berbew | 1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
Size

352KB
MD5

b3eaac06c14e081e2b6188bb81e50e30
SHA1

4f31dbad915d89749ecae1296738c51b87a4caa1
SHA256

1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc
SHA512

e0e8b14523676ac2985315d00f7232b12e27de8df063aab1eb83a08fa3b32efc11f885b7a22d2e32798bf4474861d6afabebec81591ccbfeb437f416a560b0b5
SSDEEP

6144:hyIfiRTz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisj:PfjsUasUqsU6sj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogfjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcppimfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnadadld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhagbfnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddhhggdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpcljnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnpimkfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqijmq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnfmmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmnpjmla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhhggdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnang32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpebch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfoee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bappnpkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagfooep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldjhcgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojbinjbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkjlpkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqdqbaee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ammnmbig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicdncn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjddbcgk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjhcgll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anhaledo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoeaili.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgnafinp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpcioha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chlngg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmnpjmla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njgjbllq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdkcgqad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbpoofo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagoel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngonjqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjddbcgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ammnmbig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bappnpkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnpimkfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcodf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mljfbiea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfbdblnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcdqmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhafcoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagfooep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghdockp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opjeee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfolehep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicdncn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpgoig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgfdikg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlhki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfolehep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanffhq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1536	Llpcljnl.exe
1132	Lmppfm32.exe
1164	Ldjhcgll.exe
3504	Lghdockp.exe
476	Mgjadb32.exe
4592	Mdnang32.exe
636	Mljfbiea.exe
3088	Mpebch32.exe
4760	Mpgoig32.exe
984	Mlqlch32.exe
2712	Nnpimkfl.exe
4564	Njgjbllq.exe
4580	Ngkjlpkj.exe
2660	Npcodf32.exe
4964	Nngonjqd.exe
3264	Nfbdblnp.exe
396	Ocfdlqmi.exe
5044	Opjeee32.exe
1984	Ojbinjbc.exe
2136	Ogfjgo32.exe
4020	Odjjqc32.exe
2752	Olfoee32.exe
5080	Ojjooilk.exe
1620	Pfqpcj32.exe
3104	Pcdqmo32.exe
1292	Pqhafcoc.exe
1964	Pjqeoh32.exe
1512	Pfgfdikg.exe
4124	Pggbnlbj.exe
4680	Qdkcgqad.exe
1920	Qncgqf32.exe
5112	Qcppimfl.exe
1832	Qfolehep.exe
472	Aqdqbaee.exe
4788	Afaijhcm.exe
4800	Anhaledo.exe
688	Aqfmhacc.exe
3460	Ajoaqfjc.exe
2600	Ammnmbig.exe
3856	Aqijmq32.exe
4088	Ajanffhq.exe
1032	Aefbcogf.exe
2364	Anogldng.exe
640	Ambgha32.exe
4100	Bnadadld.exe
2168	Bappnpkh.exe
872	Bncqgd32.exe
4772	Bnfmmc32.exe
4716	Bgnafinp.exe
4744	Bagfooep.exe
1440	Bnkfhcdj.exe
4824	Baicdncn.exe
876	Cffkleae.exe
2012	Cmpcioha.exe
244	Cjddbcgk.exe
2800	Cmbpoofo.exe
2648	Cdlhki32.exe
4852	Cnamib32.exe
1404	Cdoeaili.exe
4176	Cjhmnc32.exe
3592	Cmgjjn32.exe
4608	Chlngg32.exe
4116	Cepnqkai.exe
4372	Dfakhc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqhafcoc.exe	Pcdqmo32.exe
File created	C:\Windows\SysWOW64\Dchgoldk.dll	Bgnafinp.exe
File created	C:\Windows\SysWOW64\Hdkbie32.dll	Cepnqkai.exe
File opened for modification	C:\Windows\SysWOW64\Dhagbfnj.exe	Dagoel32.exe
File created	C:\Windows\SysWOW64\Jonepa32.dll	Llpcljnl.exe
File created	C:\Windows\SysWOW64\Mpgoig32.exe	Mpebch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpgoig32.exe	Mpebch32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgha32.exe	Anogldng.exe
File created	C:\Windows\SysWOW64\Ngkjlpkj.exe	Njgjbllq.exe
File created	C:\Windows\SysWOW64\Ogfjgo32.exe	Ojbinjbc.exe
File created	C:\Windows\SysWOW64\Aqfmhacc.exe	Anhaledo.exe
File created	C:\Windows\SysWOW64\Baicdncn.exe	Bnkfhcdj.exe
File created	C:\Windows\SysWOW64\Giaiel32.dll	Mdnang32.exe
File opened for modification	C:\Windows\SysWOW64\Npcodf32.exe	Ngkjlpkj.exe
File created	C:\Windows\SysWOW64\Dgqmpg32.dll	Anhaledo.exe
File created	C:\Windows\SysWOW64\Kbnggn32.dll	Cjddbcgk.exe
File created	C:\Windows\SysWOW64\Dpoamahl.dll	Dfakhc32.exe
File created	C:\Windows\SysWOW64\Ddjemgal.exe	Dalhqlbh.exe
File opened for modification	C:\Windows\SysWOW64\Ldjhcgll.exe	Lmppfm32.exe
File created	C:\Windows\SysWOW64\Nbaibe32.dll	Aqdqbaee.exe
File created	C:\Windows\SysWOW64\Cepnqkai.exe	Chlngg32.exe
File created	C:\Windows\SysWOW64\Cllnlemd.dll	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
File created	C:\Windows\SysWOW64\Bnkfhcdj.exe	Bagfooep.exe
File created	C:\Windows\SysWOW64\Klpbed32.dll	Mlqlch32.exe
File created	C:\Windows\SysWOW64\Odjjqc32.exe	Ogfjgo32.exe
File created	C:\Windows\SysWOW64\Aqijmq32.exe	Ammnmbig.exe
File created	C:\Windows\SysWOW64\Dmnpjmla.exe	Dhagbfnj.exe
File created	C:\Windows\SysWOW64\Bgnafinp.exe	Bnfmmc32.exe
File created	C:\Windows\SysWOW64\Ibmmml32.dll	Bappnpkh.exe
File opened for modification	C:\Windows\SysWOW64\Bnfmmc32.exe	Bncqgd32.exe
File created	C:\Windows\SysWOW64\Lnapigob.dll	Cffkleae.exe
File opened for modification	C:\Windows\SysWOW64\Dalhqlbh.exe	Ddhhggdo.exe
File opened for modification	C:\Windows\SysWOW64\Cmbpoofo.exe	Cjddbcgk.exe
File opened for modification	C:\Windows\SysWOW64\Cffkleae.exe	Baicdncn.exe
File opened for modification	C:\Windows\SysWOW64\Cdoeaili.exe	Cnamib32.exe
File created	C:\Windows\SysWOW64\Mdnang32.exe	Mgjadb32.exe
File created	C:\Windows\SysWOW64\Aifmdmap.dll	Npcodf32.exe
File opened for modification	C:\Windows\SysWOW64\Pfgfdikg.exe	Pjqeoh32.exe
File created	C:\Windows\SysWOW64\Qfolehep.exe	Qcppimfl.exe
File created	C:\Windows\SysWOW64\Bncqgd32.exe	Bappnpkh.exe
File created	C:\Windows\SysWOW64\Dhagbfnj.exe	Dagoel32.exe
File opened for modification	C:\Windows\SysWOW64\Nnpimkfl.exe	Mlqlch32.exe
File opened for modification	C:\Windows\SysWOW64\Olfoee32.exe	Odjjqc32.exe
File created	C:\Windows\SysWOW64\Bagfooep.exe	Bgnafinp.exe
File opened for modification	C:\Windows\SysWOW64\Cnamib32.exe	Cdlhki32.exe
File created	C:\Windows\SysWOW64\Jedhei32.dll	Cdlhki32.exe
File created	C:\Windows\SysWOW64\Chlngg32.exe	Cmgjjn32.exe
File created	C:\Windows\SysWOW64\Jkbmmb32.dll	Lmppfm32.exe
File opened for modification	C:\Windows\SysWOW64\Mljfbiea.exe	Mdnang32.exe
File opened for modification	C:\Windows\SysWOW64\Nfbdblnp.exe	Nngonjqd.exe
File opened for modification	C:\Windows\SysWOW64\Cepnqkai.exe	Chlngg32.exe
File created	C:\Windows\SysWOW64\Nfnehjqi.dll	Bnfmmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjddbcgk.exe	Cmpcioha.exe
File opened for modification	C:\Windows\SysWOW64\Ajoaqfjc.exe	Aqfmhacc.exe
File opened for modification	C:\Windows\SysWOW64\Mgjadb32.exe	Lghdockp.exe
File opened for modification	C:\Windows\SysWOW64\Pfqpcj32.exe	Ojjooilk.exe
File created	C:\Windows\SysWOW64\Cfhdmdld.dll	Qfolehep.exe
File opened for modification	C:\Windows\SysWOW64\Bagfooep.exe	Bgnafinp.exe
File created	C:\Windows\SysWOW64\Kakaefma.dll	Baicdncn.exe
File created	C:\Windows\SysWOW64\Dfakhc32.exe	Cepnqkai.exe
File opened for modification	C:\Windows\SysWOW64\Cjhmnc32.exe	Cdoeaili.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpjmla.exe	Dhagbfnj.exe
File opened for modification	C:\Windows\SysWOW64\Ojbinjbc.exe	Opjeee32.exe
File created	C:\Windows\SysWOW64\Qcppimfl.exe	Qncgqf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1572	4848	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjooilk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhafcoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnadadld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepnqkai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpcljnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghdockp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opjeee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfoee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dagoel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmnpjmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afaijhcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbpoofo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnamib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhagbfnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnafinp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpcioha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnang32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbdblnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfqpcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anhaledo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqijmq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffkleae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoeaili.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnpimkfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcodf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjqeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbnlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjhcgll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojbinjbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammnmbig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalhqlbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chlngg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhggdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bappnpkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnfmmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagfooep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngonjqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfgfdikg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqfmhacc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajoaqfjc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqdqbaee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bncqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgoig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcppimfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogldng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjhmnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkjlpkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkfhcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjemgal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmppfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mljfbiea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpebch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjjqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogfjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfolehep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanffhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjddbcgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicdncn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjadb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnamib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdoeaili.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cllnlemd.dll"	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnlopc32.dll"	Mgjadb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knobie32.dll"	Pfgfdikg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpebch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfdlqmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgpnnah.dll"	Pqhafcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpchile.dll"	Ocfdlqmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogfjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckaqiakm.dll"	Olfoee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afaijhcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanffhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chlngg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqhafcoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggfknab.dll"	Ajoaqfjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanffhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjemgal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjckan32.dll"	Ngkjlpkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcdqmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqfmhacc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjooilk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ammnmbig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepnqkai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jonepa32.dll"	Llpcljnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njgjbllq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfoee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dalhqlbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfjo32.dll"	Opjeee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhdmdld.dll"	Qfolehep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhagbfnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opjeee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpakh32.dll"	Ajanffhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpgoig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oielhq32.dll"	Njgjbllq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdkbie32.dll"	Cepnqkai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmnpjmla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjddbcgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlhki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll"	Cnamib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dalhqlbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opjeee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbnlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bncqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bncqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagfooep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogohcl32.dll"	Cdoeaili.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npcodf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghdockp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mljfbiea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpbed32.dll"	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhijdp32.dll"	Qncgqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbpoofo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpebch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnpimkfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajoaqfjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifmdmap.dll"	Npcodf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 1536	416	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe	81
PID 416 wrote to memory of 1536	416	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe	81
PID 416 wrote to memory of 1536	416	1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe	81
PID 1536 wrote to memory of 1132	1536	Llpcljnl.exe	82
PID 1536 wrote to memory of 1132	1536	Llpcljnl.exe	82
PID 1536 wrote to memory of 1132	1536	Llpcljnl.exe	82
PID 1132 wrote to memory of 1164	1132	Lmppfm32.exe	83
PID 1132 wrote to memory of 1164	1132	Lmppfm32.exe	83
PID 1132 wrote to memory of 1164	1132	Lmppfm32.exe	83
PID 1164 wrote to memory of 3504	1164	Ldjhcgll.exe	84
PID 1164 wrote to memory of 3504	1164	Ldjhcgll.exe	84
PID 1164 wrote to memory of 3504	1164	Ldjhcgll.exe	84
PID 3504 wrote to memory of 476	3504	Lghdockp.exe	85
PID 3504 wrote to memory of 476	3504	Lghdockp.exe	85
PID 3504 wrote to memory of 476	3504	Lghdockp.exe	85
PID 476 wrote to memory of 4592	476	Mgjadb32.exe	86
PID 476 wrote to memory of 4592	476	Mgjadb32.exe	86
PID 476 wrote to memory of 4592	476	Mgjadb32.exe	86
PID 4592 wrote to memory of 636	4592	Mdnang32.exe	87
PID 4592 wrote to memory of 636	4592	Mdnang32.exe	87
PID 4592 wrote to memory of 636	4592	Mdnang32.exe	87
PID 636 wrote to memory of 3088	636	Mljfbiea.exe	88
PID 636 wrote to memory of 3088	636	Mljfbiea.exe	88
PID 636 wrote to memory of 3088	636	Mljfbiea.exe	88
PID 3088 wrote to memory of 4760	3088	Mpebch32.exe	89
PID 3088 wrote to memory of 4760	3088	Mpebch32.exe	89
PID 3088 wrote to memory of 4760	3088	Mpebch32.exe	89
PID 4760 wrote to memory of 984	4760	Mpgoig32.exe	90
PID 4760 wrote to memory of 984	4760	Mpgoig32.exe	90
PID 4760 wrote to memory of 984	4760	Mpgoig32.exe	90
PID 984 wrote to memory of 2712	984	Mlqlch32.exe	91
PID 984 wrote to memory of 2712	984	Mlqlch32.exe	91
PID 984 wrote to memory of 2712	984	Mlqlch32.exe	91
PID 2712 wrote to memory of 4564	2712	Nnpimkfl.exe	92
PID 2712 wrote to memory of 4564	2712	Nnpimkfl.exe	92
PID 2712 wrote to memory of 4564	2712	Nnpimkfl.exe	92
PID 4564 wrote to memory of 4580	4564	Njgjbllq.exe	93
PID 4564 wrote to memory of 4580	4564	Njgjbllq.exe	93
PID 4564 wrote to memory of 4580	4564	Njgjbllq.exe	93
PID 4580 wrote to memory of 2660	4580	Ngkjlpkj.exe	94
PID 4580 wrote to memory of 2660	4580	Ngkjlpkj.exe	94
PID 4580 wrote to memory of 2660	4580	Ngkjlpkj.exe	94
PID 2660 wrote to memory of 4964	2660	Npcodf32.exe	95
PID 2660 wrote to memory of 4964	2660	Npcodf32.exe	95
PID 2660 wrote to memory of 4964	2660	Npcodf32.exe	95
PID 4964 wrote to memory of 3264	4964	Nngonjqd.exe	96
PID 4964 wrote to memory of 3264	4964	Nngonjqd.exe	96
PID 4964 wrote to memory of 3264	4964	Nngonjqd.exe	96
PID 3264 wrote to memory of 396	3264	Nfbdblnp.exe	97
PID 3264 wrote to memory of 396	3264	Nfbdblnp.exe	97
PID 3264 wrote to memory of 396	3264	Nfbdblnp.exe	97
PID 396 wrote to memory of 5044	396	Ocfdlqmi.exe	98
PID 396 wrote to memory of 5044	396	Ocfdlqmi.exe	98
PID 396 wrote to memory of 5044	396	Ocfdlqmi.exe	98
PID 5044 wrote to memory of 1984	5044	Opjeee32.exe	99
PID 5044 wrote to memory of 1984	5044	Opjeee32.exe	99
PID 5044 wrote to memory of 1984	5044	Opjeee32.exe	99
PID 1984 wrote to memory of 2136	1984	Ojbinjbc.exe	100
PID 1984 wrote to memory of 2136	1984	Ojbinjbc.exe	100
PID 1984 wrote to memory of 2136	1984	Ojbinjbc.exe	100
PID 2136 wrote to memory of 4020	2136	Ogfjgo32.exe	101
PID 2136 wrote to memory of 4020	2136	Ogfjgo32.exe	101
PID 2136 wrote to memory of 4020	2136	Ogfjgo32.exe	101
PID 4020 wrote to memory of 2752	4020	Odjjqc32.exe	102

C:\Users\Admin\AppData\Local\Temp\1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe
"C:\Users\Admin\AppData\Local\Temp\1a9092f730a43ddf1efcdd0a458cd700eae3ff15f9fbd335cb59da0ec1a1eadc.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\SysWOW64\Llpcljnl.exe
  C:\Windows\system32\Llpcljnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Lmppfm32.exe
    C:\Windows\system32\Lmppfm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\Ldjhcgll.exe
      C:\Windows\system32\Ldjhcgll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\Lghdockp.exe
        
        C:\Windows\system32\Lghdockp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\Mgjadb32.exe
        
        C:\Windows\system32\Mgjadb32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\Mdnang32.exe
        
        C:\Windows\system32\Mdnang32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Mljfbiea.exe
        
        C:\Windows\system32\Mljfbiea.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Mpebch32.exe
        
        C:\Windows\system32\Mpebch32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Mpgoig32.exe
        
        C:\Windows\system32\Mpgoig32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Nnpimkfl.exe
        
        C:\Windows\system32\Nnpimkfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Njgjbllq.exe
        
        C:\Windows\system32\Njgjbllq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ngkjlpkj.exe
        
        C:\Windows\system32\Ngkjlpkj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Npcodf32.exe
        
        C:\Windows\system32\Npcodf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nngonjqd.exe
        
        C:\Windows\system32\Nngonjqd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Nfbdblnp.exe
        
        C:\Windows\system32\Nfbdblnp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ocfdlqmi.exe
        
        C:\Windows\system32\Ocfdlqmi.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Opjeee32.exe
        
        C:\Windows\system32\Opjeee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ojbinjbc.exe
        
        C:\Windows\system32\Ojbinjbc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ogfjgo32.exe
        
        C:\Windows\system32\Ogfjgo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Odjjqc32.exe
        
        C:\Windows\system32\Odjjqc32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Olfoee32.exe
        
        C:\Windows\system32\Olfoee32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Ojjooilk.exe
        
        C:\Windows\system32\Ojjooilk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Pfqpcj32.exe
        
        C:\Windows\system32\Pfqpcj32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Pcdqmo32.exe
        
        C:\Windows\system32\Pcdqmo32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Pqhafcoc.exe
        
        C:\Windows\system32\Pqhafcoc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Pjqeoh32.exe
        
        C:\Windows\system32\Pjqeoh32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\Pfgfdikg.exe
        
        C:\Windows\system32\Pfgfdikg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Pggbnlbj.exe
        
        C:\Windows\system32\Pggbnlbj.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Qdkcgqad.exe
        
        C:\Windows\system32\Qdkcgqad.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Qncgqf32.exe
        
        C:\Windows\system32\Qncgqf32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Qcppimfl.exe
        
        C:\Windows\system32\Qcppimfl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\Qfolehep.exe
        
        C:\Windows\system32\Qfolehep.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Aqdqbaee.exe
        
        C:\Windows\system32\Aqdqbaee.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\Afaijhcm.exe
        
        C:\Windows\system32\Afaijhcm.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Anhaledo.exe
        
        C:\Windows\system32\Anhaledo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Aqfmhacc.exe
        
        C:\Windows\system32\Aqfmhacc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Ajoaqfjc.exe
        
        C:\Windows\system32\Ajoaqfjc.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Ammnmbig.exe
        
        C:\Windows\system32\Ammnmbig.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Aqijmq32.exe
        
        C:\Windows\system32\Aqijmq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Ajanffhq.exe
        
        C:\Windows\system32\Ajanffhq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Aefbcogf.exe
        
        C:\Windows\system32\Aefbcogf.exe
        43⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Anogldng.exe
        
        C:\Windows\system32\Anogldng.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Bnadadld.exe
        
        C:\Windows\system32\Bnadadld.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Bappnpkh.exe
        
        C:\Windows\system32\Bappnpkh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Bncqgd32.exe
        
        C:\Windows\system32\Bncqgd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Bnfmmc32.exe
        
        C:\Windows\system32\Bnfmmc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Bgnafinp.exe
        
        C:\Windows\system32\Bgnafinp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\Bagfooep.exe
        
        C:\Windows\system32\Bagfooep.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Bnkfhcdj.exe
        
        C:\Windows\system32\Bnkfhcdj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Baicdncn.exe
        
        C:\Windows\system32\Baicdncn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Cffkleae.exe
        
        C:\Windows\system32\Cffkleae.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Cmpcioha.exe
        
        C:\Windows\system32\Cmpcioha.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Cjddbcgk.exe
        
        C:\Windows\system32\Cjddbcgk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Windows\SysWOW64\Cmbpoofo.exe
        
        C:\Windows\system32\Cmbpoofo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Cdlhki32.exe
        
        C:\Windows\system32\Cdlhki32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Cnamib32.exe
        
        C:\Windows\system32\Cnamib32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Cdoeaili.exe
        
        C:\Windows\system32\Cdoeaili.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Cjhmnc32.exe
        
        C:\Windows\system32\Cjhmnc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Chlngg32.exe
        
        C:\Windows\system32\Chlngg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Cepnqkai.exe
        
        C:\Windows\system32\Cepnqkai.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Dfakhc32.exe
        
        C:\Windows\system32\Dfakhc32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Dagoel32.exe
        
        C:\Windows\system32\Dagoel32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Dhagbfnj.exe
        
        C:\Windows\system32\Dhagbfnj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Dmnpjmla.exe
        
        C:\Windows\system32\Dmnpjmla.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Ddhhggdo.exe
        
        C:\Windows\system32\Ddhhggdo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Dalhqlbh.exe
        
        C:\Windows\system32\Dalhqlbh.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 408
        73⤵
        Program crash
        
        PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4848 -ip 4848
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgha32.exe

Filesize
352KB

MD5
89d28714539093bcb51c758f945d302d

SHA1
ad09256dff2f6eb710a1563c6c0735d3dc71015b

SHA256
5288677e962af762ff279ab335412e1b2dbdbc03a1653c064734a809cc9c82f5

SHA512
0e2a4af158aeffad5f279c8d0122c22a1ee271dd108d7d16c57cdd6dc373480c0908fe177a769a1d233ef0bf178c703f49ca3ac7e7e5bfe12ea29326cf12885b

Download Submit
C:\Windows\SysWOW64\Bncqgd32.exe

Filesize
352KB

MD5
2e27fe4ea379a0df8ee9d8172747b5c5

SHA1
c1984b111cff0f5df9b37bc05971ebc3d1348e8b

SHA256
6ca20b6b8ee0799e914cf74d32016c2ebf0dbfbc3b0b0023200246cd7edc00c2

SHA512
56cdb20169483a332ead04561ae01c2416782f4d96cbac841250ddb79ec5455c43eebfd407528ed9173fe9e1553339844ddd0fe6d0c334950e9f2ba4798468e5

Download Submit
C:\Windows\SysWOW64\Bnkfhcdj.exe

Filesize
352KB

MD5
becd05c14011a59144f5d142d80aa3af

SHA1
26fa06e55025ce06535d68407020468809b4cd57

SHA256
c35c927d8b52bc38aa2228fc0ce197417f1928bc619459766a8e162619a7ee36

SHA512
c4b6f0d353e9d19ed7d70afdce5fc5fa234cbf791ef05e4c6aefffb492b7a2a514c9c91a39eeb2a38649297d279a28b7ee0d9173b4bcbe97adec9133a72a9658

Download Submit
C:\Windows\SysWOW64\Cepnqkai.exe

Filesize
352KB

MD5
96bf063e8c3ce716913e4653e8493502

SHA1
b2dc5e16ae248a7cfdd7f16c5a81a0b285b1e109

SHA256
676103121466644cebd43501118fdf5f3bdfc18c541534c79803410254c92e89

SHA512
f0508db9aec07573e33c2171d85d8451bcdc66d2708025f7fd26a7180c38db3917f8f120f1b540440547533213c421079ca7acc2e772434c3ddf356852df4bce

Download Submit
C:\Windows\SysWOW64\Cffkleae.exe

Filesize
352KB

MD5
295ab39add16d885ad0c3d2f2b605106

SHA1
f4c8f4254f542a6c8434e53323a252a2de80fa04

SHA256
4212013d905a268017186420a4c005e81b049783692cd552a81371dafd5c8fd6

SHA512
4fec49987f99e89c9485943687caf69d83e0c902672c410326c1498218957b50bd22a658cef03eef541226ae75aa3c78900cb7aaf90a35fef47eb72121b3dfd2

Download Submit
C:\Windows\SysWOW64\Dagoel32.exe

Filesize
352KB

MD5
e9f61178373d8d208b0d961b098d2eaa

SHA1
81832ab258c8226771b05e46b03a44b242aab172

SHA256
22c1eae11219589514b2bf65e73d5f8a956ccac2b6a1da119fec70f60842a2a7

SHA512
dc3f024bfe3174014615ab92873746bd7d700d7a6a64578c9c96df77d790c8688b1a7c5fe82ad4d207df41484b001e9d4aeb07190dfc60bb28f9855332f491de

Download Submit
C:\Windows\SysWOW64\Dalhqlbh.exe

Filesize
352KB

MD5
97857b41c4aef16e18ef90336f8d0dd0

SHA1
9a7e1eae35709c9054efd74a587bd6d4313c55cd

SHA256
77a941811389979e18a7d61652f619a92a14a7756cf606bef2c3368a01d0e122

SHA512
93f3251877e7fe3ff60dc932bc5de73919ad36a848f46b7b15c9ec856452e4cc4b1525df949cc9e726740940ba2c08085a3143c3e472f5039a4425d68bf1bbad

Download Submit
C:\Windows\SysWOW64\Danefkqe.exe

Filesize
352KB

MD5
9d8cfaefc24b3d261446bf0e289b63cb

SHA1
586248f0de845718a1916ca4de388d8c7a83b150

SHA256
c9e5b280096f04c8c392383d0c95aed2c0aba67930d39cd21fc042dbb451e69a

SHA512
1ae5b53f87445ba581e7ae1d56129c4153d40485b4f1f377c1b6e3984a08a8377bc1eeb76b4a2d2b712ad03d9bef12dc38696ce007339cb3bc70fadcd81e2ed7

Download Submit
C:\Windows\SysWOW64\Ldjhcgll.exe

Filesize
352KB

MD5
def667fa28c7e64496c2aef7f97a984a

SHA1
5345550e372e442260d12668c36d24f2c014c0ee

SHA256
d14006995da30b8543a2cd64a8ba43ebc84d263c7c0f24bd366ddfac1a63ab14

SHA512
2f7872fb20a34f2dba54add068f29bef27764dd8a810eccab373cb03b7c8c3711b47aea41f6a1a8cfbd7788f62922ecab30256d3b54b8229e560e16e603e7723

Download Submit
C:\Windows\SysWOW64\Lghdockp.exe

Filesize
352KB

MD5
0537c401ad1ff2b0e5d0a78bd0a57ecc

SHA1
0712c86be07e6e379d32a7af27426638bc12367d

SHA256
13dbd74f5fd4ba687316f426f5bab900851bcd22d7938cac0db78f56880a6eed

SHA512
52647b747f0b36c560f43aab0ed6b240b3c2eb3d35654437b37e2ac820de9f359e86f5b9eb394b6f5d1344fe12b0c68a97e062a4632ebefa7eeea0ebbefc2c74

Download Submit
C:\Windows\SysWOW64\Llpcljnl.exe

Filesize
352KB

MD5
ac44de9e5b9fccb638fe350f0f2f8e7a

SHA1
8db1ca93301f88dc02602dcd26afe21fc6b427de

SHA256
f52d9e5a28de35c90eea2784190a5f9107990ee3b4ddbc4111f11d2500ae0771

SHA512
f3cd05f5ab6ff306fe94bcf14ad042cdd0cc2b067859532fa1c556dbcc6c40d47571456e57b37ae2abfb50e901ef521fd15cf5bb12eb669b28106381c67c59ca

Download Submit
C:\Windows\SysWOW64\Lmppfm32.exe

Filesize
352KB

MD5
2b7b6040da3bd904cd2d6cced87d5413

SHA1
dea2d02626bf40571b387bc808c3d0349d7b2ff3

SHA256
e7e4cfd9a4a33a009be8b097af8cf8db071a43551ddf70c0aac8f5d014cd8daf

SHA512
461a376abaa0ed2f2deabd2f322a8dd63db4ad6e7a7eeb8a5503b52e5e77f04a972fe6227ca2215a4191d127b2e8a74ddffa94a6b846ab727ed2377ef0b72f3a

Download Submit
C:\Windows\SysWOW64\Mdnang32.exe

Filesize
352KB

MD5
88cfdf6238edfe0c34eba7e5592d5442

SHA1
bc4204a5aa38d81e2e347904c6cad9ed4f60ae5f

SHA256
4ea61b364530d3c3988752a7cc5d0f2309a70d9ad85b4cd0f4cf0059977c5830

SHA512
4e9a29e2ba0f7291a8b415c771f96c4099afc1c9499d4eca0571644214a5fca5b4b60726236df8115097b89321d796ac9e88684d2c4ca2a1241d1bb447e2ccde

Download Submit
C:\Windows\SysWOW64\Mgjadb32.exe

Filesize
352KB

MD5
a6eab6013ba34e8877601d7d827bbef3

SHA1
0c46870654a223e0b6a1a38e9b972f5f0a669d8a

SHA256
3e9f9c7ce911c6907b5aa702c8fcdc767907f4cc0d62894f5ef52796e57bc085

SHA512
358e0cf2adb3c83f5ff5441dab8b19311bd171356f1abb35dfe8b725770fe4a248eb8a1a21aeda7be5feba7bd8683cdade15592ce41a3e781c4258445cb306b5

Download Submit
C:\Windows\SysWOW64\Mljfbiea.exe

Filesize
352KB

MD5
601d07883cc9b2e5563eccd95867c7ce

SHA1
b824b874484d7ec6397c84bb06073c3750e7f7d9

SHA256
e143c8bb4efe2698449b87f3e92100501d9a9a9985732aa2ead0d03c799ed1a1

SHA512
769bc234dad8ac2a5e4a67d4b86dece41510d56d404ab8e945e8b5d4986fadde220125430bf159140d1baf4c492760d5eaf8c2ce0b8767eeb14670aa0ad5f0ad

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
352KB

MD5
a3a14b37dc2cf68510aa1d28e41f4cc3

SHA1
34616b9a80201ed18ebfc1b60daa0813d066733d

SHA256
398b6e14fbe6b525f95adc6f18783fffb53700a82f1c81c14a8b9cd5366fb48a

SHA512
62f7efdf364c1fdfce53d2d3390229c25a7405efa1585aef7ce772413b60cd827e941843f7bc0acd7559365767e61955687fa26ed807761d918b738ca3dc9463

Download Submit
C:\Windows\SysWOW64\Mpebch32.exe

Filesize
352KB

MD5
01a53429de628bb9d33aafe7af147e71

SHA1
da2cb524933b1b30f770d4529153d60da1902735

SHA256
07a7fc6bfc56e13eaa17de4b795a72f7ac1b9c6a9a55d61e45703ae83759c967

SHA512
f817bc1aff2108ff48997dac3ba0fe1c679137f35e79a51294e027df17c26e86cf13ba99e59337dda9a8dcf6976172362bb518d019decebbb8745e6003d591dc

Download Submit
C:\Windows\SysWOW64\Mpgoig32.exe

Filesize
352KB

MD5
bcbcf4d6fcc04f0a8be25eb607d70a1f

SHA1
13d4907e0a2392888b7ea35800c135854f857171

SHA256
a2d3fed33d02bffd1f9b1a58b4f86d365ecb7cb9f97ab46a899fffa56a9f61d0

SHA512
9a595f1d97ada163ab34cae168d26fd8f3129692c105aeb3df70c4edfc7ec2e3a7c7d98f8b2cd9155e2d2c8e258ae1aae6f55a10b29beb50f121e94ffe344799

Download Submit
C:\Windows\SysWOW64\Nfbdblnp.exe

Filesize
352KB

MD5
36a02d03d24f0d107b8565b4bd6d926e

SHA1
e5d6ce9eb09465ccd55bdb8121a8b9b138c869d1

SHA256
eb47fee37abfc7b37d5b9d4e8cab8497c97711ce6dc24336d9a07dda1ed78d07

SHA512
a8d8c53a62a076259ad00fddd9fa8b096cf29e10dbab5c6ceeaabd1b384a74282144ccb241d508f5caccabcd54dfa2213dec07dddef09a717c4875ffc0d8404e

Download Submit
C:\Windows\SysWOW64\Ngkjlpkj.exe

Filesize
352KB

MD5
e24c0bb6b9f9e2f5075d09b8da568e53

SHA1
0ff7f0c7570322578608e2021ec1900c2df270ab

SHA256
96c64c710d342145c945bea1864bdd4e5021d796da0b8a80b0aed7130b9a9ea2

SHA512
758978b05fd83b3e6b53aae86cb012233e762b502d3e7694ea70019eb0bef13cf3cd9498eec32d0aebdfc7d30395922700ba722d48aef2c194666bd7c53bf085

Download Submit
C:\Windows\SysWOW64\Njgjbllq.exe

Filesize
352KB

MD5
9fa46e5108d64639fc1b5340f11a1286

SHA1
b82e5bfa57faf63a1fe3cbf53215e429bd60b2fa

SHA256
b3471a685eb7f5270697cb50d3bd0c5774e8d0768e7ae3a83ca91ae3a2075666

SHA512
747a53aa735eaa63a64a88dd7ca94b5f27e30de550f9ee0d14ef9502e1daffee75c9f53d1bb9bf7bd2e7477c6f2daa872ab014caf3d25d4e70d92b73373c7671

Download Submit
C:\Windows\SysWOW64\Nngonjqd.exe

Filesize
352KB

MD5
f3fee4e1ca1e43f730a1c97a8397bc2f

SHA1
0512d9960d6130913b6d4589f0a27fc0013431d9

SHA256
5ef6937c6a0a66f782f9bb9aa8513c26a61e88b966a9dec3b4487c78e8e57f91

SHA512
f50bc466bbdddfcdfe95b53f59d2141d9abd7202219e08193c1a8503ca867ee44726d2c1967b578b27c9f6e64d1c901300b6c19d7c42469abe121f59b4069b04

Download Submit
C:\Windows\SysWOW64\Nnpimkfl.exe

Filesize
352KB

MD5
4f30d624a06e97f0c3fba2089d83482e

SHA1
1da539b99446186fed984096d3f64dc7db93c080

SHA256
e09b4b72e4b8984ba65e92c73d79adfb6def75496a79a5271df267a08a17f6a4

SHA512
c4ad55de6841d5345088feea59d0e7f644b7e689f53130ffb4f5ef82f6f990e49702c7f5c9ce5dfaaa12f36c89068dfc972af27a6065e096bf6e02342b0a758b

Download Submit
C:\Windows\SysWOW64\Npcodf32.exe

Filesize
352KB

MD5
2313184ba01d2a7645249583d4c19598

SHA1
9d04a9e2f03966a244d86751c122f7db6f22a6b7

SHA256
76da96c30ff5dacd9d936872458afec7c8540094a977096e07d90190f774f054

SHA512
a67b8d87971f9999a4d5f6afd1b8402be79d0bd326cdacf49a44a3fb24a420c85a11202f27429173d281fac40845a267bdc1c3a9cd5cde35d5814b0abc7088c2

Download Submit
C:\Windows\SysWOW64\Ocfdlqmi.exe

Filesize
352KB

MD5
f45503ca5c2306447562a5a618af97ca

SHA1
cd31e774d70beac284cb1c9adfd7ee6c575a6322

SHA256
1fe0b77af5fb6d3842f362c806cb7c545f9a0b561e3240f5bd6a6e1e4817435a

SHA512
6eb7d9c09a00db18fd3771767c1498194d3404ce3b6e7f84f4a708acb0137c341f0d7c4d560daa1cf3c55c9d4d815c8da1a4c61b33aa42ee5742617790a9d945

Download Submit
C:\Windows\SysWOW64\Odjjqc32.exe

Filesize
352KB

MD5
01b36c5be449b39b40a8a23fb5575793

SHA1
6803b6f891acf771c90f3e8ec6c6b1919ab1fa0a

SHA256
ae85535ec971a7d81b59d6713e71fe85f547fe04b47ddf7ddf459b109e2a12ab

SHA512
544a7329d85f694c5d88b78054c72d5e7dbef06b3076337811f8113171e7869717d3686ca1cb77790e9c03431b9d2fd20a17da1e612740d99bb39e533ab7c5bf

Download Submit
C:\Windows\SysWOW64\Ogfjgo32.exe

Filesize
352KB

MD5
c0d71f73f9da725f5881a6c459b79d18

SHA1
67ad5d72517cf12dd2dfd7fa0cd65ed8259792ba

SHA256
46e3055822f9d9d24e32490a0dd505edf71544028ee54cdcdca867cf751ae4f3

SHA512
b644b2867889c1eff4c7e57f418f22aa7d7697509bd6e649104e5d1a48ace1fd340578609282490250220e2287a7765469ce7982a9626c6e3e1196e1297044bd

Download Submit
C:\Windows\SysWOW64\Ojbinjbc.exe

Filesize
352KB

MD5
f035cfaf850f92068513abec857e2be9

SHA1
52e9daa071338c8c09a81628a288d11e775ad4c1

SHA256
f267d29301a94983ccd6fed637c3a75c01cbe80a89dc2fc7457901c1f6d63be4

SHA512
f109357f0c265b32ade1da35b6080320566d6e3c045bc45329120a9f229c492619a0f74189b38a54dbdba5ca2e5ec748fc25dc4ff7e2a8dfe934d81333193280

Download Submit
C:\Windows\SysWOW64\Ojjooilk.exe

Filesize
352KB

MD5
0251462235d7eddfdecb9da8675c856c

SHA1
3facb7545096e8a542368b899b7be21bae69314b

SHA256
bd8a9d0dfe892da7d0fa84387e16c2c900b9608b7d27d963e27287603ce0b168

SHA512
9a8224bade7e3c0c0c86382482727c146cad93aab60a7ebe15dce6a216bf5c0558b873ccd35b6b057ee38228c2fad710f6027f55d11487076f5017ef195a6a94

Download Submit
C:\Windows\SysWOW64\Olfoee32.exe

Filesize
352KB

MD5
475d04b7b5c6236621f6fc0dd8b7586b

SHA1
ad2c5b3225c2ac1a5886767bd650d100a1a75e7a

SHA256
7402f13cb758ae19e4fb0f9d6e857ea7f794d4c03ee414381e39055d5055d9ae

SHA512
cbce9998b5dc112b6bf20241c5f8113f044baa97159472a5bdf7736e00ad0f54c1587fdf308355d3e70c0e25b4b7584295a8736eda6beb397905e43698463289

Download Submit
C:\Windows\SysWOW64\Opjeee32.exe

Filesize
352KB

MD5
ef01e00576edf17038ad08fa748183ad

SHA1
ac14d1197565a51f6dffe5bb76b6b919ea95834e

SHA256
08d0fc09cce53f9e690cc008ba3c2ece0ec38f259c0d6542765a6da5b9722778

SHA512
f78f1607ec6b5dd1d517f9b20527e9f84f5a6b2dddb362c8599d93bc358358b002f6d516cbb774b255a4601470f2592fd83b752d6d47a299d152e2c6df9e6adb

Download Submit
C:\Windows\SysWOW64\Pcdqmo32.exe

Filesize
352KB

MD5
b64ad9422f1aa3823c04478ad2599c29

SHA1
94328fb1cecae2bd0edf53e00adcc74fb4f562c8

SHA256
6d5167302e1b00943c4a43b4cb21e6007cc64ef30ca7cac29b544b53ed1b94d1

SHA512
4e0d32a12d0629003c3bf1d319670c7501ee76c4bcf13c7d073b82cc4010ba72bfd5e074c419f67582b081caa8974a1f7d44e093b691f69a3335de95a9c9933d

Download Submit
C:\Windows\SysWOW64\Pfgfdikg.exe

Filesize
352KB

MD5
6e1865c100bcdbdd24b9cd3a7afb3d7b

SHA1
ecd8d747d266061565c8b41171d32c493bcd9581

SHA256
df2e2cdff61da980919325db499f72d6936f480f4b78f56e83b4b4f5678150f2

SHA512
600e7565ee0708f141472690fb2cd1a35e916f1cadd81b7621c37917e0994b6ca096d8bc20e9045e54f09831aaa97f74205f9ada60ac908056357e7356c2ce49

Download Submit
C:\Windows\SysWOW64\Pfqpcj32.exe

Filesize
352KB

MD5
5d76bd882b2d5f30ae31db7c98789537

SHA1
0cc742ff5160e75e16d1df26eccc9f8b348bd3db

SHA256
b0b8b6014873cf74f3669a0f5a94a82af416a28785cf13fac79d9807d10d68a4

SHA512
03e36fe8403e105d568f78279fd9021633a9bf05ce868bc1f563151aa1ba2393938dd31f299f2856bf67702d55daaec2910d05e7a3946602f32714ad6eb34b1e

Download Submit
C:\Windows\SysWOW64\Pggbnlbj.exe

Filesize
64KB

MD5
7e190bfab14f05e3da82dc2dbedac38f

SHA1
bb31eb267cf7561576ba66300846440e0e413ca3

SHA256
bc53c70a6a1d417d9e7ec3f9943eeb1b7ef11cde261d3102eb62bea5d3fd3e83

SHA512
276775b0ef4cb29cf7b652c87afcc2a7b11a21ef99b1df34fdced8ef7fbc8bc7c31fabce7144e91bad35469f5441b1dd6988a927382723f625307cbdf754cb72

Download Submit
C:\Windows\SysWOW64\Pggbnlbj.exe

Filesize
352KB

MD5
a69cdf9df28f37c1dbe379e271e75cf8

SHA1
96c96bff406172df8a08f5f5cb9051519389a823

SHA256
f92275d4ffd381e92236f182daad1f385cdc6c3aed199d9e09e467f5ba037581

SHA512
7a2a33ddc3eb52e66f2d08f5ad8451f1114e395f75bb14710248807498947ba3252114f0277b7535d617c4ef365a6602d48d73a364ef0d8abcdcf73a993b905a

Download Submit
C:\Windows\SysWOW64\Pjqeoh32.exe

Filesize
352KB

MD5
d220098830ba8ef4dc165ecfb41de415

SHA1
e0b796f3e3a5f4e06c5861c6d696ed714cc74ed9

SHA256
11b9715d986a020bb4116a7f9981cffbc00d5fb90b182021333ff84d3a48850f

SHA512
c7ec4ec60cefb2b503e3ecbb23a8cc9b649073d9792c68b5b77b6ae57c2a9871eff2347b80daabff4273feaf187e7b5a38311830ec0d1e743f7930ad97aaf138

Download Submit
C:\Windows\SysWOW64\Pqhafcoc.exe

Filesize
352KB

MD5
fdb1e9f7ea99961f49cb6e0806a67d33

SHA1
afb4888bc4df91d9ce49101c1039413fc771d23d

SHA256
98a88575b669328ab9b830d20decd20ab168d6e5c5fdc30dbadfaa26658df9e4

SHA512
91fb57597fcb3952d9d88d71f0ad47946ff1204ac2b702ef091d93cca03c58fec58305d7c2c83e3060a991cc95227686bb6dd6e90b121298ac07e2919ab6a872

Download Submit
C:\Windows\SysWOW64\Qcppimfl.exe

Filesize
352KB

MD5
daf886652a4470eff1af4c570da3c9af

SHA1
7d41e5e76cf846cf0c807490392caca715c7a267

SHA256
0abce4811d309533a8f08a8733fcf526ba7fb57ded215f7c46c8f4b6c1813767

SHA512
1815c59c907424f675a38ca52dab96ad56995a2b25428553a106f3294071f393d59c5afa3264724b47d243f56123ee71a181cda7a67a59abcf76eeb8568aa52b

Download Submit
C:\Windows\SysWOW64\Qdkcgqad.exe

Filesize
352KB

MD5
05895a86dcfe0ea8ae62aad4c6cf1e14

SHA1
1f0df1fa2d3dbf5bff4e84b868d6820491a1cc1a

SHA256
d536464eb50414180abecf2f354f6b962fccc8291575a47093b8d1db81abc199

SHA512
1a257552d30a340d1bca49edbdf232b423bb3640d957fdd2d368b05b67a3d7d7451086cdbd7c5e8fafd0bf4e3aeca9671a348da92dfcda8bcf4fa99a5232a949

Download Submit
C:\Windows\SysWOW64\Qncgqf32.exe

Filesize
352KB

MD5
ecfbacc8989f640735c5ea22a22051ac

SHA1
755f5dc07011c268e36f8c61ef1cb6cbbec9d8bd

SHA256
4cf7d7df4245af6c3fd8e020b9dd4dc60e39a6b68763cb10e30193177cd8c29a

SHA512
b54a58a86dad9c8c87fcf1be14603eaf12a5b6c2adbed95e14fc286e2a8618ef0e8342002bfc4d506a9eae5e463d5bff24fb1a980ffd07eba41012eba7967d1d

Download Submit
memory/244-518-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/244-397-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/396-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/416-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/416-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/476-40-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/636-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/640-328-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/640-540-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/688-286-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/872-346-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/872-534-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/876-522-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/876-381-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/984-80-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1032-316-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1040-480-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1040-490-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1132-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1164-25-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1292-213-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1404-512-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1404-416-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1440-526-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-224-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1536-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1620-192-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-263-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1892-499-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1892-461-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1920-248-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1964-216-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1984-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2012-387-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2012-520-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2136-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2168-536-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2168-340-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2364-322-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2364-542-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2432-451-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2432-500-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2600-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-405-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-514-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2660-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2712-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2752-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2800-403-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2800-516-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3088-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3104-200-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3264-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3460-297-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3504-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3592-430-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3592-508-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3856-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3872-495-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4020-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4088-310-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4100-334-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4100-538-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4116-503-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4124-232-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4176-510-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4176-422-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4372-504-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4372-445-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4548-474-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4548-492-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4564-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-104-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4592-49-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4608-506-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4608-434-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4680-240-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4716-358-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4716-530-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4744-528-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4744-364-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4756-496-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4756-468-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4760-72-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4772-532-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4772-352-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4788-279-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4800-285-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4824-524-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4824-375-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4848-489-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4848-486-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4964-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5044-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5080-184-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5112-262-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads