berbew | 01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2

Analysis

max time kernel
97s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe
Size

1.4MB
MD5

8a354c85fc0a7b2737dfa9f14f4697ed
SHA1

a3988a0a663049ca015aa60a380ba0dcee0570d8
SHA256

01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2
SHA512

ef7401a1570dc533eeb57d798cde9866afc21d333d9ac7dbdfc470ba412f360c090a74cd593d3f5e600febbd09b963c7c36025ab551520c3ca34ae152a2e5541
SSDEEP

24576:0SDgu5YyCtCCm0BmmvFimm0wh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsKv2Ej:02gu5RCtCmi7bazR0vKLXZt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjdmbil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnfkdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgkmgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcidmkpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaldccip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqhdbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aknbkjfh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adkqoohc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lncjlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokmdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lncjlq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahofoogd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnmaea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnplfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmeigg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onapdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ahofoogd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjkic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpbjkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmfplibd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nadleilm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phajna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hipmfjee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boenhgdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqpcjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aggpfkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjkfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmqnobn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npepkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnjqmpgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnmopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4112	Gmfplibd.exe
4160	Hipmfjee.exe
2812	Hlnjbedi.exe
1460	Holfoqcm.exe
4268	Hibjli32.exe
1164	Iohejo32.exe
908	Ioolkncg.exe
3256	Jgkmgk32.exe
3252	Jcdjbk32.exe
5112	Kcidmkpq.exe
224	Kpmdfonj.exe
372	Kcbfcigf.exe
3968	Lqhdbm32.exe
2028	Lfeljd32.exe
4952	Lncjlq32.exe
972	Moipoh32.exe
1696	Mnjqmpgg.exe
3128	Mokmdh32.exe
5080	Nnojho32.exe
4368	Nclbpf32.exe
4056	Nfjola32.exe
4560	Nnafno32.exe
5088	Nqpcjj32.exe
4128	Ngjkfd32.exe
4592	Njhgbp32.exe
3876	Nmfcok32.exe
4816	Npepkf32.exe
3592	Nglhld32.exe
4336	Njjdho32.exe
1040	Nadleilm.exe
3744	Ngndaccj.exe
2604	Njmqnobn.exe
3576	Nmkmjjaa.exe
2312	Npiiffqe.exe
3856	Ngqagcag.exe
5052	Ojomcopk.exe
2584	Oaifpi32.exe
892	Ocgbld32.exe
1812	Ojajin32.exe
3036	Opnbae32.exe
2064	Ogekbb32.exe
5004	Ojdgnn32.exe
2036	Ombcji32.exe
5084	Oclkgccf.exe
2800	Ofkgcobj.exe
1488	Onapdl32.exe
3508	Oaplqh32.exe
4976	Ogjdmbil.exe
3008	Ojhpimhp.exe
3872	Oabhfg32.exe
116	Ocaebc32.exe
2044	Pfoann32.exe
4840	Pmiikh32.exe
3040	Ppgegd32.exe
2520	Phonha32.exe
3932	Pnifekmd.exe
2140	Pagbaglh.exe
5124	Phajna32.exe
5164	Pjpfjl32.exe
5204	Pmnbfhal.exe
5244	Pplobcpp.exe
5284	Pffgom32.exe
5324	Pnmopk32.exe
5364	Palklf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nmfcok32.exe	Njhgbp32.exe
File opened for modification	C:\Windows\SysWOW64\Oaplqh32.exe	Onapdl32.exe
File opened for modification	C:\Windows\SysWOW64\Pmnbfhal.exe	Pjpfjl32.exe
File created	C:\Windows\SysWOW64\Aogbfi32.exe	Afpjel32.exe
File created	C:\Windows\SysWOW64\Opcefi32.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Agimkk32.exe
File created	C:\Windows\SysWOW64\Bphgeo32.exe	Bmjkic32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Chfegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cacckp32.exe	Ckjknfnh.exe
File created	C:\Windows\SysWOW64\Gdglhf32.dll	Njmqnobn.exe
File created	C:\Windows\SysWOW64\Aggpfkjj.exe	Adhdjpjf.exe
File created	C:\Windows\SysWOW64\Bajqda32.exe	Boldhf32.exe
File created	C:\Windows\SysWOW64\Ngjkfd32.exe	Nqpcjj32.exe
File created	C:\Windows\SysWOW64\Cjceejee.dll	Pmnbfhal.exe
File opened for modification	C:\Windows\SysWOW64\Qodeajbg.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bdfpkm32.exe	Bahdob32.exe
File created	C:\Windows\SysWOW64\Hipmfjee.exe	Gmfplibd.exe
File opened for modification	C:\Windows\SysWOW64\Jcdjbk32.exe	Jgkmgk32.exe
File created	C:\Windows\SysWOW64\Nbgqin32.dll	Nnafno32.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	Njjdho32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Pplobcpp.exe
File opened for modification	C:\Windows\SysWOW64\Boihcf32.exe	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Mnjqmpgg.exe	Moipoh32.exe
File created	C:\Windows\SysWOW64\Nglhld32.exe	Npepkf32.exe
File created	C:\Windows\SysWOW64\Qmeigg32.exe	Qjfmkk32.exe
File opened for modification	C:\Windows\SysWOW64\Aaldccip.exe	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Cncnob32.exe	Ckebcg32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cpbjkn32.exe
File created	C:\Windows\SysWOW64\Qkicbhla.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Hipmfjee.exe	Gmfplibd.exe
File created	C:\Windows\SysWOW64\Jcleff32.dll	Ngjkfd32.exe
File opened for modification	C:\Windows\SysWOW64\Aajhndkb.exe	Aokkahlo.exe
File created	C:\Windows\SysWOW64\Kbqceofn.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Jgddkelm.dll	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Jgkmgk32.exe	Ioolkncg.exe
File created	C:\Windows\SysWOW64\Bfnikd32.dll	Lqhdbm32.exe
File created	C:\Windows\SysWOW64\Pmcckk32.dll	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Nglhld32.exe	Npepkf32.exe
File opened for modification	C:\Windows\SysWOW64\Ahofoogd.exe	Aphnnafb.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Boenhgdd.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Moipoh32.exe	Lncjlq32.exe
File opened for modification	C:\Windows\SysWOW64\Njmqnobn.exe	Ngndaccj.exe
File created	C:\Windows\SysWOW64\Ofkgcobj.exe	Oclkgccf.exe
File created	C:\Windows\SysWOW64\Ppgegd32.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Phonha32.exe
File created	C:\Windows\SysWOW64\Egilaj32.dll	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Bhmbqm32.exe	Bacjdbch.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Ehmjob32.dll	Lfeljd32.exe
File opened for modification	C:\Windows\SysWOW64\Ojhpimhp.exe	Ogjdmbil.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Ppahmb32.exe
File created	C:\Windows\SysWOW64\Qacameaj.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Bgelgi32.exe	Bdfpkm32.exe
File created	C:\Windows\SysWOW64\Ekppjn32.dll	Dafppp32.exe
File opened for modification	C:\Windows\SysWOW64\Kcbfcigf.exe	Kpmdfonj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6932	6832	WerFault.exe	224

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aogbfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amlogfel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjkic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplobcpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnmopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckebcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgqlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhhpop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aknbkjfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adkqoohc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaifpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmfcok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hibjli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjdho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpfjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaldccip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjknfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgbld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aajhndkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apjkcadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcidmkpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcbfcigf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iohejo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjfmkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aggpfkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaplqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppahmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhbebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqpcjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglhld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadleilm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngndaccj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojajin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfeljd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lncjlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Conanfli.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkgohbq.dll"	Aphnnafb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmkmjjaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gadiippo.dll"	Oabhfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll"	Pmiikh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Holfoqcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mokmdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afpjel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifaohg32.dll"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqceofn.dll"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opnbae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfoeejd.dll"	Ogjdmbil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aajhndkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll"	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oaplqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielhgaa.dll"	Aaldccip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkhqmjb.dll"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfeljd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmfcok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll"	Oclkgccf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgkmgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Conanfli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldldehjm.dll"	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll"	Lfeljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidhnlin.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aogbfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cammjakm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Cnfkdb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 4112	3676	01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe	87
PID 3676 wrote to memory of 4112	3676	01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe	87
PID 3676 wrote to memory of 4112	3676	01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe	87
PID 4112 wrote to memory of 4160	4112	Gmfplibd.exe	88
PID 4112 wrote to memory of 4160	4112	Gmfplibd.exe	88
PID 4112 wrote to memory of 4160	4112	Gmfplibd.exe	88
PID 4160 wrote to memory of 2812	4160	Hipmfjee.exe	89
PID 4160 wrote to memory of 2812	4160	Hipmfjee.exe	89
PID 4160 wrote to memory of 2812	4160	Hipmfjee.exe	89
PID 2812 wrote to memory of 1460	2812	Hlnjbedi.exe	90
PID 2812 wrote to memory of 1460	2812	Hlnjbedi.exe	90
PID 2812 wrote to memory of 1460	2812	Hlnjbedi.exe	90
PID 1460 wrote to memory of 4268	1460	Holfoqcm.exe	91
PID 1460 wrote to memory of 4268	1460	Holfoqcm.exe	91
PID 1460 wrote to memory of 4268	1460	Holfoqcm.exe	91
PID 4268 wrote to memory of 1164	4268	Hibjli32.exe	92
PID 4268 wrote to memory of 1164	4268	Hibjli32.exe	92
PID 4268 wrote to memory of 1164	4268	Hibjli32.exe	92
PID 1164 wrote to memory of 908	1164	Iohejo32.exe	93
PID 1164 wrote to memory of 908	1164	Iohejo32.exe	93
PID 1164 wrote to memory of 908	1164	Iohejo32.exe	93
PID 908 wrote to memory of 3256	908	Ioolkncg.exe	94
PID 908 wrote to memory of 3256	908	Ioolkncg.exe	94
PID 908 wrote to memory of 3256	908	Ioolkncg.exe	94
PID 3256 wrote to memory of 3252	3256	Jgkmgk32.exe	95
PID 3256 wrote to memory of 3252	3256	Jgkmgk32.exe	95
PID 3256 wrote to memory of 3252	3256	Jgkmgk32.exe	95
PID 3252 wrote to memory of 5112	3252	Jcdjbk32.exe	96
PID 3252 wrote to memory of 5112	3252	Jcdjbk32.exe	96
PID 3252 wrote to memory of 5112	3252	Jcdjbk32.exe	96
PID 5112 wrote to memory of 224	5112	Kcidmkpq.exe	97
PID 5112 wrote to memory of 224	5112	Kcidmkpq.exe	97
PID 5112 wrote to memory of 224	5112	Kcidmkpq.exe	97
PID 224 wrote to memory of 372	224	Kpmdfonj.exe	98
PID 224 wrote to memory of 372	224	Kpmdfonj.exe	98
PID 224 wrote to memory of 372	224	Kpmdfonj.exe	98
PID 372 wrote to memory of 3968	372	Kcbfcigf.exe	99
PID 372 wrote to memory of 3968	372	Kcbfcigf.exe	99
PID 372 wrote to memory of 3968	372	Kcbfcigf.exe	99
PID 3968 wrote to memory of 2028	3968	Lqhdbm32.exe	100
PID 3968 wrote to memory of 2028	3968	Lqhdbm32.exe	100
PID 3968 wrote to memory of 2028	3968	Lqhdbm32.exe	100
PID 2028 wrote to memory of 4952	2028	Lfeljd32.exe	101
PID 2028 wrote to memory of 4952	2028	Lfeljd32.exe	101
PID 2028 wrote to memory of 4952	2028	Lfeljd32.exe	101
PID 4952 wrote to memory of 972	4952	Lncjlq32.exe	102
PID 4952 wrote to memory of 972	4952	Lncjlq32.exe	102
PID 4952 wrote to memory of 972	4952	Lncjlq32.exe	102
PID 972 wrote to memory of 1696	972	Moipoh32.exe	103
PID 972 wrote to memory of 1696	972	Moipoh32.exe	103
PID 972 wrote to memory of 1696	972	Moipoh32.exe	103
PID 1696 wrote to memory of 3128	1696	Mnjqmpgg.exe	104
PID 1696 wrote to memory of 3128	1696	Mnjqmpgg.exe	104
PID 1696 wrote to memory of 3128	1696	Mnjqmpgg.exe	104
PID 3128 wrote to memory of 5080	3128	Mokmdh32.exe	105
PID 3128 wrote to memory of 5080	3128	Mokmdh32.exe	105
PID 3128 wrote to memory of 5080	3128	Mokmdh32.exe	105
PID 5080 wrote to memory of 4368	5080	Nnojho32.exe	106
PID 5080 wrote to memory of 4368	5080	Nnojho32.exe	106
PID 5080 wrote to memory of 4368	5080	Nnojho32.exe	106
PID 4368 wrote to memory of 4056	4368	Nclbpf32.exe	107
PID 4368 wrote to memory of 4056	4368	Nclbpf32.exe	107
PID 4368 wrote to memory of 4056	4368	Nclbpf32.exe	107
PID 4056 wrote to memory of 4560	4056	Nfjola32.exe	108

C:\Users\Admin\AppData\Local\Temp\01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe
"C:\Users\Admin\AppData\Local\Temp\01455b79cc277c2e2ff84ff99f3f6a91ede004e601ed6e41cc341d5e358b97b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\Gmfplibd.exe
  C:\Windows\system32\Gmfplibd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\Hipmfjee.exe
    C:\Windows\system32\Hipmfjee.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\SysWOW64\Hlnjbedi.exe
      C:\Windows\system32\Hlnjbedi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\Holfoqcm.exe
        
        C:\Windows\system32\Holfoqcm.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Iohejo32.exe
        
        C:\Windows\system32\Iohejo32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jcdjbk32.exe
        
        C:\Windows\system32\Jcdjbk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Kcbfcigf.exe
        
        C:\Windows\system32\Kcbfcigf.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Lqhdbm32.exe
        
        C:\Windows\system32\Lqhdbm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lfeljd32.exe
        
        C:\Windows\system32\Lfeljd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Lncjlq32.exe
        
        C:\Windows\system32\Lncjlq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Mokmdh32.exe
        
        C:\Windows\system32\Mokmdh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Nnojho32.exe
        
        C:\Windows\system32\Nnojho32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Nclbpf32.exe
        
        C:\Windows\system32\Nclbpf32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Nfjola32.exe
        
        C:\Windows\system32\Nfjola32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Nqpcjj32.exe
        
        C:\Windows\system32\Nqpcjj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Njhgbp32.exe
        
        C:\Windows\system32\Njhgbp32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Npepkf32.exe
        
        C:\Windows\system32\Npepkf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Nglhld32.exe
        
        C:\Windows\system32\Nglhld32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Njjdho32.exe
        
        C:\Windows\system32\Njjdho32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Nadleilm.exe
        
        C:\Windows\system32\Nadleilm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Ngndaccj.exe
        
        C:\Windows\system32\Ngndaccj.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Njmqnobn.exe
        
        C:\Windows\system32\Njmqnobn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Npiiffqe.exe
        
        C:\Windows\system32\Npiiffqe.exe
        35⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Ngqagcag.exe
        
        C:\Windows\system32\Ngqagcag.exe
        36⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        37⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\Oaifpi32.exe
        
        C:\Windows\system32\Oaifpi32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Oaplqh32.exe
        
        C:\Windows\system32\Oaplqh32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Ojhpimhp.exe
        
        C:\Windows\system32\Ojhpimhp.exe
        50⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        52⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        53⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        55⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        57⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5124
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Pnmopk32.exe
        
        C:\Windows\system32\Pnmopk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5484
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        75⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5804
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        87⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        88⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Adkqoohc.exe
        
        C:\Windows\system32\Adkqoohc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        98⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        99⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        103⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Bmjkic32.exe
        
        C:\Windows\system32\Bmjkic32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        107⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        108⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        110⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        112⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        114⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        118⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        119⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        120⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Cpbjkn32.exe
        
        C:\Windows\system32\Cpbjkn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        123⤵
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:6312
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        127⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6352
        
        C:\Windows\SysWOW64\Ckjknfnh.exe
        
        C:\Windows\system32\Ckjknfnh.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6392
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Cgqlcg32.exe
        
        C:\Windows\system32\Cgqlcg32.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6512
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6672
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        137⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6792
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        139⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 412
        140⤵
        Program crash
        
        PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6832 -ip 6832
1⤵
PID:6900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gmfplibd.exe

Filesize
1.4MB

MD5
e81594211bcb18c83c475b55dc3d65c5

SHA1
266fd66a222f3b85e97e1a68c5f119bfcc220806

SHA256
05c9fd9102ec635c3be94bab0d9be3d67de78d63bdc624b1cf0ba80fba6a1472

SHA512
586dd9e39f56a66310c4cb07b2a924b30dde8de2e95d28283618627a217275dea1f47097b05579aa9e62b9e34ee09f5e84b5e8d1a60f6717571b17dc69c88c50

Download Submit
C:\Windows\SysWOW64\Hibjli32.exe

Filesize
1.4MB

MD5
aa422f7cdd8c7ac6b6af9abe349e31a6

SHA1
196e1707a5167508c5e1136b79f549df3010f353

SHA256
1804be534cdc5799225d0f190a0aa9aa12f8887a73bf5666f972fb8d7de1b91e

SHA512
35937d2ba6b592b49292bf9b3d9b4c92cfbdbb09ff847afa81306b4b4995995a5240dc3de7aeb81df4b6dd1fa8abd6dbe348bb21e687ace1b357667f942f6f2a

Download Submit
C:\Windows\SysWOW64\Hipmfjee.exe

Filesize
1.4MB

MD5
b3822b53971485018afb20c99c672d49

SHA1
a4d882545a2f85ac8dfb5002237921310fe4b80a

SHA256
41cf4c8c238e2f637d5c4c836a97408098b9c784c45d489c400a0dd0652f8fb6

SHA512
3b3f435fd4f29d27278bdbe87c87bba3700d513db207f445c03015919261704b55637981e4da1a75c19850f682b509daa9e54d3b0dcfcd0bb84983f382896826

Download Submit
C:\Windows\SysWOW64\Hlnjbedi.exe

Filesize
1.4MB

MD5
5163479f7b102f991defb6def19dcd30

SHA1
26018fb89708881ca7286c6c028810f21fac9a0f

SHA256
e5f2dcbd5dc845e1fc011ed8f5ae6a52bd0bde128e42896c4b64d2aeb63fdd0f

SHA512
6ee0665cdd02a39e6dbf975b760a6445edbd593ae89f3bd661c68b7fda84877c2f19eb143565bb5661d6b45f642d79e57caf9bace08fd8582acf3f5d2f9e4d96

Download Submit
C:\Windows\SysWOW64\Holfoqcm.exe

Filesize
1.4MB

MD5
2f8c66147b1e0d50e205d22c7d84e9bd

SHA1
041ca512d12f38561c9f3fbffc49ca0b11041412

SHA256
bbf0088fed6edfcea5425255950e99c21e2798055ef4e1aaaede9807ab41cb0d

SHA512
0af972c2ecaf9e67062bfaeb3648777f6cbcc088189b54ccd9c6c3813c3451ba80e0aa9e68c5a92d4acb528dfa7aa699c4429e102607c5dc73b8f82c70f56977

Download Submit
C:\Windows\SysWOW64\Iohejo32.exe

Filesize
1.4MB

MD5
237de673e28156cb2db3cc2311827593

SHA1
023100798a8a7b88c176ecb295b7df4fd7934961

SHA256
dee95ee5fe33ba2d69a6b7080ca418526366db55531ce16419589d1600f1c589

SHA512
f277b01151f2b612f04fc6fcfde4c15222d58da26db71f70877c6daeb62f2463cda6bc7032505b96106b53ec606aee46ae155a9967465595736ac9a8abbd212a

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
1.4MB

MD5
7a526dace13f5ce6cf7bbdffb17de870

SHA1
5ccdaa26a38d75b2201f1d69da8558466d18e852

SHA256
3fe0054818af82d9297e4a4ca643d717bbc6a12f5796a52d2641543a117410d4

SHA512
5b05f8d338f0c9c6835daa8d3377f684334e9d35d4750002b52fc7a6d62af95e74581843a4fc133802ea9272f8d4c89fe659ae54e23efb4c2e8e86b6a8f231c7

Download Submit
C:\Windows\SysWOW64\Jcdjbk32.exe

Filesize
1.4MB

MD5
6267993cfecb630f1d31930367bec921

SHA1
34c56d3722fe96bda00bd9922a0d51e28c0f12a5

SHA256
3bc862ac6c8595549064e70ac51e3c5d03396d269c82ed9a9c5b6b2ca01dc60b

SHA512
1ab7bd47e2da9c8bfdc1e55ee61ee114d77a01abd2df26d158053c8b13063620c5f0373406bccc641b77d5975bf9dbf20628b3b691e3250dac2f98f460853a21

Download Submit
C:\Windows\SysWOW64\Jgkmgk32.exe

Filesize
1.4MB

MD5
410227e6218490bff69a0c8619f8bc21

SHA1
6f3c9fa13be386318f5792fb10ab27bbfbe24a57

SHA256
7c12a159d8e3c6fa6e843d58bd42baf81596a8311f50f1145a3a78ece7491087

SHA512
5f31e232bcca5de0ee6c38310335db8777ef06b8b016e2f94182c8616c9379b966b555d6f8c29482d4719fc42211706f2c5a716e707f744bd766b6e7ab9dc06f

Download Submit
C:\Windows\SysWOW64\Kcbfcigf.exe

Filesize
1.4MB

MD5
91bdbcf052335389e8707a267657a30e

SHA1
d405828f749b657f46ff83903c700de828ac6335

SHA256
d686993022613b81aaef75c69e3385cd726d0619a7bac53f3b8cea0e03b80823

SHA512
be8b49b627b6d7460952a00b4d72ebe3e3652d35d730807dc7a16c3b0e744516df84f0894c04754d77bcb8e9d0a3210c0363f7d5786ba27b32ded8ff08858005

Download Submit
C:\Windows\SysWOW64\Kcidmkpq.exe

Filesize
1.4MB

MD5
97d6600225ae340981718d64915bc4bb

SHA1
c51505240826f8faff14aaae430d66a79748243a

SHA256
5e3c330c65125f01b27af6b88ec35ac26f0206bb8cc492888749d43ec8669d15

SHA512
dbf3c72980d99257f943ae7407aa127b2a6e98521c19a4fb02cbfe01b181b4f2a9490bc9a63f7c223afcb1567d22d6e00e4e37394249974f187c37991e203123

Download Submit
C:\Windows\SysWOW64\Kpmdfonj.exe

Filesize
1.4MB

MD5
363a4bf1aee8d4a1ab35dbbd4c137fee

SHA1
f2c8cde9419c156e7350f2b4028856a82f166877

SHA256
6e21f6456e6759173be72c156bc3c89be38f88d48064aba79b0e674eaca09cc0

SHA512
28147814063d6ed28221e61543d88786f714267acb464978a344bc4db9386d4a59a6eb21a4814316b70feefe1b6710b874b1e4abc69f764d2934edcb155fa133

Download Submit
C:\Windows\SysWOW64\Lfeljd32.exe

Filesize
1.4MB

MD5
49d612931eddeba05e77588e3ab23603

SHA1
e2968fd0fcec6d58d8826ed49b0afcc8efaf9dac

SHA256
81d3ff0211426d0cf34dcd6a7d828ae5cd68bc9960aadc767eca0550e66c9327

SHA512
6cccdcd5b2ea7bfcab5614147f6c98b666d991bd3d67e46480f18a3cf0f43070c174d46d03ae501b971bdf54151360fd877497e798db54f7fd8f6049207080c1

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
1.4MB

MD5
359355a8e44427e705f61afa6e430f6a

SHA1
4a769e1436da1ac74fd36b06bbfa861f25c08bbe

SHA256
54abecbf3a750a2af397d48bb1a02b60c456788de54a6e282ff52e21ed9f26a6

SHA512
b9bb04d609a7a314b15e7fa6a2e6c06c6def504a1b02fce99399b9be10b679166f6190d2a9600eaec6f58f4a56b97ab85733225466cd26aa49fe4cfcc4c032dd

Download Submit
C:\Windows\SysWOW64\Lncjlq32.exe

Filesize
1.4MB

MD5
5fdb6b2e3fa9c0fbe163719aacead65f

SHA1
869f94338bc8e44f30b466aab0e7db980cde8641

SHA256
9ef4c9b84e97c3200cf7d2d1464ae1112fed409c165337d4cd126ba252e32f5f

SHA512
7ee410672bffe72bd53335cd4aa645597bfdd0bd27287b3bb8f92e26263871f3aa63a884fa382ce74e9afa2637093e4804fc5482554fe08e3fe100f985e10ae8

Download Submit
C:\Windows\SysWOW64\Lqhdbm32.exe

Filesize
1.4MB

MD5
09c93ff1fa5fc04acc536c0c2716c7be

SHA1
9ff568b73d563c71002bd5ea0b231fb86ca3d7b5

SHA256
3457e52b28aa7cc887bff5f21cfd0daea624a8f6c9eccee6e9186273e53bd55c

SHA512
51650d2986ba4488a01371f8745cfb8da14fde83d872df4006e20afc5a914ffe95d0ab2655b3101cb49e34558ad18c08a19712319d9828c92b5d8d37a15dd9eb

Download Submit
C:\Windows\SysWOW64\Mnjqmpgg.exe

Filesize
1.4MB

MD5
89088e8e10c270b9387a37be31e2d8cb

SHA1
4fbbb2b2623122642bb45840bc383329c9bacb11

SHA256
fd3bb27d539607b6c9c6b40e98290aa84f54501b7939b76367d2d03c0614e813

SHA512
ab368cb9f92802a50da67ad04da8f8c8a8388dc84be1df136685ba296a6fd0b3c486c37516af1f3cdbc2813cc93178096a899bb4e464f6b2c4dcb57107dbe752

Download Submit
C:\Windows\SysWOW64\Moipoh32.exe

Filesize
1.4MB

MD5
30f3cb275c65b425596e026dcce12c85

SHA1
d7a669152bb2f2deb56045af9e8fd41cbf54ecbe

SHA256
d7887de7df927099b70853025e1fb201d404b11cb033c03bec60dc8d7abe5aab

SHA512
c138cd6467aabbf507cc40b517567d8db8576a5c48d9b4ad9df6d6371c046959ac4b9754802e2572dbe11489a06b1003712a148b22e387712ad02d4d4b4c5483

Download Submit
C:\Windows\SysWOW64\Mokmdh32.exe

Filesize
1.4MB

MD5
dca6681ccb01a91920db941b3181f90d

SHA1
9531be3b4420ef00dadc355625cdb63bec068883

SHA256
d8abe3ae71e058a717c0e951e7423d18d0adfeae1f83a0b36ba5ee13043ef1c8

SHA512
2bb62719ed58f1ff8c60c0122a3b39da8b62eeda617dab178a547979f3f3079f4ece7258f5b211e2c18f9ad6363a7a3ad91dc4d2890930ee992e1c6f2635500a

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
1.4MB

MD5
e75052961fe0f3cf02b9788b9ae874ff

SHA1
3a2af9f587861cbe67156cc6256f604dfaa2bd1a

SHA256
8f5b3b2f2de26beb4381914d82025af7b7692dcd5ff8d276aefb2dbb1491bbd8

SHA512
197e71c114b4794afe24b3d7de9bfad8941915c76a1c48c2b5dd69519a07ca9652592c2965c6be5de01f326c172bca35cca4ec412105e3085533713b4d2f4024

Download Submit
C:\Windows\SysWOW64\Nclbpf32.exe

Filesize
1.4MB

MD5
d3c801ecf0285c3dfb3f87feb8189989

SHA1
60475a2d9a4999d0102b362fb1bb27ec7f604f78

SHA256
63339a4cec339e4aafa067131dff3a76159c1c5dc0806c97e38747919fd63f11

SHA512
a8653bd4fcc0803255abed1b298144f1fe177447777877c19d16d4096a0951d1f83d2b104952f1219e3dc352546016ca3ecef4d8fe7d9248670cf4fa12f4b2b1

Download Submit
C:\Windows\SysWOW64\Nfjola32.exe

Filesize
1.4MB

MD5
fff1caf9efa4d1be73bcea0ef9fed904

SHA1
95da5bbdbec4a9645f42e8e9da070ae6c6bf36b1

SHA256
65cdbd4d2a90a9be88e5877bfaf60c97d8caea3d9451323d64150859796e7bc5

SHA512
817a6c18c1a5c33c31f3551e17fd5a1e966de22cbe4113d5d3abce2e1d70cb480e6c829e52b573e570b91f5e20c8cb6febf634a6ba46a6fd97427cac11a132ce

Download Submit
C:\Windows\SysWOW64\Ngjkfd32.exe

Filesize
1.4MB

MD5
b4e26949901c5258473ff617a2323d7a

SHA1
d17032cffe9b0c4c7fd041a0e32035efacdfce89

SHA256
bf29bd4ba9ec5e68f9f7494bd9becce64c69032cc1f3937104fd46ef844cd024

SHA512
c3164666db44f8bdcd864266df8e62ad9c5f2f6618cdd04775388232b4a4c9ec89dae13cec1c64261b37c9319ed06e5bbe4e7df58eb82a4f7fe8c0f36427bf6d

Download Submit
C:\Windows\SysWOW64\Nglhld32.exe

Filesize
1.4MB

MD5
e5ce6154ef57b711dfd1878cfd96c7b0

SHA1
7364809280fd77e9e1a93329e9bff9ccec052411

SHA256
c92f0e4b5e27ae7b194e478c2b3d0ff8cac71becca88cd58c810f44f510487f1

SHA512
b4e771fc3112e7798c1a1e105454f17256b7a39ea68f9482c85b5765de11837470e33692a33677bb2beb249967976ba071c61984462b8c8240f4f27cbf514799

Download Submit
C:\Windows\SysWOW64\Ngndaccj.exe

Filesize
1.4MB

MD5
0223e5e334026caddfe1ccce8fbc9b3c

SHA1
6a872c6f6220b5959b4ea89d6082abbd04723545

SHA256
1db0b67304682f777dd1f85aabbafd831ebeece39d7f0e442f41218bc2a59b1a

SHA512
311a50ab69dbc49f269a47c7052a4d718ae06383d4d0d2227827fe9e365c708307b42bc0194ce915bda06621c6037d201bda8ebb82bbc092f52f60927b52c6d8

Download Submit
C:\Windows\SysWOW64\Njhgbp32.exe

Filesize
1.4MB

MD5
47d42ba770a3a46120ca0dcd55ca532b

SHA1
87f878cc6fcd8972b974ff8468d3dce996a53f97

SHA256
19dc79d25f7238a347c5e771e4512235bdec654a2925b6c0f65424d747644189

SHA512
7d596643fcffd0c34a06476261dec403f66c8b7fc7de164bbf15bd18a9ba8e534d230cf89408a7dbceb33aa2029b694782abf1128cdf3e82233a527a08540562

Download Submit
C:\Windows\SysWOW64\Njjdho32.exe

Filesize
1.4MB

MD5
d531e782f741e648b774bdfae31315d1

SHA1
0a429e644b42b38015fec0aa35cdb5bf63f48df5

SHA256
4a1ed2829dc0121fbfc789823dc01d2eed6199e412431d5f6153aadbb7beb87a

SHA512
7c1a58699675aaa3d5c49ef70673b026624224a724d94192efb9f7e52f032480ca97ae5c5ad73a1470c5e2545f76b0070e1fdbb402dd1dba330d17ee6e4c11fd

Download Submit
C:\Windows\SysWOW64\Njmqnobn.exe

Filesize
1.4MB

MD5
fae712c785751821feda8a74ff6f08f5

SHA1
6695066032e4adace565cd837b5e3225e68df52f

SHA256
a3d1360db87b76ed98db52006555986bbdea1b29d1a1b98aa0fe21af965a3a4b

SHA512
9d20ecd262db089200be3ba7f46b61efb1dcf1d6f3a3e3cd52a6bc6c4b7a9ebcc2b7138407cf2ec1a79e03d077194dfdf836f811a16b5f69f5e6ba2d0e080bd8

Download Submit
C:\Windows\SysWOW64\Nmfcok32.exe

Filesize
1.4MB

MD5
46b88ff7c978e89649fb0adec27b6309

SHA1
0bb5e85e2681be03850bc729b73db6746aa47d83

SHA256
525b6acf79dda7b08ec860d1651e8f9c6c413df4eb6905f453b6727663493392

SHA512
403fe1e0db14074d0197078bca3ca67aed119ec8e3bdf91ee202509fe495e843c130d45aac655b018a977ad4e3937e39df9b12ea1f60631ed6605664eddcfe55

Download Submit
C:\Windows\SysWOW64\Nnafno32.exe

Filesize
1.4MB

MD5
c166f96fbc8ca4845541e58eb40d55d3

SHA1
ee1c4caa9c6b9a16bc4d4615f13bf024c740cab0

SHA256
d6ca483a9c7befa47e2e96850419762a541337b6c8b8bc613af83df0689a21e8

SHA512
4aca4ecc5cf4492136897a84aa840ea3f4a990f7dc272f11e4779af3a1083f62722fe2863e87daa3d4dbcb4e07bf976793c0e14c4f31f0a4c42cd18e9380d99c

Download Submit
C:\Windows\SysWOW64\Nnojho32.exe

Filesize
1.4MB

MD5
8b4eec76c6e5feb7056aa010db4cb3c8

SHA1
54a442e7fc285b0991d0d449e840f50cb6cac5f9

SHA256
eed0fa02ed4c0dc83edc6f7eee8f2e1de1de30b1d8b0377783739f5138eaff01

SHA512
b238dad36bba3fb3708fdc04ff87236d6058d30f658b43fcdbdf2b25cbe0126ada39f58ded4cbaf141e9b381a738022bf73eccc50150074ab90d890c5e935a9d

Download Submit
C:\Windows\SysWOW64\Npepkf32.exe

Filesize
1.4MB

MD5
8d84bd321a6289d8df21ee4d6c14ad1e

SHA1
5c947bfbd024e714caf50df487df33ea55ad479e

SHA256
8d6ffacd5e73f7c8b7f74ddb0dd26ffeda15ff5ce7d2df036e1a7f29e60eed73

SHA512
57c4cf9959f4e3bec2547e8cb077b5a8cadb63e67a390abca5115951543057ba9c1273fa705132aa0b72501fbd9e76f9e3094bdfc037de4a92e71edcfbd7ccb2

Download Submit
C:\Windows\SysWOW64\Nqpcjj32.exe

Filesize
1.4MB

MD5
da12cb1ed0177a5043717d889a3b7467

SHA1
50d79d2e218ee975e09fc22483b511739efd8681

SHA256
46751b2d63bfdaab1f62dd273967e2309a36a757a45f63ccb351a40485a3f513

SHA512
a8d13f864a160566da2839a91146cfe080cf9cb0252b9a1c7137b15c11a4a603a14fe86f8a901db1270ad82c292dadb34b220bed511643f44b38b6e5a8943623

Download Submit
C:\Windows\SysWOW64\Pqknpl32.dll

Filesize
7KB

MD5
4dde2b8d92269f23782644aaab994e61

SHA1
995d5dab2f686b7c4103f976f08888945f79e587

SHA256
eb25928b09e57da58a002284284beb4b3f856d965a5c4caa7d9a4a7cf3f8726f

SHA512
58d998b9a313a6e20b61d6f0e29193c5d46f6c70f8e8112b8eac0d9faafc2e49432e3c34673eaec199c3c9a701a197e66b600385181ac902a6e2e4f1daf1d2bb

Download Submit
memory/116-390-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/224-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/372-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/372-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/892-312-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/908-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/908-145-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1164-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1164-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1460-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1488-360-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1696-146-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-318-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2036-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2044-396-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2064-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2140-426-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-288-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2520-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-306-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2604-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-324-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-408-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3128-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-71-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3252-163-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3256-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3508-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3576-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3592-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3676-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3744-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3872-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3876-227-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3932-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-182-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4112-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-209-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4268-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4268-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4336-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4368-173-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4592-218-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4816-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4840-402-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-123-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4952-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4976-372-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5052-300-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5080-164-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5112-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5124-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5164-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5204-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5244-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5284-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5324-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5364-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5404-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5444-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5484-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5524-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5564-498-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5604-504-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5644-510-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5684-516-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5724-522-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5764-528-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5804-534-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5844-540-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5884-546-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5924-552-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5964-558-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads