berbew | 209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f

Analysis

max time kernel
96s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe
Size

128KB
MD5

9debc18db9d1a402a641167d6b85de1a
SHA1

70a8c4ae2d2aa916fee71b541a6a427035a77d5f
SHA256

209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f
SHA512

71563f612c6050ce835f6303a602d158fc6e5e877dfa1150df772c0db5e8e3926e9ef3c38fd310063323785e34a4a2793e32840940b9ad61b3b57873e5fb1010
SSDEEP

3072:AGvcR8h3/MvD+6Gym/PwidSX3ReDrFDHZtOgxBOXXH:AGvj3/Mv66iP7dSX3RO5tTDUX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3540	Npcoakfp.exe
1428	Ngmgne32.exe
4808	Nepgjaeg.exe
2396	Nngokoej.exe
4604	Npfkgjdn.exe
648	Ngpccdlj.exe
1948	Njnpppkn.exe
1288	Nphhmj32.exe
1744	Ncfdie32.exe
1436	Njqmepik.exe
2768	Npjebj32.exe
4124	Ncianepl.exe
4632	Njciko32.exe
4676	Nlaegk32.exe
4316	Nckndeni.exe
5048	Njefqo32.exe
3768	Oponmilc.exe
3040	Ogifjcdp.exe
1240	Oncofm32.exe
3316	Odmgcgbi.exe
1660	Ogkcpbam.exe
872	Olhlhjpd.exe
5080	Ofqpqo32.exe
3284	Ojllan32.exe
2296	Odapnf32.exe
3260	Onjegled.exe
4444	Oqhacgdh.exe
3392	Ofeilobp.exe
4180	Pnlaml32.exe
1676	Pdfjifjo.exe
4216	Pgefeajb.exe
3204	Pnonbk32.exe
5076	Pqmjog32.exe
1284	Pclgkb32.exe
4104	Pjeoglgc.exe
456	Pmdkch32.exe
4460	Pdkcde32.exe
4656	Pgioqq32.exe
2516	Pjhlml32.exe
1336	Pmfhig32.exe
1216	Pdmpje32.exe
2876	Pgllfp32.exe
2164	Pnfdcjkg.exe
724	Pmidog32.exe
4456	Pqdqof32.exe
3256	Pgnilpah.exe
4464	Pjmehkqk.exe
4412	Qqfmde32.exe
3108	Qfcfml32.exe
1064	Qnjnnj32.exe
3480	Qqijje32.exe
4324	Qcgffqei.exe
3808	Qffbbldm.exe
1588	Anmjcieo.exe
4320	Ampkof32.exe
1580	Acjclpcf.exe
848	Ageolo32.exe
2104	Anogiicl.exe
2184	Aqncedbp.exe
816	Aclpap32.exe
3384	Afjlnk32.exe
1944	Anadoi32.exe
2248	Agjhgngj.exe
5056	Andqdh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nphhmj32.exe	Njnpppkn.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Eohipl32.dll	Njqmepik.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pjhlml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5344	5464	WerFault.exe	215

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngmgne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3540	2992	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe	87
PID 2992 wrote to memory of 3540	2992	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe	87
PID 2992 wrote to memory of 3540	2992	209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe	87
PID 3540 wrote to memory of 1428	3540	Npcoakfp.exe	88
PID 3540 wrote to memory of 1428	3540	Npcoakfp.exe	88
PID 3540 wrote to memory of 1428	3540	Npcoakfp.exe	88
PID 1428 wrote to memory of 4808	1428	Ngmgne32.exe	89
PID 1428 wrote to memory of 4808	1428	Ngmgne32.exe	89
PID 1428 wrote to memory of 4808	1428	Ngmgne32.exe	89
PID 4808 wrote to memory of 2396	4808	Nepgjaeg.exe	90
PID 4808 wrote to memory of 2396	4808	Nepgjaeg.exe	90
PID 4808 wrote to memory of 2396	4808	Nepgjaeg.exe	90
PID 2396 wrote to memory of 4604	2396	Nngokoej.exe	91
PID 2396 wrote to memory of 4604	2396	Nngokoej.exe	91
PID 2396 wrote to memory of 4604	2396	Nngokoej.exe	91
PID 4604 wrote to memory of 648	4604	Npfkgjdn.exe	92
PID 4604 wrote to memory of 648	4604	Npfkgjdn.exe	92
PID 4604 wrote to memory of 648	4604	Npfkgjdn.exe	92
PID 648 wrote to memory of 1948	648	Ngpccdlj.exe	93
PID 648 wrote to memory of 1948	648	Ngpccdlj.exe	93
PID 648 wrote to memory of 1948	648	Ngpccdlj.exe	93
PID 1948 wrote to memory of 1288	1948	Njnpppkn.exe	94
PID 1948 wrote to memory of 1288	1948	Njnpppkn.exe	94
PID 1948 wrote to memory of 1288	1948	Njnpppkn.exe	94
PID 1288 wrote to memory of 1744	1288	Nphhmj32.exe	95
PID 1288 wrote to memory of 1744	1288	Nphhmj32.exe	95
PID 1288 wrote to memory of 1744	1288	Nphhmj32.exe	95
PID 1744 wrote to memory of 1436	1744	Ncfdie32.exe	96
PID 1744 wrote to memory of 1436	1744	Ncfdie32.exe	96
PID 1744 wrote to memory of 1436	1744	Ncfdie32.exe	96
PID 1436 wrote to memory of 2768	1436	Njqmepik.exe	97
PID 1436 wrote to memory of 2768	1436	Njqmepik.exe	97
PID 1436 wrote to memory of 2768	1436	Njqmepik.exe	97
PID 2768 wrote to memory of 4124	2768	Npjebj32.exe	98
PID 2768 wrote to memory of 4124	2768	Npjebj32.exe	98
PID 2768 wrote to memory of 4124	2768	Npjebj32.exe	98
PID 4124 wrote to memory of 4632	4124	Ncianepl.exe	99
PID 4124 wrote to memory of 4632	4124	Ncianepl.exe	99
PID 4124 wrote to memory of 4632	4124	Ncianepl.exe	99
PID 4632 wrote to memory of 4676	4632	Njciko32.exe	100
PID 4632 wrote to memory of 4676	4632	Njciko32.exe	100
PID 4632 wrote to memory of 4676	4632	Njciko32.exe	100
PID 4676 wrote to memory of 4316	4676	Nlaegk32.exe	101
PID 4676 wrote to memory of 4316	4676	Nlaegk32.exe	101
PID 4676 wrote to memory of 4316	4676	Nlaegk32.exe	101
PID 4316 wrote to memory of 5048	4316	Nckndeni.exe	102
PID 4316 wrote to memory of 5048	4316	Nckndeni.exe	102
PID 4316 wrote to memory of 5048	4316	Nckndeni.exe	102
PID 5048 wrote to memory of 3768	5048	Njefqo32.exe	103
PID 5048 wrote to memory of 3768	5048	Njefqo32.exe	103
PID 5048 wrote to memory of 3768	5048	Njefqo32.exe	103
PID 3768 wrote to memory of 3040	3768	Oponmilc.exe	104
PID 3768 wrote to memory of 3040	3768	Oponmilc.exe	104
PID 3768 wrote to memory of 3040	3768	Oponmilc.exe	104
PID 3040 wrote to memory of 1240	3040	Ogifjcdp.exe	105
PID 3040 wrote to memory of 1240	3040	Ogifjcdp.exe	105
PID 3040 wrote to memory of 1240	3040	Ogifjcdp.exe	105
PID 1240 wrote to memory of 3316	1240	Oncofm32.exe	107
PID 1240 wrote to memory of 3316	1240	Oncofm32.exe	107
PID 1240 wrote to memory of 3316	1240	Oncofm32.exe	107
PID 3316 wrote to memory of 1660	3316	Odmgcgbi.exe	108
PID 3316 wrote to memory of 1660	3316	Odmgcgbi.exe	108
PID 3316 wrote to memory of 1660	3316	Odmgcgbi.exe	108
PID 1660 wrote to memory of 872	1660	Ogkcpbam.exe	109

C:\Users\Admin\AppData\Local\Temp\209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe
"C:\Users\Admin\AppData\Local\Temp\209dd2f3da4b631a020d8b7a300cc5b8fb70ed73aafcc9caf688149bad0e286f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3260
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        
        PID:1284
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        48⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        59⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        62⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:772
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        69⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        72⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        74⤵
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        77⤵
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        85⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        87⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        90⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5736
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        94⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5152
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        102⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5304
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        105⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        110⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        111⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        118⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        119⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        120⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        122⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 404
        125⤵
        Program crash
        
        PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5464 -ip 5464
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
128KB

MD5
8d9085510ccb406544bc667178860aba

SHA1
792c3aa1de376b6417d90aea5e92e0e1d563148e

SHA256
053f14c9e00cadee63b10a03fe3ce151594839e67cc426590e1228a4c9b2487e

SHA512
a399bdc53be3d50220767dfd79952e3c243773e1c2bf85c6498513afa38765c82b40b87e3c868f05719740b4270f4abfe734aad380ba2f917b68f7fac2723029

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
128KB

MD5
a28604612d118ffe48a306fe181d58ae

SHA1
8ef6585c42800fcee4254a8ff1ac638f552e080a

SHA256
0bbb3eb87f5b3d54df41e2a46b0e1098b85b5a03b068eeb79b56b1995f97e700

SHA512
a900485bad4594b23d6eddbbcb8bd155f1a71df9125ac0d0e6b2e7081b6a11205e32aa3593f128acb448b09f4f78f8a54201f8df9d51c3749947754ea09ecd05

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
128KB

MD5
68ded063ae26bfcd2e21d38eaf371f37

SHA1
e66a4d9c1afe4f2f906ccf68eb775c66ddc92722

SHA256
b0f64446e9c2435c9cf7f300f49f3756cd38fada7e045f8949c434fc1fc36790

SHA512
3906d72babce85f50e192579650856581843db6fd4334c76fd08eaa45de7f76a33c7697aec6ecb0a920562c43941325fab8d5d83f14eeee032039c5f91a344ff

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
128KB

MD5
502ec3ebf8da3d20c1c565d5e49444d4

SHA1
ffa8c1cbec481ef3f444104869922108f93d5ffa

SHA256
bccc8d4eb1f02736e9a667ca3b86486370512d1b203dd996b5820a3d3b54d84e

SHA512
61179a227a9ab454051f365a0692c06a88dcfb9b9e6c53181e04394e31695d3627bf84d586d3b7c50711f52669f6ce4ce5932236db19fd1df95a87a56e3beb73

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
128KB

MD5
5147abae6b92727ca9736792d82e92e6

SHA1
6ada0ea9b80b39b518ec961574fa1de089f7095b

SHA256
32ef4b270a1aa5cdeb1ac5ffe04405b7ecb13dc15459cbec67936c483a893da9

SHA512
733f314dc9ae32e777960791640e8396e3e1e5a567cf58081331d2cce1576c1bc466ae71c67f995ffb8cd7009aaf329572ec2860dcc5883bca1a300d4f8dcdeb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
128KB

MD5
1f9fd3ad9d0dc4a7be135539adf8ae8f

SHA1
aecf1029ea75ca0d768931a579bccde35b39c99d

SHA256
c4ced1d920e8adc5c8f91aea703bc199493b6c3e44347089f790aa5cf72a6c7d

SHA512
9ad82c982bbd43229ec01e94d62218d09c72ed4c16246243208b4f4c635b4a0a23dc552dd864ad6fcff8b4f9af0ce76220562a037415d7697f8ea2c3e9f29e92

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
128KB

MD5
c70f6f6ec25247db4c668212879d240e

SHA1
2800a448f0c15fa36b29fd3215e0406c67b67928

SHA256
bc3aee65e36aec64b29549bf8d1977ec4db2add587f1aebe1a60a4562f6b357f

SHA512
cae9de784f103fcd3495df8e7e62cbbe5c715203cfeeb1b18a7a2f863abf2e0edb62a4796f5123dc71817c6993898400e5ea1ca97ad9000749a4c238691c29c7

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
128KB

MD5
837c2b10f3ae9dd8920c54c62cd135ef

SHA1
376de87a50415556170416c306a91d76ece1c14a

SHA256
a57ffe449fec80b4de039d0cac44cf802fc434e413b7f8153687510b31f5069a

SHA512
1713c67ca596187bfb7634e57a760565e00b4b6c3d7b91ac30c7d735b61ed808fd8ad1c4e9a432779479e8bd29a12512664286212ff20cb09680d56b885f3e34

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
128KB

MD5
6927cd5af28d65c944ed5e9adffb6011

SHA1
83654e2908563f191623999522b50895ee9613a0

SHA256
77460a8778592c71a8ce536df51e662eeed437e6cdfd23d29e4cbbfe829c1e24

SHA512
ae1612df96e2f8949070f6f9cf31a26d46f2e83366ac1af787848ca36959e151db966acd8f3851e97df13bfead39113d24cdcad0819126fc643035dcc507649a

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
128KB

MD5
5c497863b2768977f2bc9c7d80a0ec22

SHA1
37654c097178cb6822e5436fd14d24ed6100754a

SHA256
b161a8a2dfeff1a3e084ebfb9fd651a4d9ccea8d59e91ce0f8b022fcb0aa92a0

SHA512
128a864bf0881307920ec30ee554604d8e7ff8b92e020f0db9de0ea155f477a0af744b351fda5387cb5527505aff45cd3ee58f9b6f25a74989f21d3160e92a92

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
128KB

MD5
d66b282c527197a27dd52059270fb4d3

SHA1
c65bff4f4dd46e7997a2df4c24366cbaadd4dd9f

SHA256
7286ece83cd808219c959841b6dbd80fbb1ff668e8da9e953abe805ea97303de

SHA512
6560d9fe9f997270c9881098413152430f28a83b953d90203363fa836399349e3240393ac65316e93767ea552c70deacd2b886ed83d1d13f5600a15c01219dd5

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
128KB

MD5
3798f39ca4fe25c1dfe1da1096303dc4

SHA1
d7bf690f39ad365dd6236049d35624432b3340f6

SHA256
863ad6b993b6ec0fe452969685978e013ac67851fe072dde1fe674d7cb083972

SHA512
f64fcbe73257b288f94b80f76234c0ab8ac49984ddb0ce4e8e0becb7772fe756a76c75a6a1444d0b021df834386ca2aaeafba155691d2c2d479271bb5b3a67db

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
128KB

MD5
ec447106b71fe1e858b212164b3f559f

SHA1
62c98631dad5ec15cc5f47673ccc2294d851a20b

SHA256
6f087cf82ffcf55d69a1efac640adcb056dd51a4ce557d30cb15f546e2b8cc1a

SHA512
dee849682eda002db28f75baf68530b4d2ce84bfdd643b301201f13dc02418c5e9e9ebed373b9c5dc8527ad4879dcf484ab7dc02f1b59d2f82aceb3032894449

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
128KB

MD5
0d26c4bed0f0f1a40cdcf0b1e7514fa4

SHA1
fdd926b70946d866a274cdb315f9e0223532d900

SHA256
5aeefe30646e165f76fabf9ee02d92483e21f31ab1de891b05d1704b86dbb35a

SHA512
a3151eee479a8bd2f3fa2ff3ce07f80e425bbc960ee7f58f94f0c1ec311b5ec9320fb8db90e47f106489e9f04022f8892a4b169d8b444093641237a092530ef1

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
128KB

MD5
9a81e2b7f5900139108c05580d3c9b78

SHA1
1c01c5e631f379631000e82d541ecd433bf367f0

SHA256
e47e86795ac35b1286a183e8f4e31bf0553964f8d1d4ba20bdfc4e516e921f14

SHA512
dab6ec2926346849c61c55c8f73be4bc8a2ec5fe42d7be5f17d49ccb86250e6f81efb6f971ae7f22bd0509d36031dd959c20fd19c9a21619a0314aa6a83866e5

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
128KB

MD5
f06d5a62454f2398d2dfd893dc6834a5

SHA1
33852d333251451e95b7efa41bfe867b9da52cf6

SHA256
51714d073bc70c94e734eadeb145f2eea72af18fe1b5e170e3d2a8fdc83e1910

SHA512
c24d2ae3b2e9fe02cd674f179420d8404705bcfaa842a02c343dc0f22107818b5a7fd6645672808463b069b109ac811b04761a6926b31b020d35897fcb6998a1

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
128KB

MD5
1f200331e5125b98361c4785bc066851

SHA1
e9dee92bb366ea816852955bc9acf572b8cef6bc

SHA256
1f1ca479d671f69241840da7de2c7ca423dd7ec841d957d2107b9b73e7d6fbd1

SHA512
b095539d20a06a57fad1b3a4bad627398ab9a1431157c6166bdd437b2c568135072e19b6d555affcd28d07fc16f174ba0f09a55c7aa60d62dc7adfbf28e7f9d3

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
128KB

MD5
7d0c1449ff4855d7074906e35d3a1836

SHA1
cc8a03d3fe225dc77efd84cb9db3ae8d3c99bab6

SHA256
4cec8368769a1d3b02d3329dfa0d8b854e5f5b64a6e5b673fa080417bed6c6ba

SHA512
3a47fe5558f3f3818035f1a303a9cebb4cd21bd45a2265b4d441721d072180fd43335fd13b5e63e6efc4ff75cf473b3015ea5edce2ab5f993970bf459bc97578

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
128KB

MD5
9f27697c53a68ca9b7d8cc615483d93c

SHA1
7d68a1392edc9e5bbe0002ded6209564b2b48dab

SHA256
33c21180fcccf084308bf0ffaa690c6c99bd67aca703a397cc8c87164c31c022

SHA512
5440f7019e5a36c283aefc6c7bd257db45ccec648268f90c47d85d6b9c10a3ffe07fc389d0d8f9c4d18e6f873e59d5b50939f52b9207e94f0f82fa7ac1f1a9e6

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
128KB

MD5
36b2526de9087390f821c07928868de5

SHA1
475f82088ed73ab5496c90cfd26d15b2ef2a511b

SHA256
9134ad381a05b2212cf5c86c07c6c58cbc72bf7a0e867aa5f14ebb7c6aa04220

SHA512
60d29ba37cb03c0b661b0816445893b434d0171f92af4e8699ab7d4b8f29978318e122f7389a36e2cbd0bb5aed97132c7572ab58d9c8891abe91551c8cccec2b

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
128KB

MD5
28ea4fd2ef6ba7d44ab8aad32fa68576

SHA1
26fd37d3e9c1cfb30425872acd18e04d2222f742

SHA256
c06214a83b2ac307af8fcc7b4315de56ab87ecdc60ecf2c498d4d8e5b2b2f291

SHA512
8a4009b7d9ec5c549de01744b2c519f6bca192559d6bb6b221edd4a81493579759821b6590e6c92eb2994bb3f1c215757ec7b0a643fe5a95a463c35cba5d1bd4

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
128KB

MD5
e70d34c6ec9f90b6f34c4cde1b9ca5cc

SHA1
131f4731367e114b52d82695e2314aa0ab697f09

SHA256
342ab2112b00da0eb4b8de959df877a79ccbc77a023232e8bb0cabfc54bd9b62

SHA512
16e6032215ffca766525b231140d1b85df6c78c33beb4395cf216489a6aca4ea502ada5a5b6e2bd4c41ce8ccc43ef5c4bab5b6d032a3ec5453941e0e5219938f

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
128KB

MD5
de3f955b78a1e52b94c2fb77a2c10fbf

SHA1
a1be7dc379fd4e90592bbbb6509ffba186651505

SHA256
667bf7e104ca8d485ca21f4688e76b22d79ac44e0f98f04a548cb35d57653214

SHA512
6bd808851588fafaa3e14c18e12ad0b81769f869270bb8e821e8ee690283e5b3e5d820d3234e33b19e0690bcb9b63c031aa5a4507605e1ea7dd06ca607cfa0b1

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
128KB

MD5
d15441fe48dfd5bf7a036ae803f55f98

SHA1
44ab4f76342d949bc8378afd3ac264a1c0f0e1dc

SHA256
66da9ba36a002fcca48c59de563ea66466b3e44042ee45ee8db6ff7e433dad8c

SHA512
fb8204dd8b6e372f8dd2c5129c0f02fc021643a3e9200d96dfbe63c23735d53d34a6970ada1b30b152883590c912d420f803a71c348ddea5925f052c5436b69c

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
128KB

MD5
21111d1f5ced30d86ff7ec9b2b5283dd

SHA1
3681e8ae25ef854b30e91168d4505547ee9dadfe

SHA256
659cfea878b3a05287b96a9200d9c0a4cc793aff7ff88e9915f3235eec123275

SHA512
4774477f806244b09202bcdcd4fa48f219e1db507c65dd043d0f27dcbc6a45d74a384851229c91ced6cbc465cfbd1ae4fb8908cd71ad14944e82d93e0d799cfd

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
128KB

MD5
7908e9358ea7842c4fd55cd72dd32a98

SHA1
43d09f9a4e193bda48965f43558fa0dc4c87ded0

SHA256
914c9b7fef965c1290711416e67f3bb626676d147cc24a497d76943f820d8d64

SHA512
5f371c184c81a0ee3b11a8b22a71263962927552817ebc7bf90e1535cee2e8aacdb75ae8b9ac84d28021813367f1b1b7f55b1485e26b893da7569b892317f7d4

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
128KB

MD5
fecaca3c6d2217aeb3c4e40f1fdc4d70

SHA1
838c2b61ffa73d2889fb1ab226c3d023a3ed78b3

SHA256
ac63c787ba0d5668eb7124c1f54692658181f5bf07bf487422a985a913126d1a

SHA512
d65ffbf5d26f71a08097facf2937fe8a563a48a9e320860971556faaf182221d2d8817acb808707976fc9ebfcec044ae2fe865f8a51756ac79a993be08ba45ad

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
025e8bb553f5954d9c4e4baa69d76405

SHA1
7cf89f026c5952004617762814b1192fa374fc86

SHA256
9a0e76d98f0caf14fcbdf159f47d4e2ed93a6f5fbb46a79391e0a31285507d6b

SHA512
3a0815d4905450f7e93493aec95ece81c43a8d4a19e0ddfeb57cc09e8b90fe3a73f01d38d7d002104e1025008ba1914add6f32a4045926e1e8ae55c0bdcdf5ac

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
e7c942047888ccd9f8d652b69f123177

SHA1
a689aaa3d4a804c1847929ac43d7a378750f2245

SHA256
010b6bcb4e7f4287582e5c586f6fb92d8639d6c7fe76ae70adb206f0e92693ae

SHA512
3e41fbe3415d163e475f1af1c442bfef6a47d9c9578452407ce6a9291da846a056be3d3bbcbc12620e2c490eb6c9a676ae4cfa52b3043395ad5f14460ff601a4

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
128KB

MD5
cae53280da1b53c35e3a36aab42f495c

SHA1
16323529c1d9384146e70ad2d47b94548c42a76a

SHA256
e34d449c4af61539ff96d377136a47f4707c969b8e0254bd9597854073cf7ad4

SHA512
fa25ff106f691676504d3da6ca147f4b43e095db3fc2e283adee33b03bead1a5937e8410c02f2178219f199dabf88750d6d02e866d7cbfdaebcf8d081a19ed62

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
128KB

MD5
2dae7d916cbee6d84f88eb6dafdc46fe

SHA1
5ec9be41dbc716cc3780b30d0a4eea517c3bd7fc

SHA256
77e5a9b7bc8ded4935b6e2488bf458590a0c93e13c9cdff1fd678e295897ee0d

SHA512
5f00ca0cf50be33381c686befa46e33d8587f456275db21202932747a970e1e692dc479442072e332673c86a733f39717841becf09f909cc5d2d1f692fd334e1

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
128KB

MD5
0c2963660a4e173d0df120f862ba07de

SHA1
c6f41fb4f51c8f0e4cc6e3916d8d074c41f5966a

SHA256
9fa193090c1db2073c697ddab091ef32e95a909b3c988cd3d09f4e44ea4f6d2a

SHA512
0f791f21bb74d4a2ab857e8b1aeda13b431ba330e9b3accf471808697b94ce798825648268c9ad2f622a13fd872464c6ca290a80203bbe0dd579a0ec95795f69

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
128KB

MD5
ad092dd13dd6674d36affc92b2d93e9c

SHA1
a7603ccf35a9397391df7f31699d27f0235bc45b

SHA256
3a913e97cda131ede9e611d64472f57b0cb9631b9cce96e6d937f43fc3b3806f

SHA512
0bdb1fd7f970a3f1354ced6e3bea15cdf2f9fce9fc06843e8163ae5bb4b3fa16fbfdd2f68ec1002ed77427c67de202fe1ec1ccf7bf5693ac6e3ba230eb01bb6f

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
128KB

MD5
1c3b17cf3e8546ee7ed9203b4cc93fd1

SHA1
75b7b7acf314e3ac3f2fe34ae15320cdb4f34552

SHA256
a06a4fd98810231c6e1b4055c494feaad96e95d88c17200f6d1e28f8914a6b0e

SHA512
b542daea300aca664513b0677d5c838882ef72fc4d45bee36bed3b39f6450abfba843839775e3705a318e12fe5705ff15fb4811bc0c867deee2de61ce53e25b2

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
128KB

MD5
2bed33502a0bc9c1cefae5fc28782ac0

SHA1
1f1ed66b9077ab334fb676d09de2e8760b140097

SHA256
2b0d7545d511b6293132cd28510046e189efe3a5bf5f3521d605468744817de3

SHA512
12c51913481d3a072a906a63d6433858585a419f1ada2cf56bff57575c87c7eef8709dd009c41fb09c5c65e1f98ca0c51c4082808e783b5e6cf35c35852a9f8c

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
128KB

MD5
2cafe1714d8284c1454c3bd88b5c849a

SHA1
825bc6d5b0fa16aeb251cd7a08ab9061dc291767

SHA256
d1c354e2331a69b45fd4e491153f76103d23837212666c83c0220a72e27ee1ab

SHA512
8f424068c48ca192978e1dcd608515655f9eaba5587c5a09fce72ab7bb94eee5910abf88edb1bfe19fc7ac6cd8c4e36f44dafe91cbaa79c4bfa8537415f92111

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
128KB

MD5
930348021e3a03498ac9e3af9178aee3

SHA1
9b8a9f70991206586e3d947a6fb4afc668b59bfe

SHA256
050ea471548562ed706a8320900c4ee6aaac001c6db8af419689aec700e3360a

SHA512
37d05cde82be00116b212759154d708a6224cbb1dad9dfccf95db852a0b2a0c4204db15cfce409e18275f416bd9ebbfd3467b76e1018abd61e6b7e5387cf40f8

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
128KB

MD5
f2be24122231af1e45b6271be12fdfe4

SHA1
e9cdbe34b9c246e69fa4a5ca08e74d8790231643

SHA256
2ce97f246635e27d7b06a906a1360596f318a7fbb0b8a7fe24d0dba5d47ea0fb

SHA512
9ed281144828fe2f5983c46b6b033036c20f59e198078ebe3890ace3c494ecf992372e0756c79df3792a4381eb436ed789991c0c02c2b9f26874c43678891ee6

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
128KB

MD5
5a3476617fbc73fa47462c081f1ed97f

SHA1
1e2be46d436a5237169ecdf9031eb55f2cc36027

SHA256
b26ee4738350cfbad1eb03bf234da75a47a26e8f81d567d138ed84955e9f320a

SHA512
0a173ccaf84e397891e3eb7091a621c4e0ffda73e790b6b1c42a7089da6f35bf1433d0baea9f8f05bf4ca09789ca59cfdd0d8dcb0b98e528e35a747588f9b63c

Download Submit
memory/456-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/648-586-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/648-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/724-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/772-466-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/816-424-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/848-406-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/872-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1064-364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1092-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1216-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1240-151-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1288-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1336-304-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1428-558-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1428-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1436-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1512-514-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1580-400-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1588-388-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1676-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1744-71-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1944-436-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1948-593-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1948-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2104-412-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2152-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-322-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2184-418-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-442-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2296-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2396-31-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2396-572-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2516-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2600-472-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2676-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2768-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2876-316-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3040-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3108-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3204-255-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3256-340-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3260-207-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3284-191-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3292-454-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3296-478-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3316-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3384-430-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3392-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3480-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3540-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3540-551-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3668-490-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3768-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3808-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3844-520-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4072-460-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4104-274-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4124-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4180-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4216-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4316-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4320-394-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4324-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4412-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4444-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4456-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4460-286-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4464-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4604-39-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4604-579-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4632-103-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-292-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4676-111-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-496-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4808-565-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4808-24-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4868-526-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5048-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5056-448-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5076-266-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5080-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5160-532-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5200-538-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5240-545-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5284-552-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5332-563-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5376-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5420-578-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5456-580-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5540-587-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5604-594-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads