berbew | c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3b

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe
Size

96KB
MD5

2b13c6ce8cd574c4ba95f3ba4c9de190
SHA1

b0ffd1647774bd7fbd518492dc223099b50558a9
SHA256

c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3b
SHA512

74c2618fe066c3d681bb3c10ef150fc8d06a96f1c09e8bbe10cfc164bc75effcc1dcaf73d7aaa590325b539ff6eab120c189741b40bea3d25699ed61112835e2
SSDEEP

1536:ylwKqLjCC9BVJcD9kF+x8hvOhWHs/Omg2LN7RZObZUUWaegPYAW:yeYAwOmRNClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qimfmdjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfqgfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bafdjoja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckfnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihdkgll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojljpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhobced.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qadnna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcbjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdgmlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocmhhplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omhifeqp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjgikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmalldhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bibioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Didnkogg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caijfljl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockkbqne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcbjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfapmfkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfegc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afepahei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Badgdold.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpofhiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqhobced.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjemfhgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppbeno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjjlg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bplakkoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caijfljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpehmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgkilok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ockkbqne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhqbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpqjfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgjbcebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojecok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnajk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfqgfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjlcfgag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakdnqdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkdkeaoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmljjgkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqhfkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qadnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aiaphc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidlmcdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgolnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbblbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbfemnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbibcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amdbiahp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblhokip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afepahei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmmdoppe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckfocc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omacef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oijqpg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1048	Nbblbo32.exe
4424	Njidcl32.exe
3828	Nofmlc32.exe
876	Ncailbfp.exe
940	Nfpehmec.exe
2840	Nmjmeg32.exe
2496	Nqeiefei.exe
3044	Nbfemnkg.exe
1212	Nmljjgkm.exe
3880	Nqhfkf32.exe
4984	Nbibcnie.exe
2980	Nicjph32.exe
1216	Nomclbho.exe
3948	Nfgkilok.exe
884	Omacef32.exe
3436	Ockkbqne.exe
4960	Ojecok32.exe
3496	Oihdkgll.exe
848	Ocmhhplb.exe
816	Oijqpg32.exe
1736	Oodimaaf.exe
4652	Ofnajk32.exe
3988	Omhifeqp.exe
1948	Ocbacp32.exe
672	Ojljpi32.exe
920	Oqfblcgf.exe
4852	Ofbjdken.exe
4276	Pqhobced.exe
1484	Pbikjl32.exe
1880	Pblhokip.exe
2580	Pmalldhe.exe
620	Pbndekfm.exe
3844	Pjemfhgo.exe
3648	Ppbeno32.exe
3672	Pbpajk32.exe
5100	Pjgikh32.exe
3584	Pmfegc32.exe
5072	Ppdbdo32.exe
2096	Pfnjqikq.exe
4720	Qimfmdjd.exe
536	Qadnna32.exe
1460	Qcbjjm32.exe
3952	Qfqgfh32.exe
3332	Qjlcfgag.exe
2668	Qmkobbpk.exe
180	Qcdgom32.exe
2140	Afcclh32.exe
1208	Aiaphc32.exe
3344	Aahhia32.exe
3692	Acgdelfe.exe
2328	Afepahei.exe
2548	Aidlmcdl.exe
1988	Aakdnqdo.exe
1404	Apndjm32.exe
2112	Afhmggcf.exe
632	Amaeca32.exe
5080	Afjjlg32.exe
2884	Amdbiahp.exe
3084	Adnjek32.exe
1844	Aflfag32.exe
228	Amfooafm.exe
5016	Adpgkk32.exe
1120	Bjjohe32.exe
1500	Badgdold.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omkjed32.dll	Nqeiefei.exe
File created	C:\Windows\SysWOW64\Omacef32.exe	Nfgkilok.exe
File created	C:\Windows\SysWOW64\Pmalldhe.exe	Pblhokip.exe
File created	C:\Windows\SysWOW64\Jkmplmef.dll	Afepahei.exe
File opened for modification	C:\Windows\SysWOW64\Bkcbnd32.exe	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgolnd32.exe	Cabcfm32.exe
File created	C:\Windows\SysWOW64\Pjemfhgo.exe	Pbndekfm.exe
File created	C:\Windows\SysWOW64\Cdonbebb.dll	Pjemfhgo.exe
File created	C:\Windows\SysWOW64\Kidbhd32.dll	Amaeca32.exe
File opened for modification	C:\Windows\SysWOW64\Nmljjgkm.exe	Nbfemnkg.exe
File opened for modification	C:\Windows\SysWOW64\Omhifeqp.exe	Ofnajk32.exe
File opened for modification	C:\Windows\SysWOW64\Pbikjl32.exe	Pqhobced.exe
File created	C:\Windows\SysWOW64\Okfkbcef.dll	Qfqgfh32.exe
File created	C:\Windows\SysWOW64\Acgdelfe.exe	Aahhia32.exe
File created	C:\Windows\SysWOW64\Bplakkoi.exe	Bmmdoppe.exe
File opened for modification	C:\Windows\SysWOW64\Oodimaaf.exe	Oijqpg32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfblcgf.exe	Ojljpi32.exe
File created	C:\Windows\SysWOW64\Pfnjqikq.exe	Ppdbdo32.exe
File created	C:\Windows\SysWOW64\Pfljelhj.dll	Afcclh32.exe
File created	C:\Windows\SysWOW64\Aahhia32.exe	Aiaphc32.exe
File created	C:\Windows\SysWOW64\Amaeca32.exe	Afhmggcf.exe
File created	C:\Windows\SysWOW64\Mifceapa.dll	Aflfag32.exe
File opened for modification	C:\Windows\SysWOW64\Bakmen32.exe	Bideda32.exe
File created	C:\Windows\SysWOW64\Ghfjckaf.dll	Bdjjaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgjbcebq.exe	Bpqjfk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkdkeaoj.exe	Dcmcddng.exe
File created	C:\Windows\SysWOW64\Nofmlc32.exe	Njidcl32.exe
File created	C:\Windows\SysWOW64\Qgmihlci.dll	Ocmhhplb.exe
File opened for modification	C:\Windows\SysWOW64\Pmfegc32.exe	Pjgikh32.exe
File created	C:\Windows\SysWOW64\Badgdold.exe	Bjjohe32.exe
File created	C:\Windows\SysWOW64\Qebpgnkb.dll	Bafdjoja.exe
File created	C:\Windows\SysWOW64\Cpcglj32.exe	Ckfocc32.exe
File created	C:\Windows\SysWOW64\Nmjmeg32.exe	Nfpehmec.exe
File created	C:\Windows\SysWOW64\Odcbjd32.dll	Pmalldhe.exe
File created	C:\Windows\SysWOW64\Bblebh32.dll	Qcbjjm32.exe
File opened for modification	C:\Windows\SysWOW64\Aflfag32.exe	Adnjek32.exe
File created	C:\Windows\SysWOW64\Bdjjaj32.exe	Bakmen32.exe
File opened for modification	C:\Windows\SysWOW64\Cpljbi32.exe	Caijfljl.exe
File created	C:\Windows\SysWOW64\Bpahcn32.dll	Njidcl32.exe
File created	C:\Windows\SysWOW64\Ockkbqne.exe	Omacef32.exe
File created	C:\Windows\SysWOW64\Ppdbdo32.exe	Pmfegc32.exe
File created	C:\Windows\SysWOW64\Bncpqm32.dll	Badgdold.exe
File created	C:\Windows\SysWOW64\Lgekgpjm.dll	Banjkndi.exe
File created	C:\Windows\SysWOW64\Nomclbho.exe	Nicjph32.exe
File opened for modification	C:\Windows\SysWOW64\Oihdkgll.exe	Ojecok32.exe
File created	C:\Windows\SysWOW64\Dmaacp32.dll	Ojljpi32.exe
File created	C:\Windows\SysWOW64\Ofbjdken.exe	Oqfblcgf.exe
File created	C:\Windows\SysWOW64\Fekiekni.dll	Qimfmdjd.exe
File created	C:\Windows\SysWOW64\Cmidknfh.exe	Cgolnd32.exe
File created	C:\Windows\SysWOW64\Bqghqo32.dll	Cgjbcebq.exe
File opened for modification	C:\Windows\SysWOW64\Dnbgamnm.exe	Dkdkeaoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqeiefei.exe	Nmjmeg32.exe
File created	C:\Windows\SysWOW64\Nipckqjl.dll	Oihdkgll.exe
File created	C:\Windows\SysWOW64\Cchiie32.exe	Cagmamlo.exe
File created	C:\Windows\SysWOW64\Pnhflm32.dll	Ddjbhg32.exe
File created	C:\Windows\SysWOW64\Nqhfkf32.exe	Nmljjgkm.exe
File created	C:\Windows\SysWOW64\Hiodmnil.dll	Oodimaaf.exe
File created	C:\Windows\SysWOW64\Dcmcddng.exe	Ddjbhg32.exe
File opened for modification	C:\Windows\SysWOW64\Cchiie32.exe	Cagmamlo.exe
File opened for modification	C:\Windows\SysWOW64\Didnkogg.exe	Dgfbochc.exe
File created	C:\Windows\SysWOW64\Iljnongi.dll	Oijqpg32.exe
File opened for modification	C:\Windows\SysWOW64\Pfnjqikq.exe	Ppdbdo32.exe
File created	C:\Windows\SysWOW64\Hgmqll32.dll	Ppbeno32.exe
File created	C:\Windows\SysWOW64\Binafnin.dll	Ncailbfp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	2032	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbgamnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nomclbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oijqpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfqgfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Badgdold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpofhiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjjohe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabcfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncailbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgkilok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqhobced.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmalldhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidlmcdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adpgkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojecok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qimfmdjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amaeca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhqbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdjjaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nicjph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aahhia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffihe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckfocc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagmamlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpjlm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pblhokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfegc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkobbpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amdbiahp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjfk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpgqgjel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmhhplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afepahei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakmen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcglj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchiie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmidknfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmljjgkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqhfkf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbndekfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbpajk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjlcfgag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bafdjoja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omacef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfblcgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbikjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcclh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bplakkoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjbhg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmmdoppe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdgmlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njidcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofbjdken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjgikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcbjjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhmggcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjjlg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkcbnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dckfnd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oodimaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcbjjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haeknohg.dll"	Bmmdoppe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lldllaon.dll"	Bkcbnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccfmcedp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apndjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofbjdken.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfqgfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njidcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjggaiai.dll"	Afhmggcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmddk32.dll"	Amfooafm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdgmlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbblbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbfemnkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgmihlci.dll"	Ocmhhplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfegc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aakdnqdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caijfljl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcpmqhb.dll"	Nfgkilok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekiekni.dll"	Qimfmdjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjjlg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bplakkoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpqjfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbhpfh32.dll"	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiokb32.dll"	Nbibcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjkndi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igdnkeof.dll"	Cpgqgjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcmcddng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbibcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjbmk32.dll"	Omacef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qimfmdjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afcclh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Licooc32.dll"	Dcmcddng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njidcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjmeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkkcooa.dll"	Apndjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmejibbn.dll"	Didnkogg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmljjgkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oodimaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aflfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmlog32.dll"	Cchiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkdkeaoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abigbemk.dll"	Nmljjgkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omhifeqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omhifeqp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ppdbdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjemfhgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkmplmef.dll"	Afepahei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adpgkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bncpqm32.dll"	Badgdold.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omkjed32.dll"	Nqeiefei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfnjqikq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qimfmdjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qadnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apndjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bakmen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncailbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkefkqi.dll"	Pmfegc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjlcfgag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 1048	348	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe	84
PID 348 wrote to memory of 1048	348	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe	84
PID 348 wrote to memory of 1048	348	c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe	84
PID 1048 wrote to memory of 4424	1048	Nbblbo32.exe	85
PID 1048 wrote to memory of 4424	1048	Nbblbo32.exe	85
PID 1048 wrote to memory of 4424	1048	Nbblbo32.exe	85
PID 4424 wrote to memory of 3828	4424	Njidcl32.exe	87
PID 4424 wrote to memory of 3828	4424	Njidcl32.exe	87
PID 4424 wrote to memory of 3828	4424	Njidcl32.exe	87
PID 3828 wrote to memory of 876	3828	Nofmlc32.exe	88
PID 3828 wrote to memory of 876	3828	Nofmlc32.exe	88
PID 3828 wrote to memory of 876	3828	Nofmlc32.exe	88
PID 876 wrote to memory of 940	876	Ncailbfp.exe	89
PID 876 wrote to memory of 940	876	Ncailbfp.exe	89
PID 876 wrote to memory of 940	876	Ncailbfp.exe	89
PID 940 wrote to memory of 2840	940	Nfpehmec.exe	90
PID 940 wrote to memory of 2840	940	Nfpehmec.exe	90
PID 940 wrote to memory of 2840	940	Nfpehmec.exe	90
PID 2840 wrote to memory of 2496	2840	Nmjmeg32.exe	91
PID 2840 wrote to memory of 2496	2840	Nmjmeg32.exe	91
PID 2840 wrote to memory of 2496	2840	Nmjmeg32.exe	91
PID 2496 wrote to memory of 3044	2496	Nqeiefei.exe	92
PID 2496 wrote to memory of 3044	2496	Nqeiefei.exe	92
PID 2496 wrote to memory of 3044	2496	Nqeiefei.exe	92
PID 3044 wrote to memory of 1212	3044	Nbfemnkg.exe	94
PID 3044 wrote to memory of 1212	3044	Nbfemnkg.exe	94
PID 3044 wrote to memory of 1212	3044	Nbfemnkg.exe	94
PID 1212 wrote to memory of 3880	1212	Nmljjgkm.exe	95
PID 1212 wrote to memory of 3880	1212	Nmljjgkm.exe	95
PID 1212 wrote to memory of 3880	1212	Nmljjgkm.exe	95
PID 3880 wrote to memory of 4984	3880	Nqhfkf32.exe	96
PID 3880 wrote to memory of 4984	3880	Nqhfkf32.exe	96
PID 3880 wrote to memory of 4984	3880	Nqhfkf32.exe	96
PID 4984 wrote to memory of 2980	4984	Nbibcnie.exe	97
PID 4984 wrote to memory of 2980	4984	Nbibcnie.exe	97
PID 4984 wrote to memory of 2980	4984	Nbibcnie.exe	97
PID 2980 wrote to memory of 1216	2980	Nicjph32.exe	98
PID 2980 wrote to memory of 1216	2980	Nicjph32.exe	98
PID 2980 wrote to memory of 1216	2980	Nicjph32.exe	98
PID 1216 wrote to memory of 3948	1216	Nomclbho.exe	99
PID 1216 wrote to memory of 3948	1216	Nomclbho.exe	99
PID 1216 wrote to memory of 3948	1216	Nomclbho.exe	99
PID 3948 wrote to memory of 884	3948	Nfgkilok.exe	100
PID 3948 wrote to memory of 884	3948	Nfgkilok.exe	100
PID 3948 wrote to memory of 884	3948	Nfgkilok.exe	100
PID 884 wrote to memory of 3436	884	Omacef32.exe	101
PID 884 wrote to memory of 3436	884	Omacef32.exe	101
PID 884 wrote to memory of 3436	884	Omacef32.exe	101
PID 3436 wrote to memory of 4960	3436	Ockkbqne.exe	102
PID 3436 wrote to memory of 4960	3436	Ockkbqne.exe	102
PID 3436 wrote to memory of 4960	3436	Ockkbqne.exe	102
PID 4960 wrote to memory of 3496	4960	Ojecok32.exe	103
PID 4960 wrote to memory of 3496	4960	Ojecok32.exe	103
PID 4960 wrote to memory of 3496	4960	Ojecok32.exe	103
PID 3496 wrote to memory of 848	3496	Oihdkgll.exe	104
PID 3496 wrote to memory of 848	3496	Oihdkgll.exe	104
PID 3496 wrote to memory of 848	3496	Oihdkgll.exe	104
PID 848 wrote to memory of 816	848	Ocmhhplb.exe	105
PID 848 wrote to memory of 816	848	Ocmhhplb.exe	105
PID 848 wrote to memory of 816	848	Ocmhhplb.exe	105
PID 816 wrote to memory of 1736	816	Oijqpg32.exe	106
PID 816 wrote to memory of 1736	816	Oijqpg32.exe	106
PID 816 wrote to memory of 1736	816	Oijqpg32.exe	106
PID 1736 wrote to memory of 4652	1736	Oodimaaf.exe	107

C:\Users\Admin\AppData\Local\Temp\c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe
"C:\Users\Admin\AppData\Local\Temp\c60ccdc804c80601d72b7cf5ce1149f79cb4bf8a37531266ef1b7656e4e00b3bN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\SysWOW64\Nbblbo32.exe
  C:\Windows\system32\Nbblbo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\SysWOW64\Njidcl32.exe
    C:\Windows\system32\Njidcl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\SysWOW64\Nofmlc32.exe
      C:\Windows\system32\Nofmlc32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\Ncailbfp.exe
        
        C:\Windows\system32\Ncailbfp.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
      - C:\Windows\SysWOW64\Nfpehmec.exe
        
        C:\Windows\system32\Nfpehmec.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Nmjmeg32.exe
        
        C:\Windows\system32\Nmjmeg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Nqeiefei.exe
        
        C:\Windows\system32\Nqeiefei.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Nbfemnkg.exe
        
        C:\Windows\system32\Nbfemnkg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Nmljjgkm.exe
        
        C:\Windows\system32\Nmljjgkm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Nqhfkf32.exe
        
        C:\Windows\system32\Nqhfkf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Nbibcnie.exe
        
        C:\Windows\system32\Nbibcnie.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Nicjph32.exe
        
        C:\Windows\system32\Nicjph32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Nomclbho.exe
        
        C:\Windows\system32\Nomclbho.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Nfgkilok.exe
        
        C:\Windows\system32\Nfgkilok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Omacef32.exe
        
        C:\Windows\system32\Omacef32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ockkbqne.exe
        
        C:\Windows\system32\Ockkbqne.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Ojecok32.exe
        
        C:\Windows\system32\Ojecok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Oihdkgll.exe
        
        C:\Windows\system32\Oihdkgll.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\SysWOW64\Ocmhhplb.exe
        
        C:\Windows\system32\Ocmhhplb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Oijqpg32.exe
        
        C:\Windows\system32\Oijqpg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Oodimaaf.exe
        
        C:\Windows\system32\Oodimaaf.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ofnajk32.exe
        
        C:\Windows\system32\Ofnajk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\Omhifeqp.exe
        
        C:\Windows\system32\Omhifeqp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Ocbacp32.exe
        
        C:\Windows\system32\Ocbacp32.exe
        25⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Ojljpi32.exe
        
        C:\Windows\system32\Ojljpi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\Oqfblcgf.exe
        
        C:\Windows\system32\Oqfblcgf.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Ofbjdken.exe
        
        C:\Windows\system32\Ofbjdken.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Pqhobced.exe
        
        C:\Windows\system32\Pqhobced.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Pbikjl32.exe
        
        C:\Windows\system32\Pbikjl32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Pblhokip.exe
        
        C:\Windows\system32\Pblhokip.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\Pmalldhe.exe
        
        C:\Windows\system32\Pmalldhe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\Pbndekfm.exe
        
        C:\Windows\system32\Pbndekfm.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Pjemfhgo.exe
        
        C:\Windows\system32\Pjemfhgo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Ppbeno32.exe
        
        C:\Windows\system32\Ppbeno32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3648
        
        C:\Windows\SysWOW64\Pbpajk32.exe
        
        C:\Windows\system32\Pbpajk32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Pjgikh32.exe
        
        C:\Windows\system32\Pjgikh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Pmfegc32.exe
        
        C:\Windows\system32\Pmfegc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Ppdbdo32.exe
        
        C:\Windows\system32\Ppdbdo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Pfnjqikq.exe
        
        C:\Windows\system32\Pfnjqikq.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Qimfmdjd.exe
        
        C:\Windows\system32\Qimfmdjd.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Qadnna32.exe
        
        C:\Windows\system32\Qadnna32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Qcbjjm32.exe
        
        C:\Windows\system32\Qcbjjm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Qfqgfh32.exe
        
        C:\Windows\system32\Qfqgfh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qjlcfgag.exe
        
        C:\Windows\system32\Qjlcfgag.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Qmkobbpk.exe
        
        C:\Windows\system32\Qmkobbpk.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Qcdgom32.exe
        
        C:\Windows\system32\Qcdgom32.exe
        47⤵
        Executes dropped EXE
        
        PID:180
        
        C:\Windows\SysWOW64\Afcclh32.exe
        
        C:\Windows\system32\Afcclh32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Aiaphc32.exe
        
        C:\Windows\system32\Aiaphc32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Aahhia32.exe
        
        C:\Windows\system32\Aahhia32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Acgdelfe.exe
        
        C:\Windows\system32\Acgdelfe.exe
        51⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Afepahei.exe
        
        C:\Windows\system32\Afepahei.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Aidlmcdl.exe
        
        C:\Windows\system32\Aidlmcdl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\Aakdnqdo.exe
        
        C:\Windows\system32\Aakdnqdo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Apndjm32.exe
        
        C:\Windows\system32\Apndjm32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Afhmggcf.exe
        
        C:\Windows\system32\Afhmggcf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Amaeca32.exe
        
        C:\Windows\system32\Amaeca32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Afjjlg32.exe
        
        C:\Windows\system32\Afjjlg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Amdbiahp.exe
        
        C:\Windows\system32\Amdbiahp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Adnjek32.exe
        
        C:\Windows\system32\Adnjek32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Aflfag32.exe
        
        C:\Windows\system32\Aflfag32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Amfooafm.exe
        
        C:\Windows\system32\Amfooafm.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Adpgkk32.exe
        
        C:\Windows\system32\Adpgkk32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Bjjohe32.exe
        
        C:\Windows\system32\Bjjohe32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\Badgdold.exe
        
        C:\Windows\system32\Badgdold.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bfapmfkk.exe
        
        C:\Windows\system32\Bfapmfkk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2788
        
        C:\Windows\SysWOW64\Bafdjoja.exe
        
        C:\Windows\system32\Bafdjoja.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Bbhqbg32.exe
        
        C:\Windows\system32\Bbhqbg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\Bibioa32.exe
        
        C:\Windows\system32\Bibioa32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Bmmdoppe.exe
        
        C:\Windows\system32\Bmmdoppe.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bplakkoi.exe
        
        C:\Windows\system32\Bplakkoi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bdgmlj32.exe
        
        C:\Windows\system32\Bdgmlj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Bffihe32.exe
        
        C:\Windows\system32\Bffihe32.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Bideda32.exe
        
        C:\Windows\system32\Bideda32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Bakmen32.exe
        
        C:\Windows\system32\Bakmen32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Bdjjaj32.exe
        
        C:\Windows\system32\Bdjjaj32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Bkcbnd32.exe
        
        C:\Windows\system32\Bkcbnd32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bmbnjo32.exe
        
        C:\Windows\system32\Bmbnjo32.exe
        78⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\Banjkndi.exe
        
        C:\Windows\system32\Banjkndi.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bpqjfk32.exe
        
        C:\Windows\system32\Bpqjfk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cgjbcebq.exe
        
        C:\Windows\system32\Cgjbcebq.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ckfocc32.exe
        
        C:\Windows\system32\Ckfocc32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Cpcglj32.exe
        
        C:\Windows\system32\Cpcglj32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Cabcfm32.exe
        
        C:\Windows\system32\Cabcfm32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cgolnd32.exe
        
        C:\Windows\system32\Cgolnd32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Cmidknfh.exe
        
        C:\Windows\system32\Cmidknfh.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Cpgqgjel.exe
        
        C:\Windows\system32\Cpgqgjel.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Ccfmcedp.exe
        
        C:\Windows\system32\Ccfmcedp.exe
        88⤵
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Cagmamlo.exe
        
        C:\Windows\system32\Cagmamlo.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\Cchiie32.exe
        
        C:\Windows\system32\Cchiie32.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ckoajb32.exe
        
        C:\Windows\system32\Ckoajb32.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Cmnnfn32.exe
        
        C:\Windows\system32\Cmnnfn32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Caijfljl.exe
        
        C:\Windows\system32\Caijfljl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Cpljbi32.exe
        
        C:\Windows\system32\Cpljbi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dckfnd32.exe
        
        C:\Windows\system32\Dckfnd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Dgfbochc.exe
        
        C:\Windows\system32\Dgfbochc.exe
        96⤵
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Didnkogg.exe
        
        C:\Windows\system32\Didnkogg.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Dmpjlm32.exe
        
        C:\Windows\system32\Dmpjlm32.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Dpofhiod.exe
        
        C:\Windows\system32\Dpofhiod.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\Ddjbhg32.exe
        
        C:\Windows\system32\Ddjbhg32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Dcmcddng.exe
        
        C:\Windows\system32\Dcmcddng.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Dkdkeaoj.exe
        
        C:\Windows\system32\Dkdkeaoj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dnbgamnm.exe
        
        C:\Windows\system32\Dnbgamnm.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 400
        104⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2032 -ip 2032
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhmggcf.exe

Filesize
96KB

MD5
968076ca9a40beb7d395a8a7f9a1d07a

SHA1
3b7abe0749d13bf64ba6716595248ea76d44277d

SHA256
14e8c03b39bd51db6623084ce5e05d8b3497e520d04750e645a08e8c1b3d0731

SHA512
923e0b8f3b7c4126b706c4d8d9ae53785a90ae7777350b89f9ec5bd62b26915a7152cc7ab436aba4181c0bf33cfbb626383e9f718dbf445596d9f99c19b5f10c

Download Submit
C:\Windows\SysWOW64\Badgdold.exe

Filesize
96KB

MD5
9913709914be41c3bf6fdeb7eaeaeb29

SHA1
24b1d87684e8844a3e5e63b15b757009fa0a24d7

SHA256
14d8368022c3a103e51acd4204059e756dea20c72fa77de53200e378e96471de

SHA512
a5a41982a1ca0518a1371ea3831a0c8a712a1107c02e77533262218b50bc8ce26f35bee1bf8672cd7280a45cd9d9c06496a4314a100cb873b1628a8c05a4f80e

Download Submit
C:\Windows\SysWOW64\Bffihe32.exe

Filesize
96KB

MD5
bef1022efd8b764395134dec37ee7242

SHA1
d35badbb723723b827f839410264497c577b99b7

SHA256
b96d4f66b8b9fa6f68860c4bcf0dfa2f492ff485a8aed3791e0db739885c983c

SHA512
2ea2465bbcfd5d5902b82e21bfeb2354cc9d82cae1c2c4bda1573d764b7f0b0facb4ebf653fae4c7cf616ed286c34a357553db0d55b1f65f0838227e10d88f17

Download Submit
C:\Windows\SysWOW64\Bkcbnd32.exe

Filesize
96KB

MD5
fbda9a88dc478567b43816ee97c7fe6f

SHA1
8887236bf3000eec51d64953e4d38266eadf8a19

SHA256
883b76f2554a1a3f5704356012e857f95eb07987b1f7eda64de0fea45d3849f5

SHA512
c531bd62f6b5a2b1d7258eb403d9860fe4f2c1285e337d96076c640ca908dec3bf80912594423939116432ee242d93973c1b9b16b76a3ab04063e477bb092c23

Download Submit
C:\Windows\SysWOW64\Bplakkoi.exe

Filesize
96KB

MD5
8208d5253b84bde871820562171a4a36

SHA1
9c518b7d7294534fc208532f982d3b2f114ad67e

SHA256
01c882ed5d481dc686c00d4db4aa00011933b0bd0190ce514f012a5749cd3651

SHA512
087aa102c3e758c03cf7285b6f0cbb545ebc3b69333d385ded0f2d41adbeb55d6b97fd50d69a3400c23e476e3819cc3a62abc2db5d750ccc3ef63274fa1a25a0

Download Submit
C:\Windows\SysWOW64\Cmnnfn32.exe

Filesize
96KB

MD5
e69b8928d26a41837a26e13be9123968

SHA1
c964218b814905a4659084de91f356c5b635a370

SHA256
b74b844055d06f6053f73ee5d2b70e2c629bf1b67e3e2211a501c4869a9daf70

SHA512
31affffa86c60ef50fb2e96cbd827bba7cdeeed04bce03eb251b6f14c52f9882b7e303d317c7471021b201c1b9d3c0e46d3bf20924405a73b522a1daa3758cea

Download Submit
C:\Windows\SysWOW64\Didnkogg.exe

Filesize
96KB

MD5
3fda28c2cbbece9d6d10215ded5b1c38

SHA1
ec3d0e1088fe908afd2185df8543ec035b142eab

SHA256
687d87d2ec49660cf62f06dde993808eb15d0bcb51e2087e5d2ca93ad178d7f7

SHA512
4f76918c5bafbd944ec5299a136e6fa6c8c568ddc67bfa2f975f64bca625a33d6ed98cdf91c4e12356df29182f4cef7498a594c6bab6d7ed9ea9e59d233d316d

Download Submit
C:\Windows\SysWOW64\Dnbgamnm.exe

Filesize
96KB

MD5
fac24abb1818792a1ad1581c295f24ff

SHA1
a4f660cba021cd6c8d461d764ec7e883bcd42d8f

SHA256
4b98544160ea6d80c2a6d048857c61feecd286ea1a2441a9aaafba8a71ca0950

SHA512
1927a3a8378bee9a9affc7056e9dc80cf74e6b92934def9a29decaf65d93cc7dd277e94444a5732de93aa39dc0ffb6835c0fa9da50fa1ed58c9e2c21eb5f4c4c

Download Submit
C:\Windows\SysWOW64\Nbblbo32.exe

Filesize
96KB

MD5
59de5f244e7f56f512bc3d65acf3db63

SHA1
df73a12d62d4c73b6a4a984cf3547b5769482eed

SHA256
3d1df006aa1141f1d4a6c931e8722cc6cf9f82eefdde1dee478e214227666661

SHA512
fd02b5ed0bd75dc026bff4afcbbf5525c5f973daa18192cbe1b872ce435cfc89b464a249fd7e326d0b1b451590c1b5b21b0e16403330ddae9b05a8463a142661

Download Submit
C:\Windows\SysWOW64\Nbfemnkg.exe

Filesize
96KB

MD5
7e368d7a5f34335d412dfd1fa8fb026f

SHA1
156e35805158a54eee567afd7bcb829e3f67805a

SHA256
12ec6ef42d49b537d8918631ea798f22df1c8139511fdc4d45c74b69c0490b99

SHA512
e3a40f84614005a9fc18b229ae2a8a70b3662a228174dea2348783fb5aaa1ec4747062c3991999d1a5f22717f69997069ad60437b73aaed2860973d2b6685d5a

Download Submit
C:\Windows\SysWOW64\Nbibcnie.exe

Filesize
96KB

MD5
bd1208e13a3eec5e6b23e0b68bd96967

SHA1
ee3986dd20529bd037946da1892353b22d277b6e

SHA256
86a06c6aa6cbb5e1a6b810fc286bcffc68770c946b77b44719b08ae9aca41ef5

SHA512
8b2b0a9e94c021567ce04ed4d43246a0ce50752489476c5619a7d0120a39f7a437526a2c675e4e97fc4929d57a38c7d41022190a5d3f6168365075fd4f1be484

Download Submit
C:\Windows\SysWOW64\Ncailbfp.exe

Filesize
96KB

MD5
e341bab5b5fadb034f1ce90bae2cdd0c

SHA1
9278f47e4edf1fcd07b15fe827c4abdd1e752030

SHA256
8438164bd7dfaeeddfef055449c5053f1d4730932efa6ce7c1634571c53c8269

SHA512
c2c4453ceb40c80332190a50f769493bb36ef1d47f1621a7f2a0dc8295a6822a5886d6f05afecd04ae4d9675f6100c3dbc73d067614558b1903e2fae68617405

Download Submit
C:\Windows\SysWOW64\Nfgkilok.exe

Filesize
96KB

MD5
8e80a191563afa14194a8f7ac90e0b0b

SHA1
bb0e31c75d5af8dcf03a66b527abcb43e9104f33

SHA256
0142f637788a770ef9c66fa313b88e250fbba27c1d573601c83914be3de10a49

SHA512
c954d5d0aaa21a19c8df743cacea4f2e332b97cd27fa170abdcb918a42be020c0c774b554b60aeb691c662e13ea737689e1824aeb952e18ec04bd07104c033e5

Download Submit
C:\Windows\SysWOW64\Nfpehmec.exe

Filesize
96KB

MD5
c64355c07da7194c087b8b52d9280f65

SHA1
9855f8cb20fe63e8b5f91a123890effdc65b1f42

SHA256
052cb3e1a1ceb4795daee222c369cb06ac2ffadd9104cbbe18ea16252975d3dc

SHA512
5eb52d971a6135cffc522182678ed2150b87b3bbef353992bf952bcf4edadefa3a37d6531f944452165c01f996da2b21bdafdcce2af901393aaf2771564367c4

Download Submit
C:\Windows\SysWOW64\Nicjph32.exe

Filesize
96KB

MD5
30fca1c01197c7f36e692119d811dd61

SHA1
370a3c054d557cff0c6d31117514ee147184be57

SHA256
a9724a114daf3731ec926a6f3948763e77fa17e0c77400a8b34f880c036f8a07

SHA512
0ba57ebc78bccd72d722f4785c5f0d1b799bf0ed6c7547fdb31cac5553a49e6cea5ceb983f56fb173d65aff46013b7f874d6a546732d3203d8599f7b2f1ea4fb

Download Submit
C:\Windows\SysWOW64\Njidcl32.exe

Filesize
96KB

MD5
6a507c4f8028c3b09ab832c1e509ef35

SHA1
c8c8418076125a0b569d90b5ae04e3a8a4ae8f68

SHA256
44de1d192da5948666d0e015efb7694f1be19f0eae685f61e5c6209e97d35241

SHA512
7c7ad7398328822d7a7356c9e1f6869b585a333d8257bcac6b7a9cb74d5b7b4cf2fc33fffac84f6eb7e0bbde9bd580e97c14edfb634929f4153a838795b3302d

Download Submit
C:\Windows\SysWOW64\Nmjmeg32.exe

Filesize
96KB

MD5
6730570b9dc9d72703fbda9e2a8ca3fc

SHA1
35afb82090e8f3b66bbd7245f70efb1388523567

SHA256
309e7529393cd6baf037ccbf7bca2d540ed551f6bd503a3d15e7c5fd19fde2be

SHA512
dd79fcddc765997a9b8a45479d463ea99f2824afc4a5ba322d2d04b5df2f959af6d450bef4cdea98d8220c11f807a52348c335c20157b10fafc15f32eea07e96

Download Submit
C:\Windows\SysWOW64\Nmljjgkm.exe

Filesize
96KB

MD5
3e9dba813925b8fd3ff8e1c119ec60ce

SHA1
79cd567e555f360517716ea66a67389d409a7fbf

SHA256
ab052ce37d48bdf7c023e8b076d9f76b832d8cb878d5ec2fe115b2c53ff61a88

SHA512
339bd816ee1d283ea8581bd020248e1249b9427fd6b3d37355cdd00f5502e0871faa07488964425cc2b478657ec52cd8c30358536261dc5555b37d5398e903f1

Download Submit
C:\Windows\SysWOW64\Nofmlc32.exe

Filesize
96KB

MD5
3f739082e36ff142260402745c282727

SHA1
f2093758ea305f4de3f01611e70b0bbbe8a1b58e

SHA256
b4497931f1909bfe822748d37d9748e8a8cd1fb4cb9e286bebaaa5768e07ae33

SHA512
3cff28f4d7aa02748c3e49487d2bee5f3f13421712fda9e0f8b90c940bcb109cb2ff2cac9dd8659e9f5fc101fa8e7c646857d89ac3dc024977004d2fd66d0517

Download Submit
C:\Windows\SysWOW64\Nomclbho.exe

Filesize
96KB

MD5
8997422fce19decb52a3676a91715650

SHA1
2b9237c90e66628bd3a920eeff7b56059be0edaf

SHA256
015421419080161eecb210184723289ac9bde3d285cedec24e1ad8fe7c24c97b

SHA512
21f802a4b49d285a429d923289126e941bcec151688db34e76b0902460bbd6a29bc42778dae15374b4b243a561c968445033f3a98bfc4edec5fed17641ddde43

Download Submit
C:\Windows\SysWOW64\Nqeiefei.exe

Filesize
96KB

MD5
dc4bd054add4a0a55ff4c4972dda400e

SHA1
ed404f805535270d87c01fbe61f6a18fa44be29b

SHA256
559e3a4c8fcf6feb3b9f9768056a28d10ce55e120e3f816a0c2619ddbf1b449c

SHA512
a0053d95b79125468753fdc4e82eb4fbea5f9fec79fd5642449b3b97bdcb27895c4478391034ea0c0e720dc31341d95de22f56997c391f77a1013b49bda3377e

Download Submit
C:\Windows\SysWOW64\Nqhfkf32.exe

Filesize
96KB

MD5
3928ab67e8fb06d7da195bfb0af15d2f

SHA1
0e248790fad835e2894af1436e08a89eb020ab40

SHA256
60cc84524229536d7655a232d32b54bdc0c49fb75b9767de138cf2bec58587f9

SHA512
a39ebac568b71184d2fecbf8e32f0fdbdecd6034f7061258b10e8bba6e293a0d07805fa37bbc9c6bdfc386e21f6ace5ccebae808f17062bde26b6e95baf57917

Download Submit
C:\Windows\SysWOW64\Ocbacp32.exe

Filesize
96KB

MD5
a7b8b2e3e512a7b7fd77112a9f505554

SHA1
3926133e3f1f11890b9c0c4b0c113975687a918d

SHA256
3111d66d7c260e57f5cfc7e91e7bcf5f500412298ddd8bc4c0f1d4755f4c80ce

SHA512
ecfc5e63759240c396bc5b6180d2e45ee090b8126794326ffea61372506920d122137c3e8d42fd20a32b0a834ba437748aaecb71f39707c31fb9641db469e0dc

Download Submit
C:\Windows\SysWOW64\Ockkbqne.exe

Filesize
96KB

MD5
631a2b24944e40e0f26536582618f6b1

SHA1
e6b02932c8b5c82c46d313abb092340eb366ad05

SHA256
c74ba0ac772d5c1b26b0e27b27aaa73ab4cf2c93419329852437335fb7176dd2

SHA512
7b06840f800e12d51f9fb36012bde3659b86c2873272d00ab15555878ffd7f35cc9aa792d1bd301c26222b2f5eb0f738e5ff51ee5c3341073551e2c62b6e25ec

Download Submit
C:\Windows\SysWOW64\Ocmhhplb.exe

Filesize
96KB

MD5
33109e1170dac3d09a295bbced8db4a4

SHA1
931e7aae75af957ed489440b33d391c4a05c4cfa

SHA256
10bb07e56a1dfb667c67524ccd805e0bf996f49317491d806e4bd5a36befe3d6

SHA512
41e66cdba752593521cc6caa97d8e625750e31ca5d9dc41acc32ebb609a3bb199bd6ce74fb00ef91acc789f48ab3772b5a38bb36a0aa8368b0361adcf2e64550

Download Submit
C:\Windows\SysWOW64\Ofbjdken.exe

Filesize
96KB

MD5
0f17ac262f4ae4e5616cf17a72e50483

SHA1
006a750a8da3a9b0a76ac2bf8295e4919093756e

SHA256
d7c5d01de873930081245a5fc2b2f0ad1bd5b3a9524d6b4f3f131cf791fba896

SHA512
aac2aa0447e35a38e9ca1beb9d983bc55ae64b8ba69cdcf911d8bda7219a5715b8d7dd566a0e5018cb2ebfd772810995e73a9e947a8129a5c6300bc574f51155

Download Submit
C:\Windows\SysWOW64\Ofnajk32.exe

Filesize
96KB

MD5
ca75a5edbaff048b77e97fd03ef1e591

SHA1
65333fb7bb88ecab1ae4f9e694398c8757920dd9

SHA256
5d5dc62f43f551254050d3a47a1514c0afad6d8001d460f87ec22e78b0239b6f

SHA512
0c6a7ff6f82951b8a1d9a5696eea93b123448a0ad80054d9deebcd4d2582ea58a301f63dd544ffef3d9b5f49cc6a723c0edd0b62154200d53fcb81a3c21b19aa

Download Submit
C:\Windows\SysWOW64\Oihdkgll.exe

Filesize
96KB

MD5
bc7a08c06ff3ec1f66a8f60756266ced

SHA1
e6971340b4750bcbbe9b03686ffc7a99a23a1ec6

SHA256
203adaddb3c2d9acc96a185dd766de23430f047e85de57afb0f4d8ba5bced5b1

SHA512
2d31ff45d1e9a32ed2f3cf01a7fdc89ef317ff24018d2450753cdbea5046e8d9c20c4ab427f5d5a777b9ea305fd185894a60f679c588ca204ea598a4c15ddb56

Download Submit
C:\Windows\SysWOW64\Oijqpg32.exe

Filesize
96KB

MD5
9defe067ff000181eeaa9c043d7a1aad

SHA1
a16e40858fb227bb6ce587915bcbb82e781192a7

SHA256
57c8ae3f29c9162a77371b8ae9e4e76f395a3da315ee701612df39697eea20de

SHA512
8e4077c5b20601285fe550a566140b2770ffa36f6c13c4f3f948ca7b86c7694de808e12c857e7f33b8d582a1adc9b17674200ffaf28a495c766ce6325b44823b

Download Submit
C:\Windows\SysWOW64\Ojecok32.exe

Filesize
96KB

MD5
8f8bcd0ee13c73c08efaf4ca790d5fad

SHA1
ea571cd898602b796f59c23fb4546960f581f4e5

SHA256
4e522434950d886aecb0d6a8a998beac82e7c1740a3c25e52afc7712ebc3fc3b

SHA512
0c16d708160d1193f28cf89345f195a51db95564687f19272906592fb65fb34177b24712a0671ab95f3bc3aa7367810f32dd05158f5d5b278dd53b1587f62f97

Download Submit
C:\Windows\SysWOW64\Ojljpi32.exe

Filesize
96KB

MD5
13501ac6ea3b4380837c69ab0c0bc87e

SHA1
81375068d444c0a393e197b8beb443935ae870bd

SHA256
e4809f4ca88cb8a55f16f0120a42f0630a79d7820c1eeb5955a21f85a4985c4e

SHA512
819c55ea95083699ccabc17110a8eb7a9c30b6b77c449e4ad92330d49e522a0bac5c3ce48b0c991c1469be60d0e5866dedb47ea2bc41c248edd85c93ea505435

Download Submit
C:\Windows\SysWOW64\Omacef32.exe

Filesize
96KB

MD5
8e7118ea979c86b7313a27218d242565

SHA1
b915c434a5bad97c63935c28df65dde0af19f09d

SHA256
08d5075e9049ba27060a22c57aca9f8f56a5e014a4c5e05c06eee5234789723c

SHA512
d60c54910dda47619a8d5fd1d3b50d82e2d771a8c48383c82d86f481b4f8b38dd44d4748ac8f133d77eb70c51eb12305a6b41363ee40904e8b8188435f790635

Download Submit
C:\Windows\SysWOW64\Omhifeqp.exe

Filesize
96KB

MD5
61a0a079f2571e19f5ac870f1929472a

SHA1
e5bb2fe5bdc44b009012e05419aace394ea365c3

SHA256
fad74a866188a28952a74956890386087f11ffc7e9da726a2ceed0b4e2d4e5da

SHA512
0aee4e571ce579b016a6f666a82d98ec6a55ef3e57e6657fdc0d19b035d57077649031e6bc32c6e9ec2e2d187ec8aa436b8246f4f429b60689bf16433e0cc2ec

Download Submit
C:\Windows\SysWOW64\Oodimaaf.exe

Filesize
96KB

MD5
4cf9413a70068c75ed76da74fd6470e0

SHA1
b3aa80de7cee609aee59fd7c776475e2ee527932

SHA256
a6633c23cf79e22646bd8d751145d882982ddd4d9efcff56d4173097ce72535f

SHA512
b9b440305e6adad0b6013b774e0e65eda3458aa704dad491eaeb8a2587314996495c39640a269dc518af722d7a04dce59cdf8f4cbb1525862ee5f69328ce4517

Download Submit
C:\Windows\SysWOW64\Oqfblcgf.exe

Filesize
96KB

MD5
837a5a776e8b9fb9c3bf7063a75e5299

SHA1
4db827dba78d8cea56fb7c1c40a570aea5031369

SHA256
6cb2067dbaf3d51f06c656404d523e8856c8e02620ebe093ff8e20c9390491aa

SHA512
839ab49e324a2eea2f6d9cd6b24f1410ba8edb5dc834dc8132e5e8914eb452574ab333d6eace191a591b1c9c824c35f96cc2d6b8997bcd716747d4c37719e9d0

Download Submit
C:\Windows\SysWOW64\Pbikjl32.exe

Filesize
96KB

MD5
02d2786c975a3ddc4413a3897f3eac80

SHA1
5c2e81ace02002da2d89ad9e1fa4ad2f555c8d10

SHA256
8a151c8c3797a31ccd4a51f726fa94d656cbc0fd05b3bf5c90c49ce6e9c40e6b

SHA512
74f7d04b90ae852062093af3df2fdd05172b19653d0012c8df17bc5f43b7b161c75f6cd069ca41684b4c3b4c756075830e66653634b5e89a8276130e24fb2748

Download Submit
C:\Windows\SysWOW64\Pblhokip.exe

Filesize
96KB

MD5
73b9cac7ae4334c77b6baa84fa365150

SHA1
62b0a9cb1dd8a9ea995f5a430a976c82cb09731b

SHA256
3f77353c25344039c7998ba9578408ce6dbd500aff2a44e86d704e744d471e04

SHA512
8752111594e378f44625a3b22c2595baaa2b6e91f4bf56b37d8c1076670e88c29bff5766392cd62d491a1399f560c604ecc18c38c735fb5bb0ed6c111972e809

Download Submit
C:\Windows\SysWOW64\Pbndekfm.exe

Filesize
96KB

MD5
093ae5fca570ca2172a91869f86dcadd

SHA1
b38b97910e3dc47b5b304b5fd3bae60d22f475f3

SHA256
f0d273178127fb96bc0c9ce0dd70a66d923f12acacd8aca9f1b5f3b6cf55981a

SHA512
1c44c65e39d93fd57a10e9dda47218c97996d240749c53b3be34878fb9f462c216855baf7016353d853d449d5fee6ab572ec7aa687ad9ac00acb5089e285430f

Download Submit
C:\Windows\SysWOW64\Pmalldhe.exe

Filesize
96KB

MD5
529b01feeca3a0a6f3f4b5d24451ab26

SHA1
e454850db6e4bb2fe07fa48d1a16875d05ef3a5b

SHA256
74dd0fe990d0d3f9518c0a9215779ff8b7d76b1ccf575ec2c415cf91d79bc418

SHA512
55c2e4d0bab99e22127741bb4ae86b28a37059cecd57e812b585976a8e0ff06899b201e6ddd711720936722acb75176ddbcff7d73c736b679121eab6708b9b43

Download Submit
C:\Windows\SysWOW64\Pqhobced.exe

Filesize
96KB

MD5
a5b281dd220470130bd102efe4d4637b

SHA1
04767754edc1f4ba3ac31fbba56643e5d5f78b5b

SHA256
6860bf90a97cdd99245f88e40e5163d05cbaa995d5338f37c1084fe6600284fd

SHA512
d45d4d0d63f9ed022441968314a1b17074d3ef0e3b0b3431174810977f663c0b4dd9951ac2a85dd870a63f11541736bb79e64f9b4a36a01aaf20092a49d7fbb7

Download Submit
memory/180-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/348-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-592-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3496-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-586-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads