berbew | 31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/12/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
Size

90KB
MD5

9e604329de7fa7444c8bfe2b4e93fea7
SHA1

bf62c05e7a293b69e25ec02cc19457b14fbd221a
SHA256

31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95
SHA512

9a84b670744968bb1e7ccddda877e8fb4740d410952394bb67ea69046a3a3acc846e5c06a56815781608b32556965e9a683116f16f49a397724ba2e84b9ec299
SSDEEP

1536:9ulo27tM0boOInM32OrFmV+THuF/YCnVJUxNO2/MnFGou/Ub0VkVNK:9b27tM0bvwOhmV+THuFxn2/MnFGou/UW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Offnhpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncqlkemc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmipdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohlqcagj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaenbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhiemoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qaqegecm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodeajbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocjoadei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baannc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bogkmgba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngndaccj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhjmdp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ompfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgnffj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbpgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnmaea32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2992	Nqpcjj32.exe
1192	Ngjkfd32.exe
2964	Nncccnol.exe
1060	Nqbpojnp.exe
2904	Ncqlkemc.exe
3500	Nmipdk32.exe
4756	Ngndaccj.exe
1876	Nmkmjjaa.exe
2780	Nceefd32.exe
2164	Ojomcopk.exe
4784	Oaifpi32.exe
1696	Offnhpfo.exe
1956	Ompfej32.exe
1008	Ocjoadei.exe
3964	Ombcji32.exe
4444	Oclkgccf.exe
1004	Ojfcdnjc.exe
1752	Oaplqh32.exe
4048	Ogjdmbil.exe
3632	Ondljl32.exe
2488	Opeiadfg.exe
2344	Ohlqcagj.exe
956	Pmiikh32.exe
2416	Pccahbmn.exe
1416	Phonha32.exe
2028	Pjmjdm32.exe
3332	Pnifekmd.exe
3428	Ppjbmc32.exe
2208	Pdenmbkk.exe
3176	Pmnbfhal.exe
4408	Phcgcqab.exe
1292	Pnmopk32.exe
4576	Ppolhcnm.exe
4500	Phfcipoo.exe
4220	Pnplfj32.exe
4440	Panhbfep.exe
2716	Qhhpop32.exe
1308	Qfkqjmdg.exe
3904	Qaqegecm.exe
2096	Qpcecb32.exe
3696	Qhjmdp32.exe
4264	Qjiipk32.exe
5060	Qodeajbg.exe
1724	Qpeahb32.exe
3076	Qdaniq32.exe
4856	Afpjel32.exe
2704	Aogbfi32.exe
4172	Aaenbd32.exe
4848	Aknbkjfh.exe
2636	Aagkhd32.exe
3456	Apjkcadp.exe
2864	Agdcpkll.exe
2508	Amnlme32.exe
4524	Apmhiq32.exe
1252	Ahdpjn32.exe
1952	Akblfj32.exe
468	Aaldccip.exe
3144	Apodoq32.exe
928	Adkqoohc.exe
4380	Agimkk32.exe
3040	Akdilipp.exe
3820	Aopemh32.exe
1484	Aaoaic32.exe
4328	Apaadpng.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ppjbmc32.exe	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Boihcf32.exe	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhbebj32.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Nqpcjj32.exe	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
File created	C:\Windows\SysWOW64\Opeiadfg.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Phcgcqab.exe	Pmnbfhal.exe
File created	C:\Windows\SysWOW64\Oingap32.dll	Afpjel32.exe
File created	C:\Windows\SysWOW64\Lihcbd32.dll	Oaifpi32.exe
File opened for modification	C:\Windows\SysWOW64\Aknbkjfh.exe	Aaenbd32.exe
File created	C:\Windows\SysWOW64\Agdcpkll.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Dapgni32.dll	Ahdpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Boldhf32.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Dnmaea32.exe	Dgcihgaj.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File created	C:\Windows\SysWOW64\Lpghll32.dll	Ompfej32.exe
File opened for modification	C:\Windows\SysWOW64\Opeiadfg.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Qaqegecm.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Baannc32.exe
File created	C:\Windows\SysWOW64\Hbobifpp.dll	Cponen32.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Qfkqjmdg.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Opjghl32.dll	Aaldccip.exe
File opened for modification	C:\Windows\SysWOW64\Bgelgi32.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	Pnplfj32.exe
File created	C:\Windows\SysWOW64\Ocjoadei.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Dgfpihkg.dll	Oaplqh32.exe
File created	C:\Windows\SysWOW64\Pnplfj32.exe	Phfcipoo.exe
File created	C:\Windows\SysWOW64\Nceefd32.exe	Nmkmjjaa.exe
File created	C:\Windows\SysWOW64\Ejphhm32.dll	Aagkhd32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dnmaea32.exe
File opened for modification	C:\Windows\SysWOW64\Pmiikh32.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qpeahb32.exe
File created	C:\Windows\SysWOW64\Oeeape32.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cponen32.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqpcjj32.exe
File opened for modification	C:\Windows\SysWOW64\Oclkgccf.exe	Ombcji32.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oclkgccf.exe
File opened for modification	C:\Windows\SysWOW64\Ondljl32.exe	Ogjdmbil.exe
File opened for modification	C:\Windows\SysWOW64\Qaqegecm.exe	Qfkqjmdg.exe
File created	C:\Windows\SysWOW64\Eehmok32.dll	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Akblfj32.exe	Ahdpjn32.exe
File created	C:\Windows\SysWOW64\Bhmbqm32.exe	Bpfkpp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocjoadei.exe	Ompfej32.exe
File created	C:\Windows\SysWOW64\Offnhpfo.exe	Oaifpi32.exe
File created	C:\Windows\SysWOW64\Hccdbf32.dll	Ocjoadei.exe
File created	C:\Windows\SysWOW64\Phonha32.exe	Pccahbmn.exe
File opened for modification	C:\Windows\SysWOW64\Qhjmdp32.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Ahdpjn32.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Ciipkkdj.dll	Bgelgi32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkmjjaa.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Gbfnjgdn.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Jkmmde32.dll	Bahdob32.exe
File opened for modification	C:\Windows\SysWOW64\Cklhcfle.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Jilpfgkh.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Ojomcopk.exe	Nceefd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	2204	WerFault.exe	185

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnhgjaml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmipdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahdpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncqlkemc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhjmdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklhcfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmjdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkqjmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkgeainn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojomcopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phfcipoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panhbfep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngjkfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caageq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpiplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opeiadfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nceefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pccahbmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phcgcqab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppolhcnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akblfj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nncccnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdbpgl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgfpihkg.dll"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ompfej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfpagon.dll"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amnlme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cklhcfle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbddbhk.dll"	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjghl32.dll"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekgliip.dll"	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chnlgjlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqpcjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll"	Aknbkjfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apaadpng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipeabep.dll"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejphhm32.dll"	Aagkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aopemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmkmjjaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pccahbmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akblfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agdcpkll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bpkdjofm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpflbpa.dll"	Offnhpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnplfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhdbgapf.dll"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll"	Bphgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cponen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nncccnol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phfcipoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll"	Nmipdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihcbd32.dll"	Oaifpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpghll32.dll"	Ompfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll"	Ojfcdnjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aknbkjfh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2992	2880	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe	83
PID 2880 wrote to memory of 2992	2880	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe	83
PID 2880 wrote to memory of 2992	2880	31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe	83
PID 2992 wrote to memory of 1192	2992	Nqpcjj32.exe	84
PID 2992 wrote to memory of 1192	2992	Nqpcjj32.exe	84
PID 2992 wrote to memory of 1192	2992	Nqpcjj32.exe	84
PID 1192 wrote to memory of 2964	1192	Ngjkfd32.exe	85
PID 1192 wrote to memory of 2964	1192	Ngjkfd32.exe	85
PID 1192 wrote to memory of 2964	1192	Ngjkfd32.exe	85
PID 2964 wrote to memory of 1060	2964	Nncccnol.exe	86
PID 2964 wrote to memory of 1060	2964	Nncccnol.exe	86
PID 2964 wrote to memory of 1060	2964	Nncccnol.exe	86
PID 1060 wrote to memory of 2904	1060	Nqbpojnp.exe	87
PID 1060 wrote to memory of 2904	1060	Nqbpojnp.exe	87
PID 1060 wrote to memory of 2904	1060	Nqbpojnp.exe	87
PID 2904 wrote to memory of 3500	2904	Ncqlkemc.exe	88
PID 2904 wrote to memory of 3500	2904	Ncqlkemc.exe	88
PID 2904 wrote to memory of 3500	2904	Ncqlkemc.exe	88
PID 3500 wrote to memory of 4756	3500	Nmipdk32.exe	89
PID 3500 wrote to memory of 4756	3500	Nmipdk32.exe	89
PID 3500 wrote to memory of 4756	3500	Nmipdk32.exe	89
PID 4756 wrote to memory of 1876	4756	Ngndaccj.exe	90
PID 4756 wrote to memory of 1876	4756	Ngndaccj.exe	90
PID 4756 wrote to memory of 1876	4756	Ngndaccj.exe	90
PID 1876 wrote to memory of 2780	1876	Nmkmjjaa.exe	91
PID 1876 wrote to memory of 2780	1876	Nmkmjjaa.exe	91
PID 1876 wrote to memory of 2780	1876	Nmkmjjaa.exe	91
PID 2780 wrote to memory of 2164	2780	Nceefd32.exe	92
PID 2780 wrote to memory of 2164	2780	Nceefd32.exe	92
PID 2780 wrote to memory of 2164	2780	Nceefd32.exe	92
PID 2164 wrote to memory of 4784	2164	Ojomcopk.exe	93
PID 2164 wrote to memory of 4784	2164	Ojomcopk.exe	93
PID 2164 wrote to memory of 4784	2164	Ojomcopk.exe	93
PID 4784 wrote to memory of 1696	4784	Oaifpi32.exe	94
PID 4784 wrote to memory of 1696	4784	Oaifpi32.exe	94
PID 4784 wrote to memory of 1696	4784	Oaifpi32.exe	94
PID 1696 wrote to memory of 1956	1696	Offnhpfo.exe	95
PID 1696 wrote to memory of 1956	1696	Offnhpfo.exe	95
PID 1696 wrote to memory of 1956	1696	Offnhpfo.exe	95
PID 1956 wrote to memory of 1008	1956	Ompfej32.exe	96
PID 1956 wrote to memory of 1008	1956	Ompfej32.exe	96
PID 1956 wrote to memory of 1008	1956	Ompfej32.exe	96
PID 1008 wrote to memory of 3964	1008	Ocjoadei.exe	97
PID 1008 wrote to memory of 3964	1008	Ocjoadei.exe	97
PID 1008 wrote to memory of 3964	1008	Ocjoadei.exe	97
PID 3964 wrote to memory of 4444	3964	Ombcji32.exe	98
PID 3964 wrote to memory of 4444	3964	Ombcji32.exe	98
PID 3964 wrote to memory of 4444	3964	Ombcji32.exe	98
PID 4444 wrote to memory of 1004	4444	Oclkgccf.exe	99
PID 4444 wrote to memory of 1004	4444	Oclkgccf.exe	99
PID 4444 wrote to memory of 1004	4444	Oclkgccf.exe	99
PID 1004 wrote to memory of 1752	1004	Ojfcdnjc.exe	100
PID 1004 wrote to memory of 1752	1004	Ojfcdnjc.exe	100
PID 1004 wrote to memory of 1752	1004	Ojfcdnjc.exe	100
PID 1752 wrote to memory of 4048	1752	Oaplqh32.exe	101
PID 1752 wrote to memory of 4048	1752	Oaplqh32.exe	101
PID 1752 wrote to memory of 4048	1752	Oaplqh32.exe	101
PID 4048 wrote to memory of 3632	4048	Ogjdmbil.exe	102
PID 4048 wrote to memory of 3632	4048	Ogjdmbil.exe	102
PID 4048 wrote to memory of 3632	4048	Ogjdmbil.exe	102
PID 3632 wrote to memory of 2488	3632	Ondljl32.exe	103
PID 3632 wrote to memory of 2488	3632	Ondljl32.exe	103
PID 3632 wrote to memory of 2488	3632	Ondljl32.exe	103
PID 2488 wrote to memory of 2344	2488	Opeiadfg.exe	104

C:\Users\Admin\AppData\Local\Temp\31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe
"C:\Users\Admin\AppData\Local\Temp\31f86b190d766ebf5923411fa2b70290f74e94c916f6a93144718d862b1b4b95.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\Nqpcjj32.exe
  C:\Windows\system32\Nqpcjj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\Ngjkfd32.exe
    C:\Windows\system32\Ngjkfd32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\Nncccnol.exe
      C:\Windows\system32\Nncccnol.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\SysWOW64\Ncqlkemc.exe
        
        C:\Windows\system32\Ncqlkemc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Nmipdk32.exe
        
        C:\Windows\system32\Nmipdk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Ompfej32.exe
        
        C:\Windows\system32\Ompfej32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ocjoadei.exe
        
        C:\Windows\system32\Ocjoadei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Pccahbmn.exe
        
        C:\Windows\system32\Pccahbmn.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3428
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        30⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Ppolhcnm.exe
        
        C:\Windows\system32\Ppolhcnm.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Qfkqjmdg.exe
        
        C:\Windows\system32\Qfkqjmdg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Bhhiemoj.exe
        
        C:\Windows\system32\Bhhiemoj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3124
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        71⤵
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        75⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        82⤵
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4224
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        88⤵
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 420
        104⤵
        Program crash
        
        PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2204 -ip 2204
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdcpkll.exe

Filesize
90KB

MD5
cdadaafcce168fcaf8c1a025a4d89381

SHA1
42289ca99e5d36d3e5d21e0952472da7c34766b7

SHA256
e804016089181d1c7815fd3ce61b84aebd2494b7e3374cad59bc7b6742f891a9

SHA512
b35863fabcb0ef529445e6fdfcb0cd021192bf0bbcf726ef4ba004e70ffde3a3209c252fff217e2328792cbc776b32d89d23bb0a3c6c00f6736da1f5499d04bc

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
90KB

MD5
4b81c9dc9b51c580ff9b1c196c1d0e5b

SHA1
79b8a67a9bfc44e16b9a686dcecdb0028e936fc0

SHA256
5bb31dc8b9d3c0ae0b628c2ef0b73d5dfeff282d9d5dbf7411b401617447d9ee

SHA512
57e3cc28d0ee340782b957ef432353a9d8fee20a069ca0b0d28b66ef4c1acbb8618ca174ae861e928a49fec86bc013baef9a2f16691765da1a52b0ce9c750819

Download Submit
C:\Windows\SysWOW64\Ahdpjn32.exe

Filesize
90KB

MD5
d7c6051fcb27149b6dba57fbc6083d57

SHA1
d776604639dc94e49de04677885a3b631a53ea0d

SHA256
f70fff239394e128368ea82627a46075f43547d7087c39693a437cc548aebcff

SHA512
f366f614f5510ad0f4b8771e696f61820071b04a1981a0dedfc8e3873018e739a73287686c94bc35fc4389cd489203365885e97f4ca5b8af0cac67e27d3231ed

Download Submit
C:\Windows\SysWOW64\Baannc32.exe

Filesize
90KB

MD5
44f79ada7142c4c40b228823f00be739

SHA1
d4472f29d7d24caae1b0298cdedb6e535c546734

SHA256
721ced6a9071f48327c36bc1b3ed3f08eeee4b33efb21d70a7d8f7df955467ec

SHA512
499029e5014fa1e3fa83ca47732eca5297b08484e73d4a4cd4ff9688802cb8763e365f36604e6059526babbf802c2532413005f7b573203d5dd58ce2734fde87

Download Submit
C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
90KB

MD5
f76fe4c68f16d8aeafff2d0a3bbf53b3

SHA1
b55090c3a01abd6fffbf5ffbcc409565bd6d9352

SHA256
8397b5cefcbb25e4dd6f9e1cece174b2515a4b6472ec4b0eb2916445a9e825fa

SHA512
9b8db78d0d1f6d946f99a96b4c8e4edc286a4fd9ba8a1db32cf5fb8255ff269e2f5d83929628c610cc2ad61213140099677d4e74201c5c93c484e6dd21cea2f1

Download Submit
C:\Windows\SysWOW64\Binlfp32.dll

Filesize
7KB

MD5
b821cd88a9a7f13936e117e1896ba489

SHA1
04fc763c5ce2cf0604649cd9bc6b74a87b753433

SHA256
cdb548b420f56b677a2ef18bc3a4beb576cd427d4798b6e203f3c072111194ba

SHA512
67c1b00d396a3b6111dfc761832568efc5e5e693a0f51520df36d5ecdb328390e2cd856a1f250a0c95821060db1e7823a99262a3df1a0442330520e9167274a5

Download Submit
C:\Windows\SysWOW64\Boihcf32.exe

Filesize
90KB

MD5
4ebefd41fe6f39ef5d73e0655cf73050

SHA1
b87015566731f830c9c59b9ba4417d297bdb65aa

SHA256
78658a4b285c36d4b431a77b30adf827fdcba69fbf421b9bd86921cb73be1706

SHA512
b837f196adaa591b0f4a5cf015bd96559ee108b4ca46cb83b144f408975f940707168cc897f4880f0930cfd7aed033c2ebc812cba3f77a5c72b8d381a35cd916

Download Submit
C:\Windows\SysWOW64\Bpfkpp32.exe

Filesize
90KB

MD5
ac406df73aa073c01841b12c3bda196b

SHA1
e3fbd4791f77673cb3b7ecddc14bcab595a74de2

SHA256
b04a81dcb2350178c5487434fbff280178c2e45d6582a06bfa8a53169d91e2ec

SHA512
5a35e4c31fc4c381b7d6c0d9d04550d107ee04e5d7b460835e94c247e16caa86c076d0ea2b6f114e465c56fe5ee3a85f6e8c14656224bf7e5f6f86640ab701ba

Download Submit
C:\Windows\SysWOW64\Bphgeo32.exe

Filesize
90KB

MD5
96eb1d527c98613ac7ed30aff56b2fc2

SHA1
b3a4b3a89c06787c0b458cd4981f6a68f908202d

SHA256
f2f2bea24bb5bf2dd012e8035f3f94206525241f6d7ecc945fe9390b1040f398

SHA512
e36811ece68c5636d4345fc555a72c66b5c6b632ef65cb0247081a8494dc01ede3da685ea9d5153e801815d2bd24f53b33817d7f2908f128c62db0352b3b7e61

Download Submit
C:\Windows\SysWOW64\Chnlgjlb.exe

Filesize
90KB

MD5
749b1123acf69c071b46f33296855424

SHA1
51d4e1a8a21869867feb8e9e7e7c2e16618605bd

SHA256
56204fcb0f65ea5f562215e7fbac7a121fd7d2b19ad3d2a52ebfb9e4e1faf469

SHA512
48e24ce9ba2bf3a111afaaf9daa25a878084757afd964d838b288c3e78ccc20febe50dc857e73ce063d6a3d26ca75dea89417c542e4902a63592966fd82c97f8

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
90KB

MD5
8bb6ccd83f35c0c3e125a37984b3d38b

SHA1
15bd0a962861a61d70d0c64dd6d38406812accf2

SHA256
2f76397f46d7fa200cc07e262b428232cb0cf353ea66c03f8f04905b2f5bd1e6

SHA512
d35c8b5e5e01dea4b3bf09214f18780f589866a37ddc27fc8d63a23478c759a26795bdfeec088b3175a13ec176ce84512b9a37b39f87cbe93568e8de500d636b

Download Submit
C:\Windows\SysWOW64\Cponen32.exe

Filesize
90KB

MD5
737f49adaff46a77d69d37598f8a1f1d

SHA1
d2864e524d22d336c50321f3fde36add41b40a2a

SHA256
6af596d6d44c1afb7d952bebd40e877a3c8f41983a1e231f92aad97e8355aeaf

SHA512
8be39bc4937feaee87afd472bd26fd95692348f32b69ba2e9e6c2e6994c3bea609060f486d8a47eb2fc5a4f103ad0c1bf73225bec8e625ab6be3eace4339560e

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
90KB

MD5
a10f41dc01d48b5c30042ea481e8d941

SHA1
83b39ec803777e4ccc136214f9875277ed720fcf

SHA256
38f6740f034f0d21873af7c1695285726b6f157bb030ff18b68def742bc29dcb

SHA512
22686dff4ed33fd563a3db669f2f5400265a92a32e41fbbc1e1c47d5f23caf46f45f0d450c69a7b2cc75317578aac60d1d42019b25fad2c7780bd205860808fb

Download Submit
C:\Windows\SysWOW64\Ncqlkemc.exe

Filesize
90KB

MD5
d349f4c12c6e9433f65d5f42a09629cc

SHA1
10b37ff331da26f5e03698247f782e8c34f33bcd

SHA256
54fc9e9ec9d7b7a6ef613ce002e26d2e16be6c9ff677e4afffd384ac47b79a13

SHA512
16485feb2b3c5313387b03adbe76e54c993e9ce8de1879e03ca8150f787271e79b8a6d27eab4f9b51c2720607320dab52a9a23f677d1f1803a6b0792c6a67293

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
90KB

MD5
239fd372c0ed724bdb92df482c693aea

SHA1
6371ca73c3a8c35ae5ac0b1999adada9ca081c38

SHA256
da41a74b910324b5eb77bae613b1e37f07d46ebcfd6da40fb9a14062fda14f85

SHA512
4355660568aa65f2783ade86983d33b3167bc77cb217a744fe2968ffb532a6eac7d8b9a6343c481ccb3d655a5e4b76a66c4be17bbb786e86a40c6dd7248bcafc

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
90KB

MD5
2ad7c1b8bcfe37459199f8d59cfed559

SHA1
67d9170efdf440ff9c4bbbc07ccd49b5a8ca02a3

SHA256
f76da48012a63c102c52223e34b666bfa554a20ba388a92d67e9def5c7e88af9

SHA512
342a60bb6e15fe7778678c11c191f3009ffdd33660cd1916544fcd6323a7b3d3b0295b71b29fc04fd18bbe9a32755a12356be03d71acdfaf299b2658ec97cf6c

Download Submit
C:\Windows\SysWOW64\Nmipdk32.exe

Filesize
90KB

MD5
13c8e1cd3807d16fe120ac1a9a1f30d8

SHA1
2283f33e592f8c1abef2a1fda8853c313c8c6cba

SHA256
c434f163ac7d15d3c3935c176a55a9ed81452e109f05b4296f1908295307949b

SHA512
1526ea235a2889bff6d35c071cb7491a7efc6796905f6ad573220540843aaa093794e10208f7636574d5d974662ff15d6fafbc83df19695abe5037c6a8a2613e

Download Submit
C:\Windows\SysWOW64\Nmkmjjaa.exe

Filesize
90KB

MD5
d0bca8aa026e5be794d403be4f11a469

SHA1
c58cfc4305df054548f300963dec26b57c6d9226

SHA256
c8d3c0bf11a51de22fca4ef4b3e2c59edcae9e186ac65d39c9c865094d56e426

SHA512
dd931e6ee617645cc18d55167ef483a2d48302d4098022d9dfd070c1452feef2a9b8bc855cbd938e5295e88fa788389111d89b0f79b365e98fddd47240993222

Download Submit
C:\Windows\SysWOW64\Nncccnol.exe

Filesize
90KB

MD5
ef1ecdff065972af1a51d53d4c41824c

SHA1
e0afa4f23dbf8aeb2e144e8c78dd9de5bd378f09

SHA256
a6fed6b8d6db41578bffb0f27111e8c691030ca4fc577d704445db3996eb20df

SHA512
70ca5cb7cc37d95b9fd8ab7c474d79ab427a0b71d44acf3460a4f3df20f321807d4ea8baa9d1f7ee0e794baf4c1cc459cba5375d7ed44ba58d14a203d55129d7

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
90KB

MD5
6fa29f6a10f9b1069f123340132943d8

SHA1
a8e791bf81750124293c5e6b8535bea067d46598

SHA256
8fd88e439e85158f9d7f6e70a87eee403a67df56bbdbcfefef4b52985cafc9e8

SHA512
325d14927de9d92f4d5672176cfdbc1ec90e693b07d03c63d00b2482f531199ac9b7727aabfa6dbdd2b5cb06ab571cd6f45840eaad6118dd8222389762be2f53

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
90KB

MD5
89cf8443b7c048e2027bb6b06c34bdce

SHA1
c84db274810784052905cd7284257e987da97104

SHA256
6d1aed3b829e23d200385dd77d29ba3130223f524a897e1b77145e157b034683

SHA512
6a781da9fded8efaae6b54402daaa458116df85327dc8fabc8d1f6b84ebfb79886d25c02a039e83b5afe02719d0472ed90834ce6eaf1ccf85f1e3068ff16583a

Download Submit
C:\Windows\SysWOW64\Oaifpi32.exe

Filesize
90KB

MD5
712e8207e129caf1bc26b2693f0ed415

SHA1
377d3053dea4f64714af11a12d47bd7d0aa8f5b3

SHA256
a8f2cb57b6a6dcca4b0f99f3f694108dfac3d77be7c8bc7401407de430e3e565

SHA512
822d6800094698d7d71066957a8e967b829ab6986b44b6202423e026662331cca9c4bcbe90c246678515a7dba818b0abc7bca14b99f876f8bd58fdbc935d5c7e

Download Submit
C:\Windows\SysWOW64\Oaplqh32.exe

Filesize
90KB

MD5
80b27f54d5f4b458f76e8c35522ba118

SHA1
2224f84cc4bfcc4124d2c79ad7359aae116459da

SHA256
34f06413768e68a7e8f99aa867b1b86d460d32f0c0be04c31822ae3238041ea9

SHA512
a9bb9a84e271fdab9894168016e4249fbb252aff89f20c94c0010b17946e7520add16be10cdaab97cbbe029ed1b61bb583f95c2ee529a422a2bb00822e89b165

Download Submit
C:\Windows\SysWOW64\Ocjoadei.exe

Filesize
90KB

MD5
5af7ebda9ad7536d126ef85c1f6b8a3b

SHA1
88cedf334c7b1be296eb29e0879841cfa5fd9163

SHA256
7167be7ce305ca15d1ab88b1b5551683e9c33a84d568735398f45bc1403f5716

SHA512
5f5b211aab9af5b60015a0e607f3232eae492ff5d1cd4062c7a126519c3da0fab9892a935ff7ee960f4470e70d2dc849f77a98cedde988d5f66a650d621c9c9f

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
90KB

MD5
2ee9757d5a277dea65231c5745bda11d

SHA1
b3183d7f3544eea39649c6158c26dabb83a84c27

SHA256
f54cc9c4f1710b237373f02284ce47416bb50eb0cabd0ae7886ce1924cdf7964

SHA512
86dcd113b1b7146213405cda8d49618448c3e7e92ce17f36e4a818ba488a9a834556ff9a4cf439f21add39d7adccf4fa8713d4cc0f530c6fa01b3a50ad41ff91

Download Submit
C:\Windows\SysWOW64\Offnhpfo.exe

Filesize
90KB

MD5
b110489bbf07d602b248db2f5a71a720

SHA1
6f7bf59c43c8ed136f51aaa52c91d338304f0f1e

SHA256
c06dfc9a9822bf5d57d8b034f355d01410d3d9ea41fd63cd9b96f5dbc50cf9db

SHA512
f9c7af4e7bc0786823de668f6a2bc2e842732e74f3e427e7d35f6e933cf5c2659f06ff68d3b0eeba7e04169e3f89a549444077d7179e4f683a696a28e088b84a

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
90KB

MD5
d9ed6defa5a98cc780a2d6531210dd62

SHA1
1ce6cfa797487388a6fb153a4eae45756f23471f

SHA256
e54bfa794ed78ab7d4f35e733c162b2f8ef221ca60b03735e25dc97e1a569925

SHA512
82089e9041020cf63063fc587f0a29b9772b75f652052d544e3d6c125ff9d3df18a393a8a78a478cd3af866d7ad202e43e9b3a944e80e3cdedb6130891482f6f

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
90KB

MD5
fd68a41bd16bcf8a35e3bd215bdf226d

SHA1
93e18bc3224e2ea60594484828423ca2114f0bcf

SHA256
519c39c824edb5e53aef4d3bbe822e2f764a357394befe358a5a3b62009911dd

SHA512
59c8042c0d4080b660322db952264c90b3dd249364605b89f625bd7b36a67c87e451c3959700320c02f4b54e3332ea113436bdc9b711f5a27bf5645319823330

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
90KB

MD5
c2e55f8aa748ac8bb6fa9f45b759d13f

SHA1
4277af112bbd9cd54103bd65acaece48ff31bdaa

SHA256
19ce63dc690aca2ebf5bba828c20a5ce2926a75f95ae1473cd69f46ed499bd92

SHA512
36f72b367e35e0530583eb655599cb8394d32acde628d14a0c043bf61fb81ce704d85f85b3b90ff6fd13af137f8317ceaca3047d6939564d6f69b04beb88ff53

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
90KB

MD5
1451026058924217e408f77baa86c1fe

SHA1
dc235ffe8e1421cd0bcb90bbad67d2bf7d7243d0

SHA256
b81d29fa35381caf2a9548e5d61f82b8ab631d406cadf145f0b1c5346799f05c

SHA512
bb651cfdb2a91a79a93bba83660ee106fa05491ee609d5413a23a47b1d230e5f6ae839eca77012432289042bbdf56d31b407d5392d86647e2d2ec3953a832077

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
90KB

MD5
5397aa0c3a57f988e34cdb9299220a7a

SHA1
c02707e7663f682c2e9571e229e8436f91820bc8

SHA256
80a0bbf195d60d6ff36c746c1534d8eaa12c8df0fed516de23a2fbce83235e72

SHA512
146638495f5ebe9e925aa85ee6f147a42e11e9da220489d42a9af305662ddd0ddad05fe1a004db77738ae1940765bbf2b71a74324b0bcc70f45db583e194fb73

Download Submit
C:\Windows\SysWOW64\Ompfej32.exe

Filesize
90KB

MD5
07fe4735e732cf255425f22024e529ab

SHA1
5fdcbb6f919c972b2edb3b5e887b7969bccc2a4b

SHA256
254bdbfe0f6f4c11fc236f6bd2dd42fcdd0266478ed056343ba4baa17143b20b

SHA512
5b1a418c06c7c91efc482fdbeb2174ff12b77243862bb1d245249f09c792e7f7d14b27391951e83ab127eb2a0b01d6d36498cc53fc72cf4e9a584ec839e65ac4

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
90KB

MD5
fec7503b65cf6460b5f67376ae5e0b5e

SHA1
e8b1acabdc888b8d20b26f3f705aa9d000897e8d

SHA256
6254d4178b37bb6dba3f4a9d14e90785f4ccbd207cd3bd9e64713b2641c59c9b

SHA512
88a99fa6153de1ba24c143ea8a3e5f848d8eaa85b260eed4fba42bf5421ed9ee4a2b344359b6922764ac813a62506b281744857f0fb1ed5e3ba451f9b12ff319

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
90KB

MD5
a85c85f0a8b5516e982ede08f1362b18

SHA1
141fe9bfa9743c2b39da55f8cef3d62a14c7d81c

SHA256
4785506f5d76a4d8cd6834d3241f3bce1d96581b173cb0eeea38468374d12242

SHA512
6dfa33d277f4e03680672988d0f7b917cb8d3e1096da7995925c980a6246350d0c31c484e57e8407b00e4fd2f4557e7a71101d30c65f6ecd6fa10c9e4797e9d6

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
90KB

MD5
2a6e1fb4fff3f38e8fc849fc02d155cb

SHA1
3a769b5d96bae65b174854ad4e2523835fdf99cf

SHA256
58634335d6c551722034f5883f3cf73aea516519a145dc589bde9643594b408a

SHA512
47dab4a30d1076b578425e60c97c26d455adeff18a17f3fe51eaf80850cd3b35bf438e061d0c7782ced4b88a2dd33731fad13794ae3ada09296034d266a0be1f

Download Submit
C:\Windows\SysWOW64\Pccahbmn.exe

Filesize
90KB

MD5
2251da1fd3863652b9f8e32d281e448f

SHA1
4d96b709d94e89c022534d0a7b1b6e6a1a29af1c

SHA256
831d5d3285e47ffce73908a6ad39ce8bf34d68c8840e78b0f777c0bfb6e69409

SHA512
9b01f89979bef3c8cbc381464e37509a3e9406c08a786687f29f18c3a61698ecb3e56eb1cbc199421bbb39580d6ed4df736d28ad4aedcb0a09e7d9f9eb0de5ab

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
90KB

MD5
7a452cf4f7ee69f1bcfb71315bcf0859

SHA1
d6c775ff3e89782a3426f19ca7d692bf37982574

SHA256
96a92a3c420f91c46e07a99304fbea32c1216353b91b7fc665abeaa4372759a1

SHA512
1f3705153ff2b858e9be3fa5ce3f212bdb0d89d82806de7572dd449fb025500ee11f5246a4d57bce29a18dd9507d3bd129f006eac854037c3d5d08aeac1e9654

Download Submit
C:\Windows\SysWOW64\Phcgcqab.exe

Filesize
90KB

MD5
f9d2987f0007c799b32bfd96bff85f25

SHA1
9865da12a9c3b7a2c120bcf54f5c51156debb55e

SHA256
248f2e8604f507ca4b4e7e524a7c52e4bf2a475b37e8524d3f05fb1c9cf7f60b

SHA512
d04d6580c51f84cc1da71b8e4721410f0cc3c8747dcaf6c4ec698f86e0cb46f5e6182551a5f47260fad8bb2050001543e439397f29bc50aa0809ef3163d7b47c

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
90KB

MD5
baca1f7737ded6e394a9cdbb6f956990

SHA1
03ca1c15b4059a1806fd97a57005e84ec02d9c6d

SHA256
ec62b1fce4141c00dee424189f6b717baddd1be137953d59048fe96388fa624f

SHA512
a02b7a7bfa89b79b3511682ec3cb83b11fbb5cae094fa9dce91529377c82f5cd382e1b85b43fa9273aa8e0f1c4ca28ee3de74b88d9e53a977be31bf8d3614ab6

Download Submit
C:\Windows\SysWOW64\Pjmjdm32.exe

Filesize
90KB

MD5
09a9b30e98c14f7e383798a02dc66d26

SHA1
b73c52344c1648d9369e27de133625538b4f3fba

SHA256
b4592cfea414888c22e96ce38959598afc0237ccea331bdf00f5ad8d10210bd5

SHA512
3d661ccf4c836e2093af179e15a503d5f6033942b9b41293bbb2d72ee6d7c517d10dd0649d49aa097e9162ecab87a9e9a776a006d260764b207924193c9dbe79

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
90KB

MD5
360ec987ccdf9d3da78debe42da130a6

SHA1
b9665568aefccd5d3acc1776ab925df2bd074ebc

SHA256
63f28e26755b629a35a84349b466ffc16bceb6b6c6c7195720a69cba0ce809f0

SHA512
e7e265a7a58d77483c3f476d04f9f684db0328c34131c777d5c4d2910be61bfd83019c736e71b034cf17aa7b0a0c2c7e9b4bef41d0dd0b929f1122553a446805

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
90KB

MD5
0271a917b57622fccf779ac87f26937d

SHA1
fb934fae348e1789cb748ff820f7dce4f5739af3

SHA256
fd6919cef59dd23834cdbd1cd229d757dabe322b52f357c4aa8c754fcf3b5812

SHA512
3f90ef7f7dd2188eebf6b4edc8200867c0c8948aebe9c4f039b0db09979cce82979f19e46fb26a57f3ccf42cbb1664815cb5c43219b66f1a03fac7030dc87a3e

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
90KB

MD5
88b135440d3650313c5abced31330a36

SHA1
0f60397943e626f51166818fc69b97586df2b7cb

SHA256
ff4e09652b60f1125fe37adcc67eb66cae050b941df05926cd78ef76b2e78093

SHA512
64b3a55b0e63b2d910b4e7d94df87c5d9290d45fbfe523733ae060d52288e0e05d581d1681f84016dd330b8edd1c6fc4721ecb97ee10fba42176ab714ab75377

Download Submit
C:\Windows\SysWOW64\Pnmopk32.exe

Filesize
90KB

MD5
70c3bcf195e91c5af9d49863e6f604db

SHA1
b5be88bfdd11cf425dddd11ecd068832a1141702

SHA256
5efd637143b432cc416e08677fa1db95f9dade3ccf2eec390d1e265ddb77cd0b

SHA512
267799a516a1431e12e9878efd079e3fb35a89a0746f05bdb56c94d4eb1e567fe66a1bf7b8c2bd3bd1764899bceaf7a74765787e584f5ebcafcf02f7bd2bd3f7

Download Submit
C:\Windows\SysWOW64\Ppjbmc32.exe

Filesize
90KB

MD5
6fa22193cf260d88e7bea2a81b2b9120

SHA1
ca2dd53f3b521f13a52424b7accced5db84bb2fc

SHA256
9870ffe846dcb98033fb5c42f44e7f4e06932ffaa33cbd7d17cd177ca7cf9f28

SHA512
13ca2b6a2ebdeb93f610ae3ff5909148595c34b87f47e094133ae580b1682bab09bc03470a12232e7304a13ae502def2e7ee6b42a5663f1b79451807a5ca89c1

Download Submit
C:\Windows\SysWOW64\Ppolhcnm.exe

Filesize
90KB

MD5
8c5b3a446e10f74e05093aba818905f1

SHA1
79cdcabe56b6ef2fa7abf220825add92063216c2

SHA256
bf3ef61f45f71bd460dcd2a0d34964bd586b6b4c754827fad77e752133d6f123

SHA512
aea7a83cb09be694d5094b6bc77026840398583ee727e3043ca07c869e913ff697f87f9aeb115a73d16a9557788f002e1b5ff68eb8e8e0d0856237b8c3ef719c

Download Submit
C:\Windows\SysWOW64\Qodeajbg.exe

Filesize
90KB

MD5
ccc85c829236216b971448633a94f99d

SHA1
28aa58cc90ea8e7bb3d474ef5f466920f3707047

SHA256
c49df0dbda54da10d3e8c6f25087e1f33cd9450a0776664a8badcfc085bd46ca

SHA512
c211e3fdf843e43246d8048146a3d702ceeacdce350115c16fb2b46e15b435f11812d48d5c4a2e649141bb72fc650cef16105fbafac6cfecfab00d53b1bd4a35

Download Submit
memory/116-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/468-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/536-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/652-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/928-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/956-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1044-573-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1060-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1060-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1192-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1192-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1252-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1292-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1388-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1416-205-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1484-442-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1724-328-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1752-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1760-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1772-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1864-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1876-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1956-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2004-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2116-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2208-232-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2344-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2488-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2508-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2636-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2704-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2716-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2732-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2780-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2820-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2864-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2880-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2880-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2904-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2904-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2928-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-565-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3076-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3124-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3144-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3176-240-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3252-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3332-215-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3428-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3456-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3500-586-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3548-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3624-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3632-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3820-441-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3904-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3964-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4048-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4172-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4220-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4264-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4328-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4380-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4408-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4444-128-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4500-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4524-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4564-587-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4576-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4756-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4756-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4776-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4784-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4848-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4900-594-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-580-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5060-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads