berbew | 0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe
Size

320KB
MD5

b88b653885a1c303717f18ef97f722a0
SHA1

a25040feea2421d89508be331ab276362fd0e7ce
SHA256

0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553
SHA512

70731761e8ca848331c6c260c08851e4e712cdbf32faeeaab519bf4fffcb574bae993bf2a2b883993809b49f0d904e996ed6a2bc084f5f64242b1c7bdb7bb22b
SSDEEP

3072:BNJnJ4npIXhHGwAdvKzGYJpD9r8XxrYnQg4sIgQxzjGG1wsKmOH6ipNik0O:bJnLXZ4vgGyZ6YugQdjGG1wsKm06D4

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2876	Miifeq32.exe
3196	Mlhbal32.exe
2456	Ngmgne32.exe
4600	Npfkgjdn.exe
5056	Ncdgcf32.exe
2036	Njnpppkn.exe
4932	Nlmllkja.exe
4324	Neeqea32.exe
2364	Nloiakho.exe
5096	Ngdmod32.exe
5092	Nnneknob.exe
4472	Nggjdc32.exe
3608	Oponmilc.exe
5048	Oflgep32.exe
2752	Odmgcgbi.exe
2224	Oneklm32.exe
3984	Ocbddc32.exe
2100	Onhhamgg.exe
4244	Ocdqjceo.exe
1588	Ofcmfodb.exe
4164	Olmeci32.exe
1788	Ocgmpccl.exe
3456	Pcijeb32.exe
4996	Pjcbbmif.exe
4516	Pqmjog32.exe
2552	Pmdkch32.exe
2188	Pcncpbmd.exe
3888	Pjhlml32.exe
4528	Pdmpje32.exe
4508	Pnfdcjkg.exe
5104	Pgnilpah.exe
1604	Qqfmde32.exe
4776	Qfcfml32.exe
2632	Qmmnjfnl.exe
4536	Qddfkd32.exe
4020	Ajanck32.exe
4680	Aqkgpedc.exe
1628	Acjclpcf.exe
3344	Ajckij32.exe
3760	Aeiofcji.exe
4860	Aclpap32.exe
2028	Aqppkd32.exe
3664	Agjhgngj.exe
2472	Andqdh32.exe
1564	Aabmqd32.exe
1728	Aglemn32.exe
812	Aminee32.exe
4896	Aepefb32.exe
2864	Accfbokl.exe
2272	Bfabnjjp.exe
3696	Bjmnoi32.exe
1600	Bagflcje.exe
1608	Bjokdipf.exe
1580	Bmngqdpj.exe
1004	Bgcknmop.exe
2600	Bmpcfdmg.exe
5076	Beglgani.exe
3900	Bfhhoi32.exe
2316	Bmbplc32.exe
888	Bclhhnca.exe
1852	Bjfaeh32.exe
4500	Bmemac32.exe
1664	Bcoenmao.exe
3560	Cndikf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oflgep32.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4048	1232	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olcjhi32.dll"	0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2876	4000	0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe	82
PID 4000 wrote to memory of 2876	4000	0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe	82
PID 4000 wrote to memory of 2876	4000	0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe	82
PID 2876 wrote to memory of 3196	2876	Miifeq32.exe	83
PID 2876 wrote to memory of 3196	2876	Miifeq32.exe	83
PID 2876 wrote to memory of 3196	2876	Miifeq32.exe	83
PID 3196 wrote to memory of 2456	3196	Mlhbal32.exe	84
PID 3196 wrote to memory of 2456	3196	Mlhbal32.exe	84
PID 3196 wrote to memory of 2456	3196	Mlhbal32.exe	84
PID 2456 wrote to memory of 4600	2456	Ngmgne32.exe	85
PID 2456 wrote to memory of 4600	2456	Ngmgne32.exe	85
PID 2456 wrote to memory of 4600	2456	Ngmgne32.exe	85
PID 4600 wrote to memory of 5056	4600	Npfkgjdn.exe	86
PID 4600 wrote to memory of 5056	4600	Npfkgjdn.exe	86
PID 4600 wrote to memory of 5056	4600	Npfkgjdn.exe	86
PID 5056 wrote to memory of 2036	5056	Ncdgcf32.exe	87
PID 5056 wrote to memory of 2036	5056	Ncdgcf32.exe	87
PID 5056 wrote to memory of 2036	5056	Ncdgcf32.exe	87
PID 2036 wrote to memory of 4932	2036	Njnpppkn.exe	88
PID 2036 wrote to memory of 4932	2036	Njnpppkn.exe	88
PID 2036 wrote to memory of 4932	2036	Njnpppkn.exe	88
PID 4932 wrote to memory of 4324	4932	Nlmllkja.exe	89
PID 4932 wrote to memory of 4324	4932	Nlmllkja.exe	89
PID 4932 wrote to memory of 4324	4932	Nlmllkja.exe	89
PID 4324 wrote to memory of 2364	4324	Neeqea32.exe	90
PID 4324 wrote to memory of 2364	4324	Neeqea32.exe	90
PID 4324 wrote to memory of 2364	4324	Neeqea32.exe	90
PID 2364 wrote to memory of 5096	2364	Nloiakho.exe	91
PID 2364 wrote to memory of 5096	2364	Nloiakho.exe	91
PID 2364 wrote to memory of 5096	2364	Nloiakho.exe	91
PID 5096 wrote to memory of 5092	5096	Ngdmod32.exe	92
PID 5096 wrote to memory of 5092	5096	Ngdmod32.exe	92
PID 5096 wrote to memory of 5092	5096	Ngdmod32.exe	92
PID 5092 wrote to memory of 4472	5092	Nnneknob.exe	93
PID 5092 wrote to memory of 4472	5092	Nnneknob.exe	93
PID 5092 wrote to memory of 4472	5092	Nnneknob.exe	93
PID 4472 wrote to memory of 3608	4472	Nggjdc32.exe	94
PID 4472 wrote to memory of 3608	4472	Nggjdc32.exe	94
PID 4472 wrote to memory of 3608	4472	Nggjdc32.exe	94
PID 3608 wrote to memory of 5048	3608	Oponmilc.exe	95
PID 3608 wrote to memory of 5048	3608	Oponmilc.exe	95
PID 3608 wrote to memory of 5048	3608	Oponmilc.exe	95
PID 5048 wrote to memory of 2752	5048	Oflgep32.exe	96
PID 5048 wrote to memory of 2752	5048	Oflgep32.exe	96
PID 5048 wrote to memory of 2752	5048	Oflgep32.exe	96
PID 2752 wrote to memory of 2224	2752	Odmgcgbi.exe	97
PID 2752 wrote to memory of 2224	2752	Odmgcgbi.exe	97
PID 2752 wrote to memory of 2224	2752	Odmgcgbi.exe	97
PID 2224 wrote to memory of 3984	2224	Oneklm32.exe	98
PID 2224 wrote to memory of 3984	2224	Oneklm32.exe	98
PID 2224 wrote to memory of 3984	2224	Oneklm32.exe	98
PID 3984 wrote to memory of 2100	3984	Ocbddc32.exe	99
PID 3984 wrote to memory of 2100	3984	Ocbddc32.exe	99
PID 3984 wrote to memory of 2100	3984	Ocbddc32.exe	99
PID 2100 wrote to memory of 4244	2100	Onhhamgg.exe	100
PID 2100 wrote to memory of 4244	2100	Onhhamgg.exe	100
PID 2100 wrote to memory of 4244	2100	Onhhamgg.exe	100
PID 4244 wrote to memory of 1588	4244	Ocdqjceo.exe	101
PID 4244 wrote to memory of 1588	4244	Ocdqjceo.exe	101
PID 4244 wrote to memory of 1588	4244	Ocdqjceo.exe	101
PID 1588 wrote to memory of 4164	1588	Ofcmfodb.exe	102
PID 1588 wrote to memory of 4164	1588	Ofcmfodb.exe	102
PID 1588 wrote to memory of 4164	1588	Ofcmfodb.exe	102
PID 4164 wrote to memory of 1788	4164	Olmeci32.exe	103

C:\Users\Admin\AppData\Local\Temp\0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe
"C:\Users\Admin\AppData\Local\Temp\0b4660b7898e77dd20bdf2071e0d107aa928ab89fb323dab2f5ba92c1d089553N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Miifeq32.exe
  C:\Windows\system32\Miifeq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Mlhbal32.exe
    C:\Windows\system32\Mlhbal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\Ngmgne32.exe
      C:\Windows\system32\Ngmgne32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2864
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 408
        96⤵
        Program crash
        
        PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1232 -ip 1232
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajanck32.exe

Filesize
192KB

MD5
fa283ebe89c7c6c2bef18ae3bb09b1e8

SHA1
555907a52a58dc18ba24334ac8da8f038ea97d6d

SHA256
370e9da4aed8cfbaa6e24ebf5f4e517be7fed8c2775bfe258d670074406da984

SHA512
39e3cedead7b8d192c10b43e9dda7b93b9351c437fd20d64352016a3e0c05c964f5e327730ef0ccba52afed2d29f77012a69b6db4645e5ffb583a9c020dd0592

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
320KB

MD5
b11b00c072efc757de84eb909afd8e4e

SHA1
2c59981aa287a9ccc34b894429bafd589bc39123

SHA256
ceb4d0d0bd91ea6c15e34e50132869aba8d3e92201de270a6f662bdea82365b9

SHA512
11c365c3c19076931edf9ab038f1fbad443d0144a40d66030a5336bd1b6ef761bcef123db94a702c44af1a623521902f3aa5cd3dd5ee7fcb69f833bc35cda8ab

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
33d47828842ca0e5a25643a63bab0565

SHA1
b5ce474f048d81c1328e4a54c3bcd7b2b1149981

SHA256
f88a74dd836ee37a5efefc422509935ca13cac3f71faf3a862fc625c4f8e4ece

SHA512
20748f167b065905a56b6e91a5d74ac6156e5595662463b11008ad1be05b582f1173e9efb49646aaa3ab3458d629bb681d12c91908b2a03eed72e61e81eb53b9

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
128KB

MD5
f8a104f85e389ee855b54a6753e9f64d

SHA1
b1b05ae320b6136699c0d8e40eeb8a8bedce0130

SHA256
b497f47f8d2526e54b1d71607c4eb1cc4b01a912455948552fa250ba3b430b42

SHA512
697bffda589234614e6886eb02fe935baa6ccf60cb0c988370a2ff2ddf1e327a66e623eec183d94311da9e860206757c5519cc0836ea97b146c68f88be4abdb1

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
320KB

MD5
81b86f176ad77be70ccf66153e2401ae

SHA1
4e59f0ea97769061f71af0605057c5ba124ddd1e

SHA256
0413378837f58b5421fcb43e4dd0abbf0247a301957dbf1289cef5fc1ddfcea3

SHA512
9a5ec388745877cee9259f2b2617974c39f88289d4b87bb126186c18bf70707d521ffef8e6b5ccb737cb9cf32b53264f8739fd8ebe735da4bdce932d2b313f36

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
320KB

MD5
92df1af54fc7ef332128ab29db331fa3

SHA1
ef7ef59e176d26a2ec88c9afcd58ee2525e39487

SHA256
51a1589f46ee92e2f1e1f486ed1918f3421c8e2767d46d325c3bb9e33f75d283

SHA512
7b2fb8d2819285774d0748bd98113b33b32fa41cc505d1153faff16afea986276c5a91f8ee2ac87d35e2393c1fc737c4c1ccc513b398ba478fcc1d56d3458227

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
320KB

MD5
816db9cd5cca06755cad06d8808fd755

SHA1
8975d07844cf60b3b6620691e4ae278da1c06e87

SHA256
5c5290e64981ba0759df2adf689badcdf3e52e116117b66807fa8ceb9c3dbe4e

SHA512
29bf1b6a3705636ec9f84ce737f010613b16359908639b69f8d26af0c2eeaa65e25d31c14b73189eceb10eb8f895f786cb939abb1627f18095b66a4545184265

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
320KB

MD5
e0a48168e57cb24e5855cd93182eeb06

SHA1
cdc69b0855087bdf5dd9bdb16fd9850ffa5ac5f6

SHA256
d3453991d46b8af4ab8896e887ec79591046270a33fee977efb450e8b0a6697d

SHA512
261588b162ab3fa42893bd1243c6914289e1146b2a9cfd0213ae031cc52ef8c3eb1bac8130386ce5f5e246e8090984af0910277852eae6849e335f7c64dc8996

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
320KB

MD5
0d64719a4885d8b46399f9c938037e97

SHA1
ff25a6b29372a35e4b809abd48929750c6aca928

SHA256
57725c1bac3b87a6dbc5b59cc938025f3c075c8703a3623cf2c1fcb45e26ff3a

SHA512
2200b70fdb6fc0d3800d49a2e341f94c934eb9f1dfd546b51fe04728e5f576dbf52beb7201ed1f94c676b576604546f7508a7bfbfb7f545d2f2a5bcf26d2ea48

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
320KB

MD5
e237c9b78c0975ff526304192c074c9e

SHA1
360cf91d2d94c57aecae7a01e41f5d9765497d7c

SHA256
003d51667c53bd4b840578afecaa70a46ff11830b341746e00aefdab1ac33bd3

SHA512
12a144bab294661a8adf935711421d82f8c2cc553a32142e2cf62ccb9796814e37d6a93e96efaa881d8ee48ecd0496edd127bd7308e21bf9502a663ac37fb68d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
320KB

MD5
4553278cac38ad386bfb77b50a92c068

SHA1
821f6507ab1db215a40c04ea3b05b521ab43541c

SHA256
3aec1fa1919584083d751b06a7d8f5174ca1131888a083b28c3138e6ce865f22

SHA512
a07487cfb6a189ea3d82d97e059b7e13b174963354e5748e2c0cfddf62de8471f8a553e1ac1c3d092ed01a98cfd501389f10e1dcb188297d6b9d874315ab064a

Download Submit
C:\Windows\SysWOW64\Dapgdeib.dll

Filesize
7KB

MD5
b4af628f050fde2ec6f1f97e4d3db862

SHA1
823b61aa159fa8b3b57b48dd002df7661de30f73

SHA256
057bb9a6abc675581951e414a611b21861e8068958272c91eef8f4dccc5a6d93

SHA512
8a3257847aebc59e32f88c2daa56485ad04836c9ca6da9b6088727f0797380f3ea3a4ce5f281cdc18a6ea3b156f17dd3e501a926bf2b6f00b1f7b4e50db6b120

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
320KB

MD5
4da44e863896f551d39ece2f990099d4

SHA1
72dedcf90211501704e0690f8cee74ce01ae489a

SHA256
6d2a8b5027ba3f9042b09a1c3e426034acd130d67bfd4e831ab951cde4c63619

SHA512
f731737ba71600ae249926c554f054c76daabd3570a2125811d932327595f4ddf74b2cdc8fc82d5099035fd900ff91e98aeb73d586607e3e69285b8b5b6ac29b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
320KB

MD5
10fe33c8985597c268f4fe4f3be7753c

SHA1
e3518fa8c2f7263b915fe66753034c47e80997f5

SHA256
2797dd2a356e0da8b5a9adf954929a0655f47676f282dd077688d9c519105594

SHA512
a8fea274abf2cfff2f9bad83cf4e81ea505b64ffdb38509df2aa691170c4e13d33d4ec4fefc160351fd3015ffbfd338f3898f31c4745829a63c7de3925cc6340

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
320KB

MD5
30bdaec9270ad9e84189ed432392270c

SHA1
7bee1c4503b4d94a364b35d8166f37a63ddcbf51

SHA256
2593069a7ece9a73a8ce4f70b277a3e96cace3965d6685d86a1064abf4c9ea00

SHA512
af8f1841dafddebafb765436b9c62a2283ef176816973ee2fb58b139c659ec1186f1c00fee63bf6d74e76f87fdbb0557804c2971ac98e17f5a55c7a2ec404ddd

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
320KB

MD5
4ee740db777748c368d95b00ee6fb28e

SHA1
589354d859c9620801d48ffed3ce67f01d38e236

SHA256
91af9250e8f8d0abc2a4617ab765c6901c7ac34cb70565ecfb583ab26f107c76

SHA512
5e24e1f90a13e9c0b168569ccc46adc9f3f88717a33fd033512a2529b642bf4a8dc345f4c9ca1af09e0294a40d93d7c3984d91d3c7679755c4876a47004d38a6

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
320KB

MD5
66f5228ecf667735289901932ee3d460

SHA1
1486936bb64e60e6bf648f4702d1202e46cf0132

SHA256
ff312fb67f039d7a0eb1bc43840ccc99e961825d1a338f1ca946db566cde0731

SHA512
d7b77da40dc8b3eec291b67a48e8ca875bf73286dc56b644e79723946a58b0caac323acb8ae7a6d338df961dddea579649a4daa64426e22f7e436479aff81804

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
320KB

MD5
90b94571b6931c618c517f2564053b24

SHA1
32f214722c2afd07f7ca46f0a70f19f4c6ee73d3

SHA256
625bd625a80c6dab1321c671792da97d74816eec24ac72210d00a45111307f96

SHA512
f0c11ee4b1f5780a0bca1dd013d0f9b77b166bd3ac71f16e103d46fd50e7c1988c8ba4e94976c0da10ec3633932194e24e0507edbbae01bdc2fba5420ae439c2

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
320KB

MD5
336822a2364fe8dce3e41814e0246cf2

SHA1
b25a072f0be62d7a2b0b32385d5a74070a45a4c3

SHA256
f4867bfb3cd3890364127b327c625536a59681a99f406c5bbddb29a48ace6ba3

SHA512
a603854a6cfd6497abcb2cdac1890b65ebbba62c9e2ed16f28f3c555e8ff431b56d3a1a1f6d42dc0c2883b9345c7317034fc91b0b789cb6aabb7d79ab21d79a9

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
320KB

MD5
3ef1d3c60a5ba488dc3efa9df1e7fe43

SHA1
08b6dd3ba6d728ec8a33c914c8b23e30b24eebae

SHA256
1ae735e7e88d50c0ce5bc069482fc678d4352354e062d7529a87134b32a52ee4

SHA512
54c999c552ddc6964a979d3cb8f367555a4d7bdb23500202cf2d87212ae20b4c14157cd8a8271e0a354489f4cf1c9c62e77a799f18e655df84a19ad8df6ccb70

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
320KB

MD5
ecfd994e67af1ba4606713c6f20fd449

SHA1
ce6b47651fdd7f89e11901295c38f0fb4f9ed370

SHA256
bda226477ba1008cca7bf90061ae7971689e190a7f6e464a2e35f6d41a1c66ef

SHA512
c1cc3bbdfe489c7985de93b26f11ba511d6920ccc7c26671f7e94a5995a028cbdebd5c0a70b365515c8955c47cd7340e4713b88556a8ff62f16ebc731cce1a35

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
320KB

MD5
6616b90d1b8b69b43030f11a3c337006

SHA1
18f78d9465033f63174b7e8a1329ef2c93b57b00

SHA256
caf92419026c92fb60b8181c5f2679c66a36e3923099e4a86726b90d5c2529aa

SHA512
8e0555cf7f7f1c84d7013c56a8e88a52b60595200d7c137ea5ccce9c9bbe31b3a8e7c6500bfc3f196ebbc251952af6ecd04a86b1eb0b21baad166130f12720d1

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
320KB

MD5
efd926a8d68b563d06d6512cbc49fab6

SHA1
95ea66c847c1363cd5c24938d7cc233c2d22ef98

SHA256
e63557edbb38aed6ee33f2c846d1aef9751c170d324733616dde7dcbf34517f6

SHA512
f8e13b4f5ab6b8dcafe8d8e67db392d93a7af68014d637e8040dbbc63d41ee1733344333b7e278aaf83b2aec4aba6995ff06139006b107ecd933bab1159ee054

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
320KB

MD5
025c8b0e4d13e6285d450eb1dc5f8bcd

SHA1
fd3a027c1d5049ef9e613303cb21d58ae656d840

SHA256
a16d0f89a27792c118996fb68e8a736a854614140ca165e0212ce3a87bfc9401

SHA512
66429e2677fb720636f6585da82988fe28c58fd0611291b056d276dcd83c0f1047904f46705d35836085d782d47f94cdde2bd5fa9d573626a02092aa7aab9014

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
320KB

MD5
42387f6563b6fa14e4d2799f8007e8c4

SHA1
638d8461f8e94654cc26e3c81b702661b0967356

SHA256
c56624d17168084294f001605e75156117e66e810d6c28e2de59ed12e94189be

SHA512
263ebf838876e7ad654307b3f018c4cc74518255d72b9e83d7f4a2cc61fcdcb75d9c4a992037f0ecc82f3e27250a87e8ba36e5c3acb49acffd5c153563179a63

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
320KB

MD5
fed24be894ffdd8e2cdba67927124ed1

SHA1
429d8cedc5764936890d2d067ce4cb504acf9424

SHA256
817e041ffa5f16b8026c37de136438d8e5a636dbe50ea8e7b8a04611f2d1ce53

SHA512
d5d418886dc4b20e0772942da9e46446e9ac84e47f07667bbd24d8a0ee206c9ebbc9f7ed131f70b661badbe11f825ee87cfa30d5c6d60dcbf7884bf3139853f4

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
320KB

MD5
6ddba20cd52819af0dfb286c0cde5388

SHA1
6cc2eb3538e2561be5577bca7eb1bd83e7bccd9a

SHA256
b6662b6e52383c7e4ce73737b5550137729d156a860b701f448083a05a7f0175

SHA512
17ae02bd5571de8875a78017ba2549229157cdc8a81f510acbe36b9f218bbeb77998b9688ec8c2c8c5ef9d8588ea376872b680250cec1f8c31261e6d2098cc36

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
320KB

MD5
66fefe401c8d95a7ba1a6250688eda4e

SHA1
1f78d1db96d74e338075120d2f4f2bb810665d61

SHA256
396f3cda4c6079516b87d581002b3add6bc2b68782aad3fed3782c2db793a46b

SHA512
b94de823ea7f2b2a52d02157e11cced75ff9c4bf03d3f324c5e7f1d9410018ce6efc5e8e2c8277086981efef26bdff1147a95cf48ca82674f1f04885598baed3

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
320KB

MD5
0d2c72dd85b8899e1d3c1799597f2bb1

SHA1
7e114c045b4f8e8d008920f2e28084fdb97a3a28

SHA256
8b641d5d077e256c988823c7fdf3dc240d4796aeda324acf3c33ba961a35540f

SHA512
2b6afb058fb5e3b7a1b0e49929ee4a512533d5a7123f6f67acd70c13bae43f38bcc2581f03b4a5eb45d598ce2d1790b4fed28f0e663017ac4957f7da28d9e7bc

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
320KB

MD5
7c11d36b3e78842fa1ecaee51b50d37a

SHA1
f824e605aa7c6a5dd5679c7394a01c924499c0d9

SHA256
a5988cc0b46f32a1d8b74b37541c4f5d02dec83856c5386bd67c9c1c24727d6d

SHA512
6b081ab410721764b0c276f8dce47df352364a1d84e400483382867b3a4eaf391546d648d9c106d96f9caefe13186cc7175a08f01593dcb4e0d98de810cda42c

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
320KB

MD5
49714c13a8f51cf18624a9b6f4f9eed6

SHA1
d17fae65b992a72c1c992c73a24bfa84044b3170

SHA256
23e0392e73aca944f2eb56912ed793b0268c91726d4fd14241efa23b8bebf37d

SHA512
e2abd48938eaeacbe63ce414f7ae7be49030aec6508f3c29b8cdbbdfa31fc86aeaf4c7cde254f3d4ab4bb86f1626c0fa74ec71b8c398fa71337243e805ee76bf

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
320KB

MD5
15f5905b087e48e2b4116ff445e666c3

SHA1
c54521005ac6decffd93dae8f099435163eef8a2

SHA256
15c4d4313a2391b9196b6426aa72e4469b3a7b6a0a18a4fd0acdeb58565d4738

SHA512
1d64135aa12435f9e641a1771ed41426e417aac25f1d384ebf5299cdbb6cd9b2833af36fd705c024fcc57eae1546e9b3411066e123353723102473ffcb86160a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
320KB

MD5
9aa98e635d92b54f7b39c41953db572a

SHA1
29979bb54546a6039178fa317a20bbbdf2d4bcef

SHA256
caaa13354ce0acec85d4194a29eb313cb1ca9e54372e46c9c109bfe7c70669ee

SHA512
5d0f5171ce120172d2bf09a7a81234564179addc5452a0a8417ca8afbce1dae387108e024e512ab2d463017c62c2c90b299b0028693c45287d9f30d63877b019

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
320KB

MD5
b1c55b1717f9fb0ca55ff8ff2f11774a

SHA1
1f942bc77fadfbbaa0b4d577ce31540af1182bf3

SHA256
ff7a99102a6a06e1e14dd51931a05eff4dacd19920febc30b6da76bb9284f2bd

SHA512
97637d9fd45aef54b552a398069fb5282af2d36e6f657d2887e28e178831362fdba069fdb1fa5aa14368ce5616f50c63a79e99d99ef261e48a01a4fd6b30159d

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
320KB

MD5
076fce814eb4fa926d8f3efd9c4eaa0c

SHA1
06465a6f1164ee9e1a04ee316e0c88cfb02603f2

SHA256
451e9d6c9a108920b8700bd4bc985630022a101e88eff9987cde2b4d41690032

SHA512
37a87736597df75850910746d7767d3217f3f19055c6b803b525fbf5707d8403f7e278a6a391d8521604a14ae82bd7b642f9de53eb9821604f5e82b630225339

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
320KB

MD5
188b65d1935961ff6151c0ca419349b1

SHA1
4a2831b154aa10617a51df9f90e5459864da31a5

SHA256
1a98c6254542ed60db635d8d575ec4ee51616c4e9a8ec16596d79ccf179a8521

SHA512
e79c1267b6714a6b6a2ed11bd6d43625dba64ecc5edc9ef89bcfc52864cc3c11c9cd79b6c79ac97604762f0423b06faa39f493d0406ec4e402a468bfc66aafec

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
320KB

MD5
bea185d976bc8be9cd23b18a8ffae8c9

SHA1
c3819ec49b01c904d37c8c482c66702076bb6557

SHA256
cb8f00ceddaf60325ddf3a92aaed54025ac95e22153016c12a346a4145d34eb6

SHA512
73e9b6954eee8b996a27cad506e54480452453de767bb5c4008a900c4dd6375064ab86d13bf01258b28b3a1ac5b530ef0aaa8d967cae2a00100a3dc4ef4f4a19

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
320KB

MD5
47f7f816d505e0182ded4eb613b6ba02

SHA1
181f806ffe1326cc8c5a32f23f47ba0d1cf768ca

SHA256
0db573476180f6bf0b52dbc514f2a646a532eeb3822f23ec8fa579a44b02c482

SHA512
a72f2b219b3aea611527c3331986372e48de86b3922af3f541de2a18b4efc425bb655427b2c0bd50be8e4cf8e48e47fe4fd959b83d25bea80219864a6bbc0707

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
320KB

MD5
703bcdc6a476e92bb85e1c59643130c6

SHA1
f5e17784ca1769962126e0cea3aa62a9fd9f61e6

SHA256
1d113633664551dd2c9e7bbd77b2207c8e04a8bd15cdbad98d9f77f77d191997

SHA512
2d24bc883077a73df6fc9889f59fdf56519c8e508b9a424b2db6a696f06ee6eba5adc4c7362f12eb8b34dc1ab99486b076c7f38fded6628f4d7d7ccfa21c6903

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
320KB

MD5
b19b2d6d50ebe5b74b6ad871626a32af

SHA1
b0e4e5f674a9435d8d12205d031ac39975d95dca

SHA256
7b2b038af5e39dbc12048d63ff21542e7b604e3595461ace4621b59014ca04fb

SHA512
02ead0c6db846c1281f301888a0fa838e0deb0e8b2365ecbec10095359c1624f9ff22da02b060a6e83c3da6f3eb2d917b9d4d8daeed9489ecc98c0490fa586af

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
320KB

MD5
430d53fbe432f91b261cbc3ed7e3e01c

SHA1
45edd040f19b127eaf17571501e7021a28a5539f

SHA256
5b02854f9a353de2953481411ed2aef30fefe7bfdb3efd7049774b623d70c674

SHA512
597ff9ed5ef7421578162606ebb660ae6614334efcd88ddac5bb61234c07fed096df656adc4289e344f7423b36661078d07a1626c8a500c07babf54d33b64cd7

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
320KB

MD5
a5cd7bdb698ff4ed3e2994402586c384

SHA1
39199d35b579b0e683236ca3bee785ccfdb8b167

SHA256
f7a85fcc2b7b665b195c154e9aabb8eb223804460557f10d0475e735a678ba1f

SHA512
ccb3c01b4d487b11770b9cd2085347f448109ebf178618ed16ec21638b8571b96db9641dbed38f02ff34fa147110a10f0c5dd39a892917c649394bbf230ca472

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
320KB

MD5
37a9761ddc2eafb0d243489a039ccdbf

SHA1
de68a933dbb16331138ef83ae4a31ada3c7ed018

SHA256
5b57ba4bbd76573bdd136d2d2974031fafafc301956a26b7ac7382446d4fa538

SHA512
f1d9a26ad7c949eac2bce22303eb38c2ffd426cfaf45151177b2dd5424ac7912ea3d16a150692efa8be450a3d090736cdcaf578961717b6ae8ca00732f7e9de8

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
320KB

MD5
c7bf300c7034c2276cfacb7417e23027

SHA1
7c1e04606066e44c27005e028d1717ac92dd28e3

SHA256
d728aaf36c2cd7975053ad7151765ff180a3d816d1a7e7750e507243cf0a460e

SHA512
d81f6f3efc71148dbdde9548783c9a8bdcae9ad2f22aff658969a0cbabcece0cd70f031f22c8e0394af5b72ae0ace38eb53a1ab953909f02a4f92ba51b19aa52

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
128KB

MD5
38a0769d1f619e194bda5f88b191fd12

SHA1
2c717434da2e77555b7cfafdca9016b442829856

SHA256
3e39a0fcb96dc865729142f17112970934ed728de4732492384937a69cf67e71

SHA512
77657a7d2f34cd71d965a2d5d6beb3f650c631dc63155abb8f60395b233ed1a3b3f7abbc1ec3595d6bef4a76f4110ef541f82457d9906893d54a74fa01ccd2e4

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
320KB

MD5
cd6a24ab157577a22d6242a7b6f011c3

SHA1
3a207d18e9a1de3533fac165ebf93059a004aa84

SHA256
73dd5227c149debba8547e73af53d3e61006134351d190b5b7d6f746ff98611e

SHA512
f1cad3a57e2dd079b2e47910503e55ccae7e84cd884ea6511839bdf422c87f1198fb9aa6fdbdbfc4d6739a7f3dc4f3d2ed560c5cc24e309a92adf84627ebdeef

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
320KB

MD5
f6b628c6a9550afa4e2a12cb5f48e7b1

SHA1
69b43cc943a8d69570092acd049c3a0a41a67c13

SHA256
367913ab4f90b76c95e72569961b0036612be485bc62ae025b24ec22cd94dff0

SHA512
40584300b4b7198f357547988bb69c0efc62427d5097a09bd2dfe5053059ca3f8412fade131d61e72480a3340be03babd8089c2807819fde6968cdcfba2bd4ba

Download Submit
memory/740-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/784-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/888-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-656-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1564-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1604-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1608-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1852-706-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-655-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3324-654-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-649-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3344-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-741-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3832-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3900-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3984-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4004-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4588-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4664-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads