berbew | efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
Size

89KB
MD5

df6ddd99c78516e3f79e54bb7b120485
SHA1

d03fdbf8e182c809397dfe408ab7b26494f50b21
SHA256

efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e
SHA512

1f9cacadcc008e21fe5a8385ce5a39bfeed5c0b39d47262d2f77b3d339d453d4341e9d70d31bda744a9dd96fcdab2dabee0932011f1084be93549f6d8ddb7b51
SSDEEP

1536:W0wHs+KoOyPks+WH5cb8oMPi0nCCN7rBDRQeD68a+VMKKTRVGFtUhQfR1WRaRORY:bwHsocsj5cQLi0nJdeXr4MKy3G7UEqMR

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3684	Mpablkhc.exe
2648	Mgkjhe32.exe
2972	Mnebeogl.exe
1600	Npcoakfp.exe
2712	Nepgjaeg.exe
3680	Nngokoej.exe
1388	Npfkgjdn.exe
2416	Ngpccdlj.exe
752	Nnjlpo32.exe
4748	Ndcdmikd.exe
540	Njqmepik.exe
1372	Npjebj32.exe
4256	Ncianepl.exe
4576	Nckndeni.exe
1592	Odkjng32.exe
1720	Ojgbfocc.exe
5068	Opakbi32.exe
4540	Olhlhjpd.exe
4172	Ognpebpj.exe
1528	Onhhamgg.exe
3484	Oqfdnhfk.exe
3972	Ocdqjceo.exe
2288	Ofcmfodb.exe
4368	Oddmdf32.exe
1488	Pnlaml32.exe
1128	Pmoahijl.exe
3948	Pcijeb32.exe
2452	Pmannhhj.exe
756	Pggbkagp.exe
848	Pmdkch32.exe
4336	Pcncpbmd.exe
1984	Pjhlml32.exe
4532	Pmfhig32.exe
1012	Pcppfaka.exe
3004	Pnfdcjkg.exe
536	Pqdqof32.exe
3064	Pgnilpah.exe
1016	Qmkadgpo.exe
3300	Qceiaa32.exe
4268	Qmmnjfnl.exe
2564	Qgcbgo32.exe
3808	Ajanck32.exe
4128	Anmjcieo.exe
1000	Adgbpc32.exe
3272	Anogiicl.exe
5016	Anadoi32.exe
3236	Agjhgngj.exe
2572	Aabmqd32.exe
3860	Aglemn32.exe
2748	Aminee32.exe
2240	Accfbokl.exe
4604	Bnhjohkb.exe
4420	Bjokdipf.exe
3796	Bnmcjg32.exe
4852	Beglgani.exe
4344	Bhhdil32.exe
2276	Bjfaeh32.exe
3052	Bapiabak.exe
4804	Belebq32.exe
4492	Chjaol32.exe
3988	Cndikf32.exe
3424	Cabfga32.exe
3104	Cenahpha.exe
2680	Chmndlge.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Mpablkhc.exe	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nngokoej.exe
File opened for modification	C:\Windows\SysWOW64\Ndcdmikd.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3756	3180	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nngokoej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkenegog.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 3684	1260	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe	83
PID 1260 wrote to memory of 3684	1260	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe	83
PID 1260 wrote to memory of 3684	1260	efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe	83
PID 3684 wrote to memory of 2648	3684	Mpablkhc.exe	84
PID 3684 wrote to memory of 2648	3684	Mpablkhc.exe	84
PID 3684 wrote to memory of 2648	3684	Mpablkhc.exe	84
PID 2648 wrote to memory of 2972	2648	Mgkjhe32.exe	85
PID 2648 wrote to memory of 2972	2648	Mgkjhe32.exe	85
PID 2648 wrote to memory of 2972	2648	Mgkjhe32.exe	85
PID 2972 wrote to memory of 1600	2972	Mnebeogl.exe	86
PID 2972 wrote to memory of 1600	2972	Mnebeogl.exe	86
PID 2972 wrote to memory of 1600	2972	Mnebeogl.exe	86
PID 1600 wrote to memory of 2712	1600	Npcoakfp.exe	87
PID 1600 wrote to memory of 2712	1600	Npcoakfp.exe	87
PID 1600 wrote to memory of 2712	1600	Npcoakfp.exe	87
PID 2712 wrote to memory of 3680	2712	Nepgjaeg.exe	88
PID 2712 wrote to memory of 3680	2712	Nepgjaeg.exe	88
PID 2712 wrote to memory of 3680	2712	Nepgjaeg.exe	88
PID 3680 wrote to memory of 1388	3680	Nngokoej.exe	89
PID 3680 wrote to memory of 1388	3680	Nngokoej.exe	89
PID 3680 wrote to memory of 1388	3680	Nngokoej.exe	89
PID 1388 wrote to memory of 2416	1388	Npfkgjdn.exe	90
PID 1388 wrote to memory of 2416	1388	Npfkgjdn.exe	90
PID 1388 wrote to memory of 2416	1388	Npfkgjdn.exe	90
PID 2416 wrote to memory of 752	2416	Ngpccdlj.exe	91
PID 2416 wrote to memory of 752	2416	Ngpccdlj.exe	91
PID 2416 wrote to memory of 752	2416	Ngpccdlj.exe	91
PID 752 wrote to memory of 4748	752	Nnjlpo32.exe	92
PID 752 wrote to memory of 4748	752	Nnjlpo32.exe	92
PID 752 wrote to memory of 4748	752	Nnjlpo32.exe	92
PID 4748 wrote to memory of 540	4748	Ndcdmikd.exe	93
PID 4748 wrote to memory of 540	4748	Ndcdmikd.exe	93
PID 4748 wrote to memory of 540	4748	Ndcdmikd.exe	93
PID 540 wrote to memory of 1372	540	Njqmepik.exe	94
PID 540 wrote to memory of 1372	540	Njqmepik.exe	94
PID 540 wrote to memory of 1372	540	Njqmepik.exe	94
PID 1372 wrote to memory of 4256	1372	Npjebj32.exe	95
PID 1372 wrote to memory of 4256	1372	Npjebj32.exe	95
PID 1372 wrote to memory of 4256	1372	Npjebj32.exe	95
PID 4256 wrote to memory of 4576	4256	Ncianepl.exe	96
PID 4256 wrote to memory of 4576	4256	Ncianepl.exe	96
PID 4256 wrote to memory of 4576	4256	Ncianepl.exe	96
PID 4576 wrote to memory of 1592	4576	Nckndeni.exe	97
PID 4576 wrote to memory of 1592	4576	Nckndeni.exe	97
PID 4576 wrote to memory of 1592	4576	Nckndeni.exe	97
PID 1592 wrote to memory of 1720	1592	Odkjng32.exe	98
PID 1592 wrote to memory of 1720	1592	Odkjng32.exe	98
PID 1592 wrote to memory of 1720	1592	Odkjng32.exe	98
PID 1720 wrote to memory of 5068	1720	Ojgbfocc.exe	99
PID 1720 wrote to memory of 5068	1720	Ojgbfocc.exe	99
PID 1720 wrote to memory of 5068	1720	Ojgbfocc.exe	99
PID 5068 wrote to memory of 4540	5068	Opakbi32.exe	100
PID 5068 wrote to memory of 4540	5068	Opakbi32.exe	100
PID 5068 wrote to memory of 4540	5068	Opakbi32.exe	100
PID 4540 wrote to memory of 4172	4540	Olhlhjpd.exe	101
PID 4540 wrote to memory of 4172	4540	Olhlhjpd.exe	101
PID 4540 wrote to memory of 4172	4540	Olhlhjpd.exe	101
PID 4172 wrote to memory of 1528	4172	Ognpebpj.exe	102
PID 4172 wrote to memory of 1528	4172	Ognpebpj.exe	102
PID 4172 wrote to memory of 1528	4172	Ognpebpj.exe	102
PID 1528 wrote to memory of 3484	1528	Onhhamgg.exe	103
PID 1528 wrote to memory of 3484	1528	Onhhamgg.exe	103
PID 1528 wrote to memory of 3484	1528	Onhhamgg.exe	103
PID 3484 wrote to memory of 3972	3484	Oqfdnhfk.exe	104

C:\Users\Admin\AppData\Local\Temp\efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe
"C:\Users\Admin\AppData\Local\Temp\efde581d5ea04bd4775e92fbcd46da93eff10c397d6cf4795d500d5e30bf1d2e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\Mpablkhc.exe
  C:\Windows\system32\Mpablkhc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\Mgkjhe32.exe
    C:\Windows\system32\Mgkjhe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        26⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        27⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3720
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:368
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        89⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 420
        96⤵
        Program crash
        
        PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3180 -ip 3180
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
89KB

MD5
680d5d868471a65823cbbbc4bccb55b5

SHA1
a4e6877c94903e2253d6a094a17fef55ff02e974

SHA256
05d82bc34b91a99184c4b01b3cf69605778b309947a168e8a2659ff3f3183341

SHA512
1340f84ec819a6877af5962642699f9bb58cc630904e6e4ec11e99836a8145534d8ca3da3ffc7e85cb6bcc97c33124f5fc8d921d316afb72468bec1a8da419f8

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
89KB

MD5
73b9892144299b04b9c4221b30e1d161

SHA1
21c03c46016510d873a8f8e9193e915aa97c59b5

SHA256
7a8e12db202fdbd6ee5656c224a4c20ae9f088830c991f679d3d7e171a67da22

SHA512
0d91b907290459beac17a9f3d978ea0085a38415abc638ce64e38894f7abcd52820897ffbf969642f6a55456c9e82f64fb76f300a2d04d411e038897821447ca

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
89KB

MD5
0ee4b2ab6a4a9b3eb16d639561979820

SHA1
1cde2340f6a055e729fdfc090fe28bdb40b514b9

SHA256
4ab2b11481e3e8c8d74a5d290c587e09fe4506d8d1700fba3cadde702e332924

SHA512
dd1c72a237369872c9f7fdd66fded802e999ddd05eeb1d9e532d36fbceba84de73743b91556dbf2632c6c92b2c588de73d85bffb10e9e37f4fccb16b197b784c

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
89KB

MD5
bc2943dce4fb2aad7547f4d44d5f1292

SHA1
a72e0e11459399471e2d7c5815c33bfe4773794e

SHA256
32158c0d909803aa2cfcba86cda7277f558e146870064320d1cbca87226b14ba

SHA512
41b873e250da02eab0cd33f0bf2cf881028fc54ca52f5e4f70da054a9144b3e20ab0be7226236b2d8abd655119e704962cd653b0ce26af0d4adfb53b0ce231f8

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
89KB

MD5
49f2065ae02410b2daa3ae9f075a7f1e

SHA1
e3b0f420c8f67138fd8214c82f8ff844635e0f2c

SHA256
f14a9ae1e217e9e9f6e8989196dddbe40034b8ca124b74c9d165debec0a86d1a

SHA512
479984c90f74623a9771c63b085d30b9087ba93742005b32fd24a163a0ab5f530b05c05adb7e5f30ae70cc12036e16d67cd8ed96f7615ce2b31deb43e3ccd1fc

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
89KB

MD5
7c993f6f6ab5f13376644e3d161f3cfe

SHA1
66522043e64c2ff15101cc35615bcaef6d1ea5c6

SHA256
9d70569db39ab923e5d956bb7300c17159b2718c5d4a3306f7d1b9a46fe712a9

SHA512
7b34beb3cb09b7b68e52ef94e7e0c4723072d4352bdfdbcf45a89676975d0eef36b775bbd1434f49bbf4aa1f57cf4150aabf7b48de7e307fbb513aeceff9b8e8

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
89KB

MD5
84df17d5e389b0210e6bc6ffc1e538b5

SHA1
af6c7bad9f340830a51fc64cfb4237fa262cbd42

SHA256
1c5d876135942a92fba67fa9654cc8f018ca7ec40e4125f1782503f0a666ff84

SHA512
3838efe772af8d99118f5966103636b4a5ad92a1fb5ef232f886e35e38420d7b2d0b6402f02394b425ef9e24b1cc275d5d4cdd408c34139918b955b983796a8a

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
89KB

MD5
b1e6e5cda996d4c63450ed670d56e126

SHA1
4ab45837dd27a534b9e331a7c8aec23a8593c3b4

SHA256
01e7192a3c48854fbc98a02d9f390104c1e600da965baa460cfa86a9d4a42560

SHA512
4a26b82f2003a1df56e073e04bf07a91e2ea9c4e1af804eb9600624124d0943d8237b51b02439f14e17034a7e2f1314edb1e1a79ebaad7e4e35510d9fcc8be30

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
f1ebebfd50c64f0a0aadfb5bcb330ae9

SHA1
4ba7313e407a9ef39becc79cc6a6d9627306c725

SHA256
f1f879604d4aebadd9bc06ca637ba54d2ab2b31826fa56ef6d05e1a55a635757

SHA512
21df2300f506f9c5f31fe302e6643494ae8022c5705f8f0c4eb91af070e49867684565190d4ae8c72c04b3acbbcbec1e94b2e6c0da0161fd19bff465938767fa

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
89KB

MD5
78023328c0d182a017776077985cc301

SHA1
88fb3a0d001c6783e4f24c2f9c76c46ae0547753

SHA256
fb57587e74883278218b04f5b26ff2babe73f407373cfb5267024d27ba98aef7

SHA512
e3c9bf1539ac96380d4ad91b496c3a9879e3b26c4f47e183c897b370414fd56a800ba22ef31845894f6f5e1adf1eb79e808a240c2efd995c90e9c08d1c0afbf1

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
89KB

MD5
1d6f452884885515f42a8f6ad8d20d74

SHA1
b43c1e7922cc641d08a8ca0b4040508783ba00d1

SHA256
4e00b63f911489b3ac5d427a8981b1cb47f3f3aaff89331e0b6b49add686cf4e

SHA512
225af4e143c1b560479891a44c9f2d3eaae14393d018c3b907cff3c2c0796518a4b6244a6c6bc4f895bc4b8b59d0951edff183dcc3d412f0165da1dd69b4a1cb

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
89KB

MD5
bb7936f88bd5ebe457426f65c2300efe

SHA1
6d9aa8f82bc0501d066158c89e077b62b1bb5842

SHA256
caa8de2b9d03ec67c91c69f302ddd5fa60c56f00996a64edf78ee7dc745dd9db

SHA512
583944a5723dd1f0632560715eb6146a9d38d373d8b8405d65ace2f26ceabd80e4d58e047821e2d5bcfceee5ca4769f45f48d1910e3f0f35bce96e647f541e9f

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
89KB

MD5
7848a97971029e8a30f1ab6f5443a3fe

SHA1
b5bbf4c39939b429efac6e1050b495ece13eeb7d

SHA256
5166fa64ca55c3fd2a8815897c79c516b04f45264eb1113481cffccc4ada9185

SHA512
f3deb5652d49c3c188504486d0787d13eeb2493d1b822e9127b15cd698ac3c31af597033e105e1b1b5b0b5a8da322e28189c4cc54c75c32b3319694fcdb28725

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
89KB

MD5
49bdf6e72dc1b67707e59e16d2b35c0a

SHA1
cb1232bd50f88936e43c0df857ba83460a8af0a8

SHA256
378bac8e832a8df26e66970a9afff60dcad9d9fff994eec06e0ef40a243e2d7e

SHA512
7353aa76ed8ac52d965209e2ccbbc10508c23d6cc04edde801849b2b95f48fa478208c74a23a15637f003291a8f38bd1d1c46608b425b0b53425c9562f12bb67

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
89KB

MD5
86eaf89e36c6772262df0e27e45bb0df

SHA1
3be53b0b86503974df14a88880c73ff88253804e

SHA256
4351672ea2bc04c16f94f95d23651b8f982f6f8c5600babb50d12df28c9019fa

SHA512
65f712d4f7fff43b98338bdeedbad4e14826320b62ecad65fa34a0ea2069860d26a890f096ad61933bea884a2a651a0054602a592a7b78c6239a6fe98700a399

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
89KB

MD5
931366a7050cecf4fc8bb0bb4a501043

SHA1
73ffd32c20ae619fb75262af4d5ed5de67e73cb1

SHA256
34922a942b7cfc025643517baa1ba79ddadb768ec619f7df65085a99353a73f6

SHA512
21c6afff029e734e32ccc58221f9be6d0b6fae7ef94220dcf2e097b6492f0256f3e081455b851f97440ae6354cacb8ea454461c760cb395f5fb35a438e135c61

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
64KB

MD5
5a612d19fe146eeb487013aa5a86396b

SHA1
6fca99c4bdcc1bb4ce187fd9c088dd0336a236d5

SHA256
727b1ce855257ae4ad83959b4fc28513c357ab71dec67897bd70947b5d9a8773

SHA512
395adf5ad3b7c6bf04ba164cb8abe4f423339c6dd17a58634be4c0264d57ba4ba4e82caab1f1c0ff9d260f7a1280fad088d0c088da10c427e35201f150b905fb

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
89KB

MD5
3ba0bfdbefac558b3bf6af0e290bfed8

SHA1
be71f0bb3554f9a258d72f5227705522f20fdf0e

SHA256
e93770293cce1ea44aacfff4af8e7f4d55595d93e94a10b032b674a13dc421ad

SHA512
f2a30666ffe5e8d1771d3109ff52e976ead8663e0e3522463146acf05697300a0044145083bcfd32a0b69b58ab4af5f7a104cd00581cd8af7d9beb1b783feaa3

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
89KB

MD5
2124128d9305db0023ecac51617116ab

SHA1
e7314b8853e756507f96ff1909999a3781c9227d

SHA256
7a7b58ba6e2ce020f04718877a2b633d470dc7bce6a05bfb28a8a3ca64392351

SHA512
01de86f067c2e91361599cedcf4dea70e397ca3fc4cff62579b1dd443d295061a8fb5832a72292d0e551c099c6165405f43cc10cb1bfdb1dd5638668f2503c8e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
89KB

MD5
b4b1a022b504c971cfe966cfc0e7c536

SHA1
9eef587d5ed2604c8fe264267db6b5053be2d5f0

SHA256
c9051051b518a798f4eec1fd13f6d849d5ad52d1063ca78a78590bb7445f379c

SHA512
438e501af36a66a998afd3156d6205c13d1fa91d376d8a570c67728ac3e27e97fdb2d152bad34b378f4dfe789669456707d01a4dd927d65cc178991c71b59749

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
89KB

MD5
93f33591e66401cba65cdd47b3d3fb28

SHA1
d6f8e3638dd0a00fd46843e29367f74f19646dbc

SHA256
0912bf4fcaf029c74519cb16546a4812a7d60ebbc4344e45362611a1a49e41af

SHA512
b0e37db449104d1065af4b7cf1beddd182029ebf76c7f33b9071a1b8155149b6f6627bd9cb16a6a7c794d68eb7b5114efbacc2db23e79ed9aa60a90641f51e6d

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
89KB

MD5
56be421f1a241ee6bd97bf04ba9a2bf7

SHA1
9922f08e479f2dfd67b41c3b441bf957384a3adc

SHA256
1af26ca4dcdc0db5eb586125a8867dcadc6b9dd3c7ec81fcb25f19e7bc9b1e7e

SHA512
1919bdf4f12703ee4c3969316e127b87a933c2b71c49adc697c4f8c89280f7488e084fb63da43dd5335e793ecd459cf639caedd726596c7d67210f35c2fb9592

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
89KB

MD5
df44a514d61778653e543e7460bddad5

SHA1
8f6616f2497dada2b6f3a68b1ef118a04fa782e0

SHA256
7cce79225fff962908a57f4a9c39ac6ea42620c0eefca3e548c139a20fe101b6

SHA512
4fda537b3467b9cd2e0970777ed72759721e4d8019157167c22bb675e45606be42b9af8f65e5fcb4f591d280e079e26aa2aba40b95677fa32761faf9cee0a041

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
89KB

MD5
f010daffcf8fbb91504cd6644bc10def

SHA1
b8cfb3954c492d8e0fd30454ad7f885aed5e32a8

SHA256
7fea3512d14f781a0eb9ebca1728fa2c7f20d42f5741350ec864507ffa8851f8

SHA512
9c37246e3a74e63b97f0bcbf7cfe8b5e87e8d52c11a888ddb6aca23fbb5ebc53e716b725c243b39eb1f68d4076ae5a0a25166b9317c28e306c734a33a285343c

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
89KB

MD5
4473761f803779f74d9b788340f7ebea

SHA1
b75565fa4b7c1665a619f2b92001c922f149ad97

SHA256
36ad363f0509ec4668f0e4941a46a69d0305b1c8e5d62fa221d1204a1a3b82cd

SHA512
1152cf0013036473675a8aa0cde7770483ed737068ed378e4ab833c20ea7863c892dd782f7ae5857991e08224dd08e1a475c6e7b05ab36197f7c3f903cb4f6a6

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
89KB

MD5
753fbba469b430e63a8ad2ff15f09c73

SHA1
d0c13e9bcf162d9a13edb8117f20b9395427e293

SHA256
001bb4b408fdf726ba9fbfde3f41f39b6ffe0211c26a61d27ac68cbe82061a0c

SHA512
f5e7a9f5e7cbbdc27f1252dd41e61da3325027a59d79f8f443b441a873cc33c20857535d4ca4a78eb50756ef7e1c909448b5baa2fd674dd20e0443a24058cc0c

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
89KB

MD5
6a3fcc5e123ae5efe0a342d0507705db

SHA1
933767f83cd16fbaddd809a958a9ba87a40867dd

SHA256
6b74eca1ffac3e3cf01764a8bcb91a1ca916c31798c81ddb50b8ed2203f38b58

SHA512
8acc7cb3acefd3947fcf5b9c0f16e7fa9da92266fae774b267410cbac330bf9231c05d2c9ff5eea5cbfa5ee5a2ab740d4d98dafd5c97d53390b6268bd60a6abe

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
89KB

MD5
fe102a0192171d2bc84bd65fd827d72d

SHA1
5adb075cc8d8ef03904df0cf97dc7ed098b06efe

SHA256
70058ea1e1289edf8499899583129d6bd90e4489a9923fa684612d2a2a1526e9

SHA512
a9afd8018c5a9f35e6361e40d1b616b38e6b77cee05dcdc5ee1d65a09c57c98e54d060be80d3b270cce0ebe7533a687bf0ba8b5692f932940086bb34b34b7348

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
89KB

MD5
cbd0199ef09830dc64468181adb4e215

SHA1
3918ac03fdf4790a7b26c286fc13af55b3646178

SHA256
8942fbbdc8e03a7a931a8df25b984eac1a7d1db53142d68254984e38f647868f

SHA512
4da17723c28298234ed731adfee0dfab56305622effd2f40295f039dee2387f858ba1050875cb90b5a51866ec06925d8115f690f02e126980edbe5eaeca071fa

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
89KB

MD5
49d3b80b4acda69d9132acc3d4ab8fe0

SHA1
32d8c8d369c2599d564141dc15f03c780cde9957

SHA256
2fa64e8101370d4e8640528228ec85e3fbad62639c887b5348b45d302adc178f

SHA512
7763589d00882ac87d3867eb0c591fb34c7b02d915c13a7613905db7925e1e0759fbb4704a209a55fb64e3e8ce58d8105057e4eda4a4d94ec4985d49ab86c4a8

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
c04ab97f5cdc35218ab9a45300ce4aea

SHA1
3376e76bf356e39e7aa711b7e8d42d87206be8cb

SHA256
5776b26fa0ec48cfc8100bc924feb0d0cee7259e433781dc962b34ed95728dc9

SHA512
1ab7ebf974aa2131126bfe1c38de811f2111fbf6bfaebb429aae69c10dfce310c45dd527b157de14e3401ac501489cf762d54c48869a152e058dbf1541be7c58

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
89KB

MD5
45e949630c9ef7ca1580f910044f8cc8

SHA1
43964430d05ec6abf446cbaf9c30f0be25274c15

SHA256
3352f6e559156dfb1fea0b4a4691f25a60e03b7a33ea28343e8fb91aff0dbfaa

SHA512
5a893f0fc3f02206c4e665dae57f4d33ad30f76ec2bcd12993207bf28d2b09ebf4430d037be75b0756176f96f78497d9a976b829f5d05018e5fccc46ec0401ec

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
89KB

MD5
f2671b984d8989d298b6bc06d9a0d42e

SHA1
115be43dc5bf18a91706edd6e0a61a63d734c3a0

SHA256
5b8d30380c07ab685f86057d5e65a60b21c5f4ff2496ffadc078081b1584aa91

SHA512
c6b87f752a7814d997e7308ecfbd4ea18195a3ebf335d037dc07bd4573a1fc3bea99d5433d87bc356ad0d755305214fc8d627f845dd0d8f86834aed185a024df

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
89KB

MD5
60b24f86503990c3286a2b812667915f

SHA1
08a437cb074778cfd09666061ffc14e6bc806de1

SHA256
24e15e21a74e9eaa7ef6f55db3e9d9984492998afddfc1a0c1ab568dded8071b

SHA512
2f32b93baf8a790198f3f331a66da18640ca7d7edbabd440563b4c194d8541aafbfcb9058521b6aceb8fff1efdce895a6dac214454de26e37dff2028149ca7c5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
89KB

MD5
63cda0ee5a6f832b519592c1c03d0e2c

SHA1
da1a7b5e9bfd0867e9ff6b850ac59e27aa1bf7fb

SHA256
821bc4171582e1346e1ff3fd397c553e0981c475d8b82ce9826881a8aa7cc698

SHA512
f2a1e97ea208d57cdac6bb3b526eca9d7b7a17b8ba97db8f93a2095484d13a08df4bbdbe7bd8276fa5531cfb1f3b146ce18150685a73be62e9d98962343229cf

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
89KB

MD5
7f9b732e768458c48181af5f2b16a47f

SHA1
a53a8f668ce9b5b7194120b217235c473b562554

SHA256
42afb260c6618ab72456d99ad82d0b4cbbb7b0be626920edb7fcfbe421fc316c

SHA512
1ea930c2841e5ad1ba7898960da8effb68323810939613fbb80263b22985750b0295da989a42f0efb37bbff5316d0601ceceafcb8d6cd91417838a7cd2320ef5

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
89KB

MD5
0396264a7946add307e1e2aecf356816

SHA1
bcd161c53cd7ca5f6134b3c0a5d6dc9447247d22

SHA256
b627184f6e640f6719b912e465ca69d9bdde3d53e7a2ed4d71cfd53a59ba5aa5

SHA512
26ba8d39e92a21103d6d3ec308c9529d3c1a58e55bbe9a3205bc676a2dbf13bde93dd4a12c9791b43a15c8525f1e287ebca8effd8f01515363cc5432afa0e979

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
89KB

MD5
e8061a7465fadc75d4631ea7cdd5a473

SHA1
0c74506ba14247f363c7643c7e4733d1e284b6d2

SHA256
53fed7024161142062266b52121883e0d38e8fc0e5428b55c8c11e875dfe5864

SHA512
f524ffef05b56a1ef46063603af958b667e192ca12b0b224826b0ac71f914447dec5f9b2a7df67cb039c6339d1064a110067c8b5e6f92af41207939b649d9bcc

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
89KB

MD5
bfb031e441d6eff54d31e14540baec3d

SHA1
154228e7b08dcaba1770a94fc7472f51f769df4b

SHA256
c6f7743a85cfaea15c92ca4e67ad6a478abc48fa9aceb43b5e026d43219168b4

SHA512
744cf99d518f6cd474912896d3e4bc53ab1fad9c201865bb3d0755cc27131f6be6defc58161bb43793eefa19203d5194491f3c04f2dd57eed991ad4d70133de1

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
89KB

MD5
a51d61244b6c97b2402eb4026e02aa60

SHA1
b4ddb0b829d9732d0dcd0938407ac836afcb2748

SHA256
fe29607f5b2791c90afe9a3a7c267d08d712cecbdcb56633bf2a5ae03292669f

SHA512
a0ea409a19981b21b1f6263050165ac72e112c679f55f2ab312215c2112e3ae1a85a31c56b89bdeb21d9b402a44c6a441f29e4e64ab02b28b0ecd6fd5daac324

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
89KB

MD5
eb0f113d0f3b5ecb97b616f8d7e430e1

SHA1
b679dfcfa2a763361bceba6cfe622abb58a92f99

SHA256
74e47d8e42bd9a947e7d98c62c78836635e61ea4f5cc44162485ac2c57955968

SHA512
6c4200fcdc4c860b5fe90ba6a6a025e1c22b8a1da77a48bf08c21e176eca22b00699562712a87c3d565d3af02246b48adfa68008679f9aadfc2ed29eff7e87a1

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
89KB

MD5
2171929e6f64583f07104510231aacdd

SHA1
841d6946b40a360eeee30058cf73d2cf7d6fc21c

SHA256
03eadf2a3469b6d357cb885713b4757d7dbc9bf51d3275b568a41f5402abc6d6

SHA512
fe559cad694f0d83b056e2b62d97c12d96de50ad8e69889cef68e653f3634ce21d882d5ec8753b513d87add3ea931dc085729ed9f2713586c21ef1033abf8c9d

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
89KB

MD5
3c1a445a97a6ad30965800d1d3f48a57

SHA1
9a7e349463435d559e448dd54b6d71aa4da45123

SHA256
1614635a5f5bb28d7b0834fd28a8eb5387509348dc64a8a0b90d63a3a160c728

SHA512
403d911385cf76690bad7a8c4b296e49d2358e5201eb560ff3073ea09ecccb6cd5e6e7b2552ca48f539d849c511e38c2fdebfa9e481579ec21bc2b2570259ab3

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
2fcc69b3b1d3b85acf24a5d30a80b252

SHA1
01c7aed4023b35a1c43b1081c3975995d97296db

SHA256
4963424c3bd6a250dcbb499874340d0bd5384108ebbfef8638aa304e1821f2b3

SHA512
fae1c5f85b819bbfb2cebe4e6e22439bddd3bc57aeb0b34aa4287b241dca11be081f1a1aaf24f2c4e4b5caaaf480dfdfeefa4348425b3f89d6cd7b357140835e

Download Submit
C:\Windows\SysWOW64\Pnjknp32.dll

Filesize
7KB

MD5
b6d3c35561da6b26d3a8226b49f446c0

SHA1
9e7eae404a3e798815bbdcef7fb490e638f2edaa

SHA256
c521bb3a9aff5d82cd23a96f74181d81e6e4fed176c5debd92f37bf55c880826

SHA512
dbc5d7d3f5c1eb85df7a4ff5bdd71365fbde8e75a5957d020df93644753028737a0b72a4b1b47cac13118e3998e5f0a09a1af9163fc5b2d9620ff93980c172a6

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
89KB

MD5
f9eb2347c6b82ddef517f171d086e63a

SHA1
7fdf95b13a08bde22f64435e9daa01e898992bf5

SHA256
30098bf2bde64fba62705a4d672555dccb39f6e732d9ae090532c7b649266c38

SHA512
a09e492a39ef8522116121582ad305b49288e29eabd62a3e277707a826e922602914819765dd9592dcf0b0491b5ef52e4323ef0079c05609c3402593550497c2

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
89KB

MD5
26cfd9f7742518d00f6ba219c87f795d

SHA1
4d0d68b5a8deea5818241bfce2d72a30d543424b

SHA256
87312ba193f07df2ca84e57d4322c0dc528880318af7fe01a60e526ca0cb95c1

SHA512
d8780efb4cc40fee2f475ea1e747b40916b8e93b4e2347b6b4a5a9ee922860c7b76b76d1534446ef445eac0b5404578d316c87ae7b98585622a410df65be9924

Download Submit
memory/536-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/536-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-181-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/752-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/756-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/756-325-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/848-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/848-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1000-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1012-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1016-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1016-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1372-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1372-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1600-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1984-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-409-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2648-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-403-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3004-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3272-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3484-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3684-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3948-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3948-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4268-402-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4268-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4368-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4604-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4748-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads