berbew | 0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34e

Analysis

max time kernel
106s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 21:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
Size

352KB
MD5

e1e565d7631aba0ab7b543b4e8686560
SHA1

2116acee81a1cda634216c9aa3efb8d4d537032c
SHA256

0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34e
SHA512

a8d33df6816e66a8f51b04efb7935f21f1571ac9f35440733581edd4bab570a8198861ead586b4e2eac4b6470ce308c62c0e12c7ffe79d2ccb4bda1889b08dd1
SSDEEP

6144:p9kLpr1ItvLUErOU7amYBAYpd0ucyEWJrj1mKZHPSv/rpwMBhpNFdFf52SCaH:pYrCZYE6YYBHpd0uD319ZvSntnhp3520

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdcpkll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmgelf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apaadpng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckebcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opeiadfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfiplog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfdjinjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmpolgoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dojqjdbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qpeahb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfkpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cponen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojdgnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmdnadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aogbfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Conanfli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplobcpp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojfcdnjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhbebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdojjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Conanfli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paiogf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjfmkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocaebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhhpop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2892	Nadleilm.exe
3884	Nnhmnn32.exe
3200	Nceefd32.exe
464	Ojomcopk.exe
916	Ocgbld32.exe
5028	Onmfimga.exe
5008	Opnbae32.exe
2992	Ogekbb32.exe
3136	Ojdgnn32.exe
1048	Ombcji32.exe
2772	Oanokhdb.exe
1020	Opqofe32.exe
4320	Oclkgccf.exe
4796	Oghghb32.exe
4956	Ojfcdnjc.exe
1688	Onapdl32.exe
4504	Omdppiif.exe
3108	Opclldhj.exe
212	Ocohmc32.exe
4296	Ogjdmbil.exe
3660	Ofmdio32.exe
2068	Ondljl32.exe
996	Oabhfg32.exe
1344	Opeiadfg.exe
2232	Ocaebc32.exe
3824	Ohlqcagj.exe
3992	Pjkmomfn.exe
2692	Pnfiplog.exe
2236	Pmiikh32.exe
1840	Paeelgnj.exe
4528	Ppgegd32.exe
4912	Phonha32.exe
3508	Pfandnla.exe
2884	Pjmjdm32.exe
4292	Pnifekmd.exe
2316	Pagbaglh.exe
4480	Ppjbmc32.exe
764	Pdenmbkk.exe
4848	Pfdjinjo.exe
2996	Pjpfjl32.exe
4384	Pmnbfhal.exe
3548	Paiogf32.exe
452	Pplobcpp.exe
1884	Phcgcqab.exe
64	Pffgom32.exe
2172	Pjbcplpe.exe
4976	Pmpolgoi.exe
2260	Palklf32.exe
3412	Pdjgha32.exe
1804	Phfcipoo.exe
1872	Pfiddm32.exe
4628	Pnplfj32.exe
1700	Pmblagmf.exe
1348	Panhbfep.exe
2624	Pdmdnadc.exe
1284	Qhhpop32.exe
2968	Qjfmkk32.exe
4572	Qobhkjdi.exe
3788	Qaqegecm.exe
3116	Qpcecb32.exe
1208	Qdoacabq.exe
5084	Qfmmplad.exe
2252	Qodeajbg.exe
3880	Qmgelf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pnpkdp32.dll	Ocaebc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjkmomfn.exe	Ohlqcagj.exe
File created	C:\Windows\SysWOW64\Fidhnlin.dll	Pjmjdm32.exe
File created	C:\Windows\SysWOW64\Oabhfg32.exe	Ondljl32.exe
File created	C:\Windows\SysWOW64\Pfdjinjo.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Bpfkpp32.exe	Bmhocd32.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cklhcfle.exe
File created	C:\Windows\SysWOW64\Dgihjf32.dll	Dpkmal32.exe
File created	C:\Windows\SysWOW64\Qgaeof32.dll	Aknbkjfh.exe
File created	C:\Windows\SysWOW64\Opcefi32.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Ocaebc32.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Hiebgmkm.dll	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Biafno32.dll	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	Opnbae32.exe
File created	C:\Windows\SysWOW64\Lpmkebjc.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Ggpenegb.dll	Pfdjinjo.exe
File opened for modification	C:\Windows\SysWOW64\Pdenmbkk.exe	Ppjbmc32.exe
File created	C:\Windows\SysWOW64\Aokkahlo.exe	Agdcpkll.exe
File created	C:\Windows\SysWOW64\Nadleilm.exe	0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
File created	C:\Windows\SysWOW64\Jnfpnk32.dll	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Bdlgcp32.dll	Ohlqcagj.exe
File opened for modification	C:\Windows\SysWOW64\Paeelgnj.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Dbmdml32.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Aagkhd32.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Bhmbqm32.exe
File opened for modification	C:\Windows\SysWOW64\Ohlqcagj.exe	Ocaebc32.exe
File created	C:\Windows\SysWOW64\Nmocfo32.dll	Qhhpop32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmdnadc.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Opqofe32.exe	Oanokhdb.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Apaadpng.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Qdoacabq.exe
File opened for modification	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Pdjgha32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Pjehnm32.dll	Phcgcqab.exe
File created	C:\Windows\SysWOW64\Aaldccip.exe	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Onmfimga.exe	Ocgbld32.exe
File created	C:\Windows\SysWOW64\Gdmpga32.dll	Omdppiif.exe
File created	C:\Windows\SysWOW64\Okddnh32.dll	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Ifaohg32.dll	Apaadpng.exe
File created	C:\Windows\SysWOW64\Aepjgm32.dll	Nceefd32.exe
File created	C:\Windows\SysWOW64\Dgeaknci.dll	Amnlme32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bdojjo32.exe
File created	C:\Windows\SysWOW64\Oclkgccf.exe	Opqofe32.exe
File opened for modification	C:\Windows\SysWOW64\Qmgelf32.exe	Qodeajbg.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bogkmgba.exe
File created	C:\Windows\SysWOW64\Bghgmioe.dll	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Ombcji32.exe	Ojdgnn32.exe
File created	C:\Windows\SysWOW64\Caageq32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Pjmjdm32.exe	Pfandnla.exe
File opened for modification	C:\Windows\SysWOW64\Omdppiif.exe	Onapdl32.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Pnfiplog.exe
File created	C:\Windows\SysWOW64\Nnhmnn32.exe	Nadleilm.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Opclldhj.exe
File created	C:\Windows\SysWOW64\Ondljl32.exe	Ofmdio32.exe
File created	C:\Windows\SysWOW64\Cedckdaj.dll	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Qpeahb32.exe	Qmgelf32.exe
File created	C:\Windows\SysWOW64\Qedegh32.dll	Onapdl32.exe
File created	C:\Windows\SysWOW64\Aijjhbli.dll	Cgifbhid.exe
File created	C:\Windows\SysWOW64\Ojfcdnjc.exe	Oghghb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocaebc32.exe	Opeiadfg.exe
File created	C:\Windows\SysWOW64\Ijikdfig.dll	Agdcpkll.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4104	5988	WerFault.exe	232

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclkgccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfiplog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmdnadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boenhgdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmfimga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdagpnbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmmplad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohlqcagj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahmjjoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dojqjdbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhmnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adhdjpjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baannc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oanokhdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cponen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opclldhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdjgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dafppp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdjinjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphnnafb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdcpkll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phonha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boihcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caojpaij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjkmomfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bogkmgba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkobkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdojjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocjiehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaenbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocaebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pagbaglh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppjbmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pffgom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodeajbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombcji32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfmcjlk.dll"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfdjinjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll"	Phonha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plikcm32.dll"	Baannc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampillfk.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbgla32.dll"	Aaenbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgbld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjkmomfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qdoacabq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giidol32.dll"	Ppjbmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjceejee.dll"	Paiogf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll"	Pffgom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	Caageq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgeag32.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichqihli.dll"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll"	Ocgbld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll"	Oghghb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opeiadfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojdgnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jponoqjl.dll"	Pagbaglh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aphnnafb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll"	Ojomcopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdojjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boihcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmkebjc.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ppjbmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apmhiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfpph32.dll"	Bhkfkmmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhmnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocohmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohlqcagj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epopbo32.dll"	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgelgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll"	Pdjgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okddnh32.dll"	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll"	Qpeahb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhocd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cklhcfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll"	Palklf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keiifian.dll"	Qjfmkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Boihcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmjdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2892	1808	0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe	84
PID 1808 wrote to memory of 2892	1808	0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe	84
PID 1808 wrote to memory of 2892	1808	0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe	84
PID 2892 wrote to memory of 3884	2892	Nadleilm.exe	85
PID 2892 wrote to memory of 3884	2892	Nadleilm.exe	85
PID 2892 wrote to memory of 3884	2892	Nadleilm.exe	85
PID 3884 wrote to memory of 3200	3884	Nnhmnn32.exe	86
PID 3884 wrote to memory of 3200	3884	Nnhmnn32.exe	86
PID 3884 wrote to memory of 3200	3884	Nnhmnn32.exe	86
PID 3200 wrote to memory of 464	3200	Nceefd32.exe	87
PID 3200 wrote to memory of 464	3200	Nceefd32.exe	87
PID 3200 wrote to memory of 464	3200	Nceefd32.exe	87
PID 464 wrote to memory of 916	464	Ojomcopk.exe	88
PID 464 wrote to memory of 916	464	Ojomcopk.exe	88
PID 464 wrote to memory of 916	464	Ojomcopk.exe	88
PID 916 wrote to memory of 5028	916	Ocgbld32.exe	89
PID 916 wrote to memory of 5028	916	Ocgbld32.exe	89
PID 916 wrote to memory of 5028	916	Ocgbld32.exe	89
PID 5028 wrote to memory of 5008	5028	Onmfimga.exe	91
PID 5028 wrote to memory of 5008	5028	Onmfimga.exe	91
PID 5028 wrote to memory of 5008	5028	Onmfimga.exe	91
PID 5008 wrote to memory of 2992	5008	Opnbae32.exe	92
PID 5008 wrote to memory of 2992	5008	Opnbae32.exe	92
PID 5008 wrote to memory of 2992	5008	Opnbae32.exe	92
PID 2992 wrote to memory of 3136	2992	Ogekbb32.exe	93
PID 2992 wrote to memory of 3136	2992	Ogekbb32.exe	93
PID 2992 wrote to memory of 3136	2992	Ogekbb32.exe	93
PID 3136 wrote to memory of 1048	3136	Ojdgnn32.exe	94
PID 3136 wrote to memory of 1048	3136	Ojdgnn32.exe	94
PID 3136 wrote to memory of 1048	3136	Ojdgnn32.exe	94
PID 1048 wrote to memory of 2772	1048	Ombcji32.exe	95
PID 1048 wrote to memory of 2772	1048	Ombcji32.exe	95
PID 1048 wrote to memory of 2772	1048	Ombcji32.exe	95
PID 2772 wrote to memory of 1020	2772	Oanokhdb.exe	96
PID 2772 wrote to memory of 1020	2772	Oanokhdb.exe	96
PID 2772 wrote to memory of 1020	2772	Oanokhdb.exe	96
PID 1020 wrote to memory of 4320	1020	Opqofe32.exe	97
PID 1020 wrote to memory of 4320	1020	Opqofe32.exe	97
PID 1020 wrote to memory of 4320	1020	Opqofe32.exe	97
PID 4320 wrote to memory of 4796	4320	Oclkgccf.exe	98
PID 4320 wrote to memory of 4796	4320	Oclkgccf.exe	98
PID 4320 wrote to memory of 4796	4320	Oclkgccf.exe	98
PID 4796 wrote to memory of 4956	4796	Oghghb32.exe	99
PID 4796 wrote to memory of 4956	4796	Oghghb32.exe	99
PID 4796 wrote to memory of 4956	4796	Oghghb32.exe	99
PID 4956 wrote to memory of 1688	4956	Ojfcdnjc.exe	100
PID 4956 wrote to memory of 1688	4956	Ojfcdnjc.exe	100
PID 4956 wrote to memory of 1688	4956	Ojfcdnjc.exe	100
PID 1688 wrote to memory of 4504	1688	Onapdl32.exe	101
PID 1688 wrote to memory of 4504	1688	Onapdl32.exe	101
PID 1688 wrote to memory of 4504	1688	Onapdl32.exe	101
PID 4504 wrote to memory of 3108	4504	Omdppiif.exe	102
PID 4504 wrote to memory of 3108	4504	Omdppiif.exe	102
PID 4504 wrote to memory of 3108	4504	Omdppiif.exe	102
PID 3108 wrote to memory of 212	3108	Opclldhj.exe	103
PID 3108 wrote to memory of 212	3108	Opclldhj.exe	103
PID 3108 wrote to memory of 212	3108	Opclldhj.exe	103
PID 212 wrote to memory of 4296	212	Ocohmc32.exe	104
PID 212 wrote to memory of 4296	212	Ocohmc32.exe	104
PID 212 wrote to memory of 4296	212	Ocohmc32.exe	104
PID 4296 wrote to memory of 3660	4296	Ogjdmbil.exe	105
PID 4296 wrote to memory of 3660	4296	Ogjdmbil.exe	105
PID 4296 wrote to memory of 3660	4296	Ogjdmbil.exe	105
PID 3660 wrote to memory of 2068	3660	Ofmdio32.exe	106

C:\Users\Admin\AppData\Local\Temp\0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe
"C:\Users\Admin\AppData\Local\Temp\0dcbaaf42e6bec062e4ef394293c3add49f52fe520b9f0a7f8c7a218a06fb34eN.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\Nadleilm.exe
  C:\Windows\system32\Nadleilm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Nnhmnn32.exe
    C:\Windows\system32\Nnhmnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\Nceefd32.exe
      C:\Windows\system32\Nceefd32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Windows\SysWOW64\Ojomcopk.exe
        
        C:\Windows\system32\Ojomcopk.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\Ocgbld32.exe
        
        C:\Windows\system32\Ocgbld32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ojdgnn32.exe
        
        C:\Windows\system32\Ojdgnn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Oanokhdb.exe
        
        C:\Windows\system32\Oanokhdb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Oclkgccf.exe
        
        C:\Windows\system32\Oclkgccf.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Oghghb32.exe
        
        C:\Windows\system32\Oghghb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ogjdmbil.exe
        
        C:\Windows\system32\Ogjdmbil.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Ondljl32.exe
        
        C:\Windows\system32\Ondljl32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Opeiadfg.exe
        
        C:\Windows\system32\Opeiadfg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Ocaebc32.exe
        
        C:\Windows\system32\Ocaebc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Ohlqcagj.exe
        
        C:\Windows\system32\Ohlqcagj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\Pjkmomfn.exe
        
        C:\Windows\system32\Pjkmomfn.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Paeelgnj.exe
        
        C:\Windows\system32\Paeelgnj.exe
        31⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Pjmjdm32.exe
        
        C:\Windows\system32\Pjmjdm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Pagbaglh.exe
        
        C:\Windows\system32\Pagbaglh.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Pfdjinjo.exe
        
        C:\Windows\system32\Pfdjinjo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        42⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Pplobcpp.exe
        
        C:\Windows\system32\Pplobcpp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Phcgcqab.exe
        
        C:\Windows\system32\Phcgcqab.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        47⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Pdjgha32.exe
        
        C:\Windows\system32\Pdjgha32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\Phfcipoo.exe
        
        C:\Windows\system32\Phfcipoo.exe
        51⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        52⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Pnplfj32.exe
        
        C:\Windows\system32\Pnplfj32.exe
        53⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Panhbfep.exe
        
        C:\Windows\system32\Panhbfep.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Pdmdnadc.exe
        
        C:\Windows\system32\Pdmdnadc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        59⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Qaqegecm.exe
        
        C:\Windows\system32\Qaqegecm.exe
        60⤵
        Executes dropped EXE
        
        PID:3788
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Qdoacabq.exe
        
        C:\Windows\system32\Qdoacabq.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Qfmmplad.exe
        
        C:\Windows\system32\Qfmmplad.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Qodeajbg.exe
        
        C:\Windows\system32\Qodeajbg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Qmgelf32.exe
        
        C:\Windows\system32\Qmgelf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\SysWOW64\Qpeahb32.exe
        
        C:\Windows\system32\Qpeahb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        67⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Aogbfi32.exe
        
        C:\Windows\system32\Aogbfi32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ahofoogd.exe
        
        C:\Windows\system32\Ahofoogd.exe
        73⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Afbgkl32.exe
        
        C:\Windows\system32\Afbgkl32.exe
        74⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        75⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        76⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Aagkhd32.exe
        
        C:\Windows\system32\Aagkhd32.exe
        77⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        79⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        81⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Adhdjpjf.exe
        
        C:\Windows\system32\Adhdjpjf.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        85⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        86⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Aaldccip.exe
        
        C:\Windows\system32\Aaldccip.exe
        88⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        89⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        91⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Amcehdod.exe
        
        C:\Windows\system32\Amcehdod.exe
        93⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        97⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        98⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\Baannc32.exe
        
        C:\Windows\system32\Baannc32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        102⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Bpfkpp32.exe
        
        C:\Windows\system32\Bpfkpp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        108⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Bogkmgba.exe
        
        C:\Windows\system32\Bogkmgba.exe
        109⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        110⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        112⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1132
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        117⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        118⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:672
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2732
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        126⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1068
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        131⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        132⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        136⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        137⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Cklhcfle.exe
        
        C:\Windows\system32\Cklhcfle.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        139⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Dojqjdbl.exe
        
        C:\Windows\system32\Dojqjdbl.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\Dnmaea32.exe
        
        C:\Windows\system32\Dnmaea32.exe
        144⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        145⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:732
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        147⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 420
        148⤵
        Program crash
        
        PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5988 -ip 5988
1⤵
PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgelgi32.exe

Filesize
352KB

MD5
492c84d3a58da1ce36d7dc40bbaa3aab

SHA1
f2445d47b3e9e3a9e934331e12226ce0c32ed0d3

SHA256
6597ebc433e7d4103b99cc9243c15c8617fe346d190af46415f44cce07efa24f

SHA512
9844ecee2321f2d4a1c198732dde3db46b03f08eaba88588820336c2cbebd7943b6131a059c3cee3f4ca088e0978f87b1955f688c3c1d4560b84842da3263dca

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
352KB

MD5
a380146e808ed8f49047f8e40bb41b09

SHA1
7737200494e5b5eff4276c1e820d668dd94d7a44

SHA256
d26e6ad1397c3f3c874bb5df3272578f29387592d1352175794773db8876d832

SHA512
ef32a7ebcf690043862d7aa2c3fb3a50e154108118fadc8dac76c6694a32c7c246107ca6a24fecc53c45be00be2290085d91a4f4283a552e37645794ff70c9f6

Download Submit
C:\Windows\SysWOW64\Cocjiehd.exe

Filesize
352KB

MD5
5e66caeffaf20ad8572446d3d50015da

SHA1
09847560ec05097b11d95aaf7fd67e9913b5cbe7

SHA256
b3925b8e1b2aa1580bf61f4c9d759348e1b326ec9c351ed3a2b9de4994cad1a5

SHA512
850f9a7d3d12b077b152458945acfe713df62aa63b2ee915e8aa16ad048b3ccd79509e6922a23e2fdf85a44007beaf28787a4f5405cc8bc4d8ade49d88ff108b

Download Submit
C:\Windows\SysWOW64\Gejain32.dll

Filesize
7KB

MD5
a00fe6e14fc3d11b93e062bcc8f03637

SHA1
dcfe33950dc6d5e21732662f33c6a49f0ad7abe8

SHA256
aea34c7077f9c8f04aad87be3735744fbc15d71411fa62c5021620b44acb5709

SHA512
af841313c8bc0e9b41cf00df603f10c1d594cc1ac7cf32d1fca3fdc89a30b86346bfe2c437edb430203be3aeaef9ef6103fbd833c930745ab40c556cea95194f

Download Submit
C:\Windows\SysWOW64\Nadleilm.exe

Filesize
352KB

MD5
ab8f634f72d7046fe8cb3271e30d749a

SHA1
d21b484919975a40a0e68a8ce86e6c2451135ce8

SHA256
ecc70b6a496e86aa0e4e6d8ae269147e4491f54ced93315b60e4a55275e39d52

SHA512
fb96692d3b6549506feeafeb42675a4c12c1c40da2a9978b090e2aa5d8d225a8975b7ce6cd0536ec5988cc5ce7f2c7be88ca645a417bca59338def54d7c93a17

Download Submit
C:\Windows\SysWOW64\Nceefd32.exe

Filesize
352KB

MD5
03abf2ccbba83661b69530f686b56e75

SHA1
528441249a522d6d75103c6034729e55d10ffa52

SHA256
5c22b638a43180a77a507aff7ee1949c88d8ca61dc6cccf930ce250d8ec848be

SHA512
7817c8df1e7f353737802b1e425c7bfa2d690d728373d039f17bf70229941344f86134cccb51698d2fa28f60b9bd843228b26da713ae93b5fce99d0b0cdf2fa4

Download Submit
C:\Windows\SysWOW64\Nnhmnn32.exe

Filesize
352KB

MD5
c1cb8f7b8f14972a54364508dbd51a94

SHA1
c38ba86f63e9c5ad4719b3b74b9389b81b6cf658

SHA256
90808fb5f297ed584fef386e84a196a0c333e46eacbac31ce9a2846814074d85

SHA512
1f603183160a14209ffb0dacf2a1ae5ab5ee2f25868f47c38e59623cb4d19afe782efffb09a868bd2618999c04e863fe9d4b5d9ab22f378734e2b3c9838d3af5

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
352KB

MD5
50650b76d9ee4371e505f97e5550d7a9

SHA1
22219b505cf2a63b54883a509fa5f0f2027b4964

SHA256
2d0550e2a6ddaa04e30942536f3140b013d08151262e794a7b4c516fb9c3e1af

SHA512
44f83d8480240d56f84152c1f559e293312070d5713bebaa7fe5235431c921d687b4795a58aa022979187d361bdf444de9f1c1d7d6d11a164633865bdd36fe9a

Download Submit
C:\Windows\SysWOW64\Oanokhdb.exe

Filesize
352KB

MD5
f061bd543f654c9cc28bdd80f941e5e7

SHA1
4d0b47c1ed670ba0c5c9fe04a24901102ae77b0a

SHA256
ad25090103eab1c763c5dc76c6888e17b87dce0d0ef33861c7f43b286ffb6704

SHA512
ab72620915d9e0fe3083469f93b8847354c5481b63acec00439a385d5f823952a0260da6514a9e9e30f6715ce1b805161adb1d0922f2a6de4743377af4384aa9

Download Submit
C:\Windows\SysWOW64\Ocaebc32.exe

Filesize
352KB

MD5
6f66fe2d92a33859d89dd4cadcbe8b7f

SHA1
36844ee71ce55a3f33b05f70fcdc817213339bfe

SHA256
35b08b3272f06e9e92b99d9ffd2a222f91ee7d618fcaf2804af024add230b328

SHA512
193f850e8a9da193bbdab0a982fbc452d1db98d144236d3ed0560484536445da0b970cdb7c4302f89433838b3b4dc1d36c42d0c25f77c8fc7e9cacaed53ac5c8

Download Submit
C:\Windows\SysWOW64\Ocgbld32.exe

Filesize
352KB

MD5
ef9aea284971a135bd119dd7df181e04

SHA1
49c8bef9e47ed13bf5d15450a1b37d79a5f3fc0f

SHA256
06f9bf91d065b929f0203fb7de3838e992f5832717d7873935492766843a8996

SHA512
f3d8a62d80d3212e007fcf158c8b1bc4be1da66380f788c6f826436808557e6165feffc93932d693365223a50b0cd619cc4a186a2a544c7eed7ac2b434cb2b4e

Download Submit
C:\Windows\SysWOW64\Oclkgccf.exe

Filesize
352KB

MD5
9a8171a24aa6a9b698810ed52e577e8d

SHA1
698613b921b8142206e709851c3cce53d02be570

SHA256
c0d0a88e47dcd4020b1705635dfeee56664595c4cb6987347e6697812ea346a2

SHA512
d1931c09a415295af0d1f4a9043f10b1820c5659dcc47872e196dcd70e37b67896f53de4aa74ebae70d4e7f449d0c2e7b5a087062bb6ed857050ae7e4fe45551

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
352KB

MD5
c0c8b1d067fb0c19164a03f04c63cab1

SHA1
ab76645fe029c2d96e81c0833dc6add92c7bed7b

SHA256
7268a2acf4240c3482b2b0e2ec9b03c4e984af16a7d394d5f3f0c7da6f88c62d

SHA512
6d9359391e90e5c070d0ae881be32d5d0d259c8b5979662a21b3d3917a97b8d54e5add6d528dab0259be3508f0d7aaa583e63c99cfcce1496a98877b5103688d

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
352KB

MD5
4ca08323d7fbbf0b3508579c16274a51

SHA1
07f0bcb4fdd4ab52e35040c656adc9a480b03a28

SHA256
0af3ad0c5216a904ae03a816021c2bfd6c68cdc34a74c1d8e768fcd45d94f697

SHA512
0dda65202b840cd024fc0273b8aa1f5226b2748c684eeeae5ce160aefc1f9ed3fecfb727e0aa07d515a9e195fc53e197df0dfa15a55fcb81b422859fa6ff2f97

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
352KB

MD5
f048b51d9312299fb4fedda32ffe8651

SHA1
1df09dc2ea444afcb1832e284968748b604d8328

SHA256
6a4a724b4695da370caeaf4c27172a89ca73cd5bb8ab2cb5e9bf44ae30da3ee9

SHA512
e8d1197feae7befcd65e3d79953df6ee1f5b22d860d46e45b558991b7bab07a8b6677d81f0c1ab6a3a4fea6c39956ff3aebb94afd1976693a52a1cfe58893a1e

Download Submit
C:\Windows\SysWOW64\Oghghb32.exe

Filesize
352KB

MD5
87afb7d8a0be7b46120a4a30e6168307

SHA1
268da2dc890f48984d16907ffe71b11a8f227506

SHA256
9c144d2d72232c748064373b93b788e2ad90dd4cd7999016bcdc601656d2e5c4

SHA512
c7fc2898af7d71b63b03029de39fe78d1f4ca4a244acb3998dc0cb5f474571835821a197658f95aa64fa3596fb1bc093f5c85a50111294d22ea14430bade87a7

Download Submit
C:\Windows\SysWOW64\Ogjdmbil.exe

Filesize
352KB

MD5
308de2ab61c8f9f385832e9835003ca4

SHA1
5553cc1da9bdbe18d73b33ce0bbd55067f0eb72a

SHA256
46f3d48ca200a0b11c91d274c5ea6108044ff06fa015db4093eda439f6a0d4f4

SHA512
d6ed8177ea624882758219b473d923da9ba0b0abbd49d2e9ff7b7d031487d2799de1503ffd654ffdb349a51bb816e5506f9d65de81c1ebbe0a3c64868bf3974e

Download Submit
C:\Windows\SysWOW64\Ohlqcagj.exe

Filesize
352KB

MD5
ccad9ce040ebf6d2f598e221a6da982a

SHA1
1dd3a23a3b41916f50369b911f1041ec7c52033b

SHA256
09e2124d207b6c238cdb744a3d6751f0fdf25512d11dc66e2fabc260365967dd

SHA512
0dc7b0ce1583e57ae166f95fc028098460652b28adc664f3623b37c8d9fe8e48929beb878ac00da65e860147cc3cc22068ee37ecb988d2a984bb87b452416d3c

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
352KB

MD5
67e22390c1e686c8babdded4eb5f386c

SHA1
071154788a27fbf31d98d8d301c51098474aad18

SHA256
e5444eb654aeeb75bc63aadfd73916d14e486d1c6e091282df0b5a9b109089d7

SHA512
f046d216c96bbbb67012d8b1df885930e53226a888df19b3cc68449c0453b310063b414d17b97cf5748e4edb371759e25f130eacd8bbd42313ee2e0be342ef3c

Download Submit
C:\Windows\SysWOW64\Ojfcdnjc.exe

Filesize
352KB

MD5
41b9475e220ce03d157ac286d74faaf5

SHA1
81a56f580d8fdb657d0649088d2460fcfe5a8eab

SHA256
21875e460e90422fdfb83f54ea05d1e07639cbf675d3768228380d27a228b8ae

SHA512
dc790230f47661d53fe3e979ebf727e74604d133c1a6a35c7967d6f97970b93e171f1c8692ce23fe5afb6b627bc17736e92e0e824447df2a16d99ea8076e2674

Download Submit
C:\Windows\SysWOW64\Ojomcopk.exe

Filesize
352KB

MD5
ac16072a1dd56fc77bb4a100a4492910

SHA1
6a7d60d28a8afde86490ed13a44c28b7ff534d78

SHA256
ac84b596193c2d67cececd6d1917545fb404ac347935017131db45b31d85992a

SHA512
7b0e7a9df81bb84dea23e09ca0e5094be49a9c1535c248ee28ce1a6ba791fd85082f0cfd835ada58b6569c28f452d85c872c3cc2c1c4f2dfc866cd3282ca8efb

Download Submit
C:\Windows\SysWOW64\Ombcji32.exe

Filesize
352KB

MD5
7dd3d68b8231e7811bb5b58bb23828cc

SHA1
a47497434ccb93be79eca4747f66f014ad931ca4

SHA256
1052e1d02feeaace6f51aadbc6b72fd1920884974ca66fd78fc21b866a3dc503

SHA512
03ae2c320ca08c7ee804d08309b79b332d3506261bd03206597c376aa437bd683a6c8dfdb7ab865c26911872a7c2a55142671b82343da23420b7d0e6275d8de1

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
352KB

MD5
48290373a42f5e39196d9ad6c0b31a1e

SHA1
a9c367949e9f835c380d7adc7ac10ba51addedb9

SHA256
5aba51a452ae1349bf0d231898db96ab829de177d75f2fcc53dfb5a1b38507a4

SHA512
06088336841819928b3c9bdb138fdc52b13054e6bd6c27273d4b2f06c8ad7828ef8db2185b983c8017f90435ed7c4951b26284fe980ac0779e20a9c0170fa71f

Download Submit
C:\Windows\SysWOW64\Onapdl32.exe

Filesize
352KB

MD5
daa8680bf633a3841ddebc9cbfb18dcb

SHA1
77a6eabb10d68f2e89c956a23c54c0662b57812d

SHA256
7a633eb5dd45142a0edfc2c202db9a931d1731391fd89e06c17d742fc3273d26

SHA512
68ced3b73099a4e92da29881f943750612fc8de06d2e780359d6f745c5ba276d8598d0414d66098400f543d5150aa1980424d4f3770c0c7b8642771652ff4223

Download Submit
C:\Windows\SysWOW64\Ondljl32.exe

Filesize
352KB

MD5
ae000dd567ca5cd43de6f9267d8acfa9

SHA1
01618bb39065132252dd19576a7bb82f3491dcf6

SHA256
b4c101dc2f6e3ee0313a1a575e69c5c1bbae0bd13128b8e8466ddfab73451a7e

SHA512
997708eff5f35e08c4ce459a37cd6727dc4fb83c6f6582cd976bf6126fe4cd13896b86fd145695ce64f618b7c19279f0c04cbd30d87047431b1d9aed8a082d9b

Download Submit
C:\Windows\SysWOW64\Onmfimga.exe

Filesize
352KB

MD5
52603bc72a449bbf00011fa8cc64ea27

SHA1
2ef3c38b0bcc677500251d9318bfe09c4edee7dc

SHA256
5ca975e8e84ce8ebd6447e6fac33bd990ded9a8ab1190f3e82091439fb19d8be

SHA512
2622bcafa78cd6546210bf3dc9bef85f870f9f175c45877fbcd74c2c717f0c8afa3602462b80c05bb55513c23114bf1217e7578a6735b35c9f85b11eac39eb2e

Download Submit
C:\Windows\SysWOW64\Opclldhj.exe

Filesize
352KB

MD5
d878b00e54cd45590e4ca064cf4e3998

SHA1
1dedae99322b8796a2add798b911865aae94c2fd

SHA256
e76834c2a1bfe89f59310e72a018a040e1a2d15d5978ffda38f5487968ed2982

SHA512
2f155c4d7bed2e0df834cf8beda139c1fb376346c41039c2ac39d20c979177b2739a140b8bce735039d3dcfcbfeae3a3bbe00c5dae3f9dbbf14f1ef1f418868d

Download Submit
C:\Windows\SysWOW64\Opeiadfg.exe

Filesize
352KB

MD5
b97b57dfdd96e57980650b8f7ec5bc7e

SHA1
8a2f042a361e00c7146271ab9787e8394a8aeaea

SHA256
2da9f8a5497000da01a22292b0f00f08c1c06d2a2d9835b58ec2a1d3467baf87

SHA512
3dde5627fcbf920ca6ac9b2f85397cb2503edb46f6c111283b2231f61d3a036f66d9daeea1cf4e10c114fe94b198ec98a9467aed852595c653f8d73f3edadffb

Download Submit
C:\Windows\SysWOW64\Opnbae32.exe

Filesize
352KB

MD5
cef02377e421bde4513e679b73c70773

SHA1
49c93daf6fdb354e31148e906cff20d7b8bbf491

SHA256
b0f4908ec077cfa28d1a3b237fc19ec73e42912ab248af3c73b1ea8448062119

SHA512
2759a06ba59524fe75cbcd205d43d3f3c68759011c5adee1e9519f400c06b48379f2bba27662b4c3ba48a24497848e6ab54608db7334823a016c15ada305ef3a

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
352KB

MD5
0b73111538db9ace282673db4f017385

SHA1
919a19c27e1fed177a023770774c491079d5e0c2

SHA256
ff1e23f9499dd46955cf96ca163e4769a8388ac537da0bbc58bdcfe14d55efe8

SHA512
29b9fe0b21637bd4a176154e0d3a3a7b7966c686c0fd75f866eee89a466c85e7e400059027a3269e962b729611cf714850a8ad23914fa39da34329af787d1670

Download Submit
C:\Windows\SysWOW64\Paeelgnj.exe

Filesize
352KB

MD5
ebc12bac8f1d0a10d39a3adc99f1c9ca

SHA1
bc275f427da0ea1125c53acde32e32306691d108

SHA256
1ee6509eeb7ffb27fe1545b0006d162e86b7d2b66c0fb1a1299e94341665b91d

SHA512
08349bd97b655463180541c6b0152b082c21ec190e5656e6d2a9b8af55e50a1c37a83e420bdec9ad5616765a3ad7d376fa1547ef0f60dca24858ad687eb95dbf

Download Submit
C:\Windows\SysWOW64\Phonha32.exe

Filesize
352KB

MD5
ae9c7a9a82b2d574f55e5cab8d1f588a

SHA1
e177571fac9c9bb56d0d4f3d052e522938e38d35

SHA256
39fc81d16f487ff360aefe34bc882182d4536d5bc034d7ddc8aab3fd46dea146

SHA512
0d32105e2511331f7fa3cbb0863180b12845ff97fcd7782eafb56965ced9eb258f0fafebd33e0c25204100085f06f1bc29a08c35e7d2f68f9b5e4c723e8fede8

Download Submit
C:\Windows\SysWOW64\Pjkmomfn.exe

Filesize
352KB

MD5
5e7d66ffd7ec63374ecb3f9008a1b980

SHA1
1aace77b3c536f078c6049ac83dfa72b4c7c8f2a

SHA256
f724d5a621457806eb95ba0ee3fafffcc222305f39505d28e7de09c02e9a0506

SHA512
3137c99420eb15e2520ee029b297057dce894b9fecaa28d2f91d53f76b617e379a5060d4ed55cc17119ad73faa5d7e645b57839c4809d7ba79b4f41d291b0547

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
352KB

MD5
66577b63bbc1761eb2478d055247a05e

SHA1
13b4568bd9266abae99cd65413f0d33ed80f7724

SHA256
3f55bc8eee83d4f219a7c213791b7d372b33923fdffbdd3ee6aad5bc4930172a

SHA512
93d5e22dd99d51fc3a1cba11e374d01ce55c6fd9e152ae355c7595329ffea028feb7dd5f141c548fa7948381c1767c4a871b3f9e855205c6df2d23205538c1bb

Download Submit
C:\Windows\SysWOW64\Pnfiplog.exe

Filesize
352KB

MD5
954feac4998b1352a545d1cff1396a82

SHA1
30e4eeab1a12ba1087bd007f2554e6b7e06ca28f

SHA256
bef6d04034ff57553e61d1ae4abaa0756853c4a71c833fc83df004bfe846c514

SHA512
a732d3b703930bd87d1df2df4fe79d6d6b9807abea64278095078a1747b832b541490a391059773b187b2ddf898b81ec739c82d18746a1d6b1dfb285ebaacdd9

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
352KB

MD5
bb2ce340033b812684ba6d735c3023c0

SHA1
6d66977cc359a7791f706140f341c440f392bd06

SHA256
f94addc826400b5a2bab4e0383b5d1043f517945e52508abe974faaaca264a8d

SHA512
9758bcbfc80de880656e3a52e1a9abb13ddb76cde7ee2e8a3560a44be383d0dd6acc6179906f9b36bddf23ed033c2a80f2bfb4c2a7152b2ed3143627bbe25634

Download Submit
memory/64-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/212-156-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/452-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/464-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/464-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/916-583-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/996-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1020-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1048-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1284-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1344-196-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1348-392-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1700-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1840-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-375-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-332-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2172-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2232-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2252-447-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2624-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2692-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2772-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2884-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-555-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2992-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2996-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3116-428-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3200-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3200-569-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3412-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3508-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3548-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3624-459-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3660-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3788-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3824-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3880-452-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-563-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3884-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3992-220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-164-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4480-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4528-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4572-416-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-380-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4796-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4848-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4956-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4976-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5008-597-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5008-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5028-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5028-591-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5084-440-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5128-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5176-471-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5208-476-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5256-483-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5288-488-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5332-494-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5376-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5408-506-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5456-513-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5488-518-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5536-525-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5568-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5616-537-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5648-542-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5696-550-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5728-557-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5776-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5816-571-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5864-578-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5904-585-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5952-592-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5992-599-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads