49c1a00a553ffdd25f3be9b5215d5a0595d144154aecc080938fa9652ef6b5bb9930eb5e47e34e2adbbc8d05c0be872614ceccac1e728d50885912

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
90KB

MD5
c974bdecd060981b2582afc411e1f3d7

SHA1
ede5a77cf518412681f50c3fcd6494e9921ab4f2

SHA256
e324630fd2b6cdcc4d23938422b8c4028a101cf1d80d2913392859d261e01357

SHA512
fb90e1b1d0635bf67af93488e29b43eb977b797c8701224e56db276992b8b5c45dfda3bb3159f3f4e8a00bb462f87c14fea65072435a257006e1caf9b6705330

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
90KB

MD5
02a76d60ea2bbfb01fd620e19da399d8

SHA1
cf6bf2e6c81836a3f8bd3c4edcad64c45138a7a7

SHA256
f02e67d45e6bdecf15f1a0eae8b781774035e2bf7c4c971812eca183650801ba

SHA512
4d8039a5eb3cedfd9ad0917f712ee1cab9baccb8a0420676435dee72465c8a618f5d77fb98fb64a02b93322b67feb17043af66d58534ae3b7b1e03b3a00acfd1

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
90KB

MD5
0b7abc87e47d5c74719026bcd91f66f9

SHA1
b69a496b87bd2a70d9f87d0ed6c2b4b86e200129

SHA256
38d036b5fe4a50ada61a4de15992a2584271c19c1e77259abbba2f33ecb0f198

SHA512
0bf2fb5278771c43f7cab4bf4ec5f1ced75084785c0b417d40e23f54ddef38502698bffb84d944a920f87fdec0c695568c6454dc8caaf92fd90e985c4011a87e

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
90KB

MD5
00bca2324f227c7cfd284641ee3dfbb6

SHA1
9e720c2b0e2d1842907d0f55b436b09a7d0930ec

SHA256
2af33c1f3185b77d177d11074e2ed25719f49f4b156be7942b3cbc11bba1b4d1

SHA512
e80d5d320ea81a040dcb8d1b191ce0b6f6422dcc71dd3bcf63cb0ea43c7315530cfa4d80dde9ea7121976b770ab2051e30bfaff113d787c5c00e82b6ea3c2367

Download Submit
memory/60-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/232-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/528-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/700-713-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/740-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-702-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-744-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2096-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2340-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2436-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2652-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-707-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3372-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3428-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3472-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3504-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3816-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3840-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-648-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3844-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3916-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3928-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3932-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3940-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4160-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4532-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4736-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4756-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4784-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4932-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5100-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads