berbew | abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe
Size

55KB
MD5

f4b46d88cd49417353753ab6afd7ab50
SHA1

76931188e92bb4558de4aac061f06c7fb3845f16
SHA256

abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807
SHA512

d948c805a448aae31710a7e4cda648cca3b28e439a8df49b3e21b389035b7fb2ea25512a86e6b45eed214d33a7487cc7ff082f6c16f3fbc175eb5129e9fef179
SSDEEP

1536:XXIWP2yvU6lyuXP0zOT0OorYyu0FtIIG2sEJ3Sd2LCv:TQ6lyuXP0zOT0OornF67EN0

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nloiakho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2860	Nphhmj32.exe
3768	Ncfdie32.exe
1488	Neeqea32.exe
2656	Nloiakho.exe
3268	Ncianepl.exe
3100	Nfgmjqop.exe
3964	Nlaegk32.exe
3364	Nckndeni.exe
3136	Nggjdc32.exe
3548	Njefqo32.exe
4544	Oponmilc.exe
3580	Ocnjidkf.exe
4000	Ojgbfocc.exe
3284	Olfobjbg.exe
644	Odmgcgbi.exe
4932	Ocpgod32.exe
960	Ofnckp32.exe
3160	Oneklm32.exe
4068	Odocigqg.exe
2928	Ognpebpj.exe
1968	Ojllan32.exe
848	Oqfdnhfk.exe
996	Ogpmjb32.exe
760	Onjegled.exe
2260	Oqhacgdh.exe
3124	Ocgmpccl.exe
3132	Ofeilobp.exe
1868	Pnlaml32.exe
4572	Pdfjifjo.exe
5100	Pjcbbmif.exe
4684	Pclgkb32.exe
3376	Pcncpbmd.exe
4428	Pjhlml32.exe
2516	Pdmpje32.exe
4928	Pnfdcjkg.exe
1796	Qmkadgpo.exe
4492	Qfcfml32.exe
3292	Qqijje32.exe
1664	Qffbbldm.exe
1756	Ajanck32.exe
4304	Adgbpc32.exe
3620	Afhohlbj.exe
3744	Ajckij32.exe
1416	Aeiofcji.exe
2848	Afjlnk32.exe
2036	Anadoi32.exe
3736	Aeklkchg.exe
3564	Acnlgp32.exe
4072	Ajhddjfn.exe
4472	Aabmqd32.exe
1224	Aglemn32.exe
1004	Ajkaii32.exe
2972	Agoabn32.exe
1972	Bjmnoi32.exe
1356	Bagflcje.exe
4484	Bganhm32.exe
1080	Bfdodjhm.exe
3212	Baicac32.exe
852	Bgcknmop.exe
632	Bffkij32.exe
4976	Bmpcfdmg.exe
2068	Beglgani.exe
368	Bgehcmmm.exe
4464	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nloiakho.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	Njefqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Nphhmj32.exe	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3432	4228	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifndpaoq.dll"	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2860	1008	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe	82
PID 1008 wrote to memory of 2860	1008	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe	82
PID 1008 wrote to memory of 2860	1008	abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe	82
PID 2860 wrote to memory of 3768	2860	Nphhmj32.exe	83
PID 2860 wrote to memory of 3768	2860	Nphhmj32.exe	83
PID 2860 wrote to memory of 3768	2860	Nphhmj32.exe	83
PID 3768 wrote to memory of 1488	3768	Ncfdie32.exe	84
PID 3768 wrote to memory of 1488	3768	Ncfdie32.exe	84
PID 3768 wrote to memory of 1488	3768	Ncfdie32.exe	84
PID 1488 wrote to memory of 2656	1488	Neeqea32.exe	85
PID 1488 wrote to memory of 2656	1488	Neeqea32.exe	85
PID 1488 wrote to memory of 2656	1488	Neeqea32.exe	85
PID 2656 wrote to memory of 3268	2656	Nloiakho.exe	86
PID 2656 wrote to memory of 3268	2656	Nloiakho.exe	86
PID 2656 wrote to memory of 3268	2656	Nloiakho.exe	86
PID 3268 wrote to memory of 3100	3268	Ncianepl.exe	87
PID 3268 wrote to memory of 3100	3268	Ncianepl.exe	87
PID 3268 wrote to memory of 3100	3268	Ncianepl.exe	87
PID 3100 wrote to memory of 3964	3100	Nfgmjqop.exe	88
PID 3100 wrote to memory of 3964	3100	Nfgmjqop.exe	88
PID 3100 wrote to memory of 3964	3100	Nfgmjqop.exe	88
PID 3964 wrote to memory of 3364	3964	Nlaegk32.exe	89
PID 3964 wrote to memory of 3364	3964	Nlaegk32.exe	89
PID 3964 wrote to memory of 3364	3964	Nlaegk32.exe	89
PID 3364 wrote to memory of 3136	3364	Nckndeni.exe	90
PID 3364 wrote to memory of 3136	3364	Nckndeni.exe	90
PID 3364 wrote to memory of 3136	3364	Nckndeni.exe	90
PID 3136 wrote to memory of 3548	3136	Nggjdc32.exe	91
PID 3136 wrote to memory of 3548	3136	Nggjdc32.exe	91
PID 3136 wrote to memory of 3548	3136	Nggjdc32.exe	91
PID 3548 wrote to memory of 4544	3548	Njefqo32.exe	92
PID 3548 wrote to memory of 4544	3548	Njefqo32.exe	92
PID 3548 wrote to memory of 4544	3548	Njefqo32.exe	92
PID 4544 wrote to memory of 3580	4544	Oponmilc.exe	93
PID 4544 wrote to memory of 3580	4544	Oponmilc.exe	93
PID 4544 wrote to memory of 3580	4544	Oponmilc.exe	93
PID 3580 wrote to memory of 4000	3580	Ocnjidkf.exe	94
PID 3580 wrote to memory of 4000	3580	Ocnjidkf.exe	94
PID 3580 wrote to memory of 4000	3580	Ocnjidkf.exe	94
PID 4000 wrote to memory of 3284	4000	Ojgbfocc.exe	95
PID 4000 wrote to memory of 3284	4000	Ojgbfocc.exe	95
PID 4000 wrote to memory of 3284	4000	Ojgbfocc.exe	95
PID 3284 wrote to memory of 644	3284	Olfobjbg.exe	96
PID 3284 wrote to memory of 644	3284	Olfobjbg.exe	96
PID 3284 wrote to memory of 644	3284	Olfobjbg.exe	96
PID 644 wrote to memory of 4932	644	Odmgcgbi.exe	97
PID 644 wrote to memory of 4932	644	Odmgcgbi.exe	97
PID 644 wrote to memory of 4932	644	Odmgcgbi.exe	97
PID 4932 wrote to memory of 960	4932	Ocpgod32.exe	98
PID 4932 wrote to memory of 960	4932	Ocpgod32.exe	98
PID 4932 wrote to memory of 960	4932	Ocpgod32.exe	98
PID 960 wrote to memory of 3160	960	Ofnckp32.exe	99
PID 960 wrote to memory of 3160	960	Ofnckp32.exe	99
PID 960 wrote to memory of 3160	960	Ofnckp32.exe	99
PID 3160 wrote to memory of 4068	3160	Oneklm32.exe	100
PID 3160 wrote to memory of 4068	3160	Oneklm32.exe	100
PID 3160 wrote to memory of 4068	3160	Oneklm32.exe	100
PID 4068 wrote to memory of 2928	4068	Odocigqg.exe	101
PID 4068 wrote to memory of 2928	4068	Odocigqg.exe	101
PID 4068 wrote to memory of 2928	4068	Odocigqg.exe	101
PID 2928 wrote to memory of 1968	2928	Ognpebpj.exe	102
PID 2928 wrote to memory of 1968	2928	Ognpebpj.exe	102
PID 2928 wrote to memory of 1968	2928	Ognpebpj.exe	102
PID 1968 wrote to memory of 848	1968	Ojllan32.exe	103

C:\Users\Admin\AppData\Local\Temp\abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe
"C:\Users\Admin\AppData\Local\Temp\abb544d6c7453002596c45a435d83097fa47d9a71837b4fd602aae7374856807N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\Nphhmj32.exe
  C:\Windows\system32\Nphhmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\Ncfdie32.exe
    C:\Windows\system32\Ncfdie32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\SysWOW64\Neeqea32.exe
      C:\Windows\system32\Neeqea32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3268
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:644
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:996
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        26⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        37⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3736
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1408
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:768
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        90⤵
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        92⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 212
        99⤵
        Program crash
        
        PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4228 -ip 4228
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
55KB

MD5
0a601b5a251b18935db5e0d77157f9c9

SHA1
febe996ee77d8427f021244df780c089f608cf53

SHA256
7b164f46b992163de4fb966fe48eb09d0e42a60109ac60f97f9b16837669373d

SHA512
cb50e82b06bbf9e0a09ddf8801e9631939fb220090436a80346b2a464b572de560744163a4caef89d06445b832176e0f98a3f0d34c7213c519b16f36bc9bb630

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
55KB

MD5
0496bb37ba1ca76f23f3925d4410f62f

SHA1
30d2ea8f39339c48f44d6e515e51636872ac4630

SHA256
67f5c24239b006e793f0ea2c34b54f0c7f7ea974bfaaac04ec15fee0d6648161

SHA512
6636ce4dd3f0c7efb91256c8c88f72f0f7a537590b808774e5562b2f92407c1ba89b73ae87b88505c831a7728e0ec0645ef0688f978c8852cacbb5557b875bd4

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
55KB

MD5
ec1f5a65cb950f98f747d57056a70255

SHA1
4ec5efd7e623372c7f91508820dbfe421f413e10

SHA256
1a3fe92b0c8a3ebee53c5ff4673937eb69aef50db9c20b10d53e40bb60a27926

SHA512
e826ae0d4e59922ed261b4d19e0b3ea62388d8133ad3c3d9379ea9704d0cbe80aacb7e1a11d2926ab518dc3d314dd4819b1f917298fc20609f012f4ef4b9beeb

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
55KB

MD5
0c1b2c4b363935aca977e2cbc7333808

SHA1
8d26d3c6e2bf25911fc75e1ec67a879e582ee22f

SHA256
0c71fe6a1521f8a12af1cb1c3cbcdc0fdcfd89dcabc13921cc764f5f2bca992f

SHA512
14f1141d63ff6b8ee18fa1417c90d32bfbcf236e4c4836294064031e466cb02acfbceaab1ecdb119cdba5303491f71be6dad3203058abe5ba198cccc12e8abfd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
55KB

MD5
b89ea4acea4e5e673aa525a4b68343d2

SHA1
1d6e59b907f537c1fb89d45fd21094b85f6c8fd2

SHA256
6e9cab467625bebc81679bfac42b1406016da789680649e3e0ca93965a7bad9a

SHA512
1eb06c9f18244661b6c7022b43ce992bf0b1512c88102c57d7850f9129f78b967802fa798a72d3c46aba5184a8531b195142948bfb76fcd1881de78e21c47853

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
8a7304441fd664de2954d32eb6e0f0b7

SHA1
6f28f5ad4e2003e55e7488d86358a5882a736a8a

SHA256
3a1f6ce5a1f13578072729479bd466e61bdf952f5c1fe62be509e89d7eb4d051

SHA512
a2106d112bf0e79f4840f763ec2d8da4300a15e8f50adc2627d0736de8aa7aa27b057c8116dc29ec82514077929f205610d60c6a02f40b231ac7320318af36ac

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
55KB

MD5
7d481ee26a10a1ce0dd49cae7815897a

SHA1
e24a56b37920381aa217ff900cb50d8ba1a9427c

SHA256
dfc6906147e47edec99f76b97b33cb5df6c25b5f8f5fcf4a7891894d013baa0d

SHA512
7106a71a9560d1d39f1b1911ecadd841ca6bb1626185837db85ea3a231e6d8a94ab8242a7b48735ab4525fe436e4f37fe320ac5082f0428f7b5bc2bf829dd454

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
55KB

MD5
d81d347117fc637a91a11ebfda42843d

SHA1
4fb2db0831866b12d3e010aa29f456c0c4a52697

SHA256
472454dd6701d93c6f35a1557f43d4799a59235876f079e498d76a9185e2ab01

SHA512
9c268040f38d96d01fcf8bf627808ca799ee3c6272782c86ad1eb55e0fa6039678cc96729d560420375f989667309a1fb84145258ac5c577022a3ffd021d6a44

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
55KB

MD5
1b741b896fd6f33aada2e6eb61547cd7

SHA1
479d96f8101a7e462bcc4e7c8cb2aa64aac49ef5

SHA256
0a76f75d6ea8375d441f7c37fd4e7472a390d485f1e9ac03e7185864dfd8f6e8

SHA512
627e0bfb5d1dc7f6021b71f871c43034c5028ea3ec907f5e6517eb315a256cb40691249c0e1a25351c6c0e55f1efefab7d062c9864278f11c2fb1fd4f4a2f327

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
55KB

MD5
b1fb5ddacc3a04b6a591e21dab9d3a8e

SHA1
c5c807caad654b2babefe233e14a87d276da578c

SHA256
6c99f1f6bb20a23c3ce5619b4f9e4950e07192c90bba4598796e2f5d2ceb60a3

SHA512
42d5abe2c1f1721c7df6f9c9efcb67a8cf16c00efc8b5e1d52be89cd8f24889951e3a39dc9ac10c521273503b5fd99fb36e4f0b20f38f890edbb1d9d45d10af6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
55KB

MD5
84824920479b0bbae82a803842e37ccd

SHA1
1d122b2689f925d4e4a57798e44999f2cddfbd5a

SHA256
0b421c357374725e3bed03aa20e52b5c6da0e4a317ee55c94be51c6ca9b75731

SHA512
1ff32131eb83c6c8d7c8c496457f9c4ac2daf6c56ad93eba22bcf70bd62afe316c2db8feafe66386afaa4fd1ab0a1f6e0c224cfb34f877753c588f9661fd74fb

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
87680cbef6e5f4f55439467bf1e5cebb

SHA1
2a4d7c50ecd618c66fff8bd1ef45b95ce1b614ce

SHA256
60db7df6bb671d929fa4fddee015d709ce5fd844ef2708bf5ff20c193362260b

SHA512
4291e7df2d92a43265729251548d70f39a5fd25034a0b34dbedd8166cb58ba35e4953a81533b5f5a66622587378b0fc0bf820b2b259d42da8ded80919648969d

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
55KB

MD5
2ad1ed1296d0889480d937484735655c

SHA1
4aab3d167327db5b37a23c875f5b730328f979aa

SHA256
c2040723571d53f50e28f4670ef772f280c744218c3c32b68c024518be299600

SHA512
d3821aba60a146f11dc89441f9e6c30c5ff18a4778010c832321cf72bd14e990be6373066db60ead2fe59099e5ab5f6d1c9bb29e543e9bf5d2398890d0145acf

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
55KB

MD5
9c7306064c26071644bc6be8c28bc1d8

SHA1
333d54e9b7b8a0bfb18035547da8b11eeac707b7

SHA256
e549f062181aae019ea31f41d6e1835f26148d5fa438c1d64faf7ab9f7d50d71

SHA512
45f89642cd731e6480e73c6947e7f40d02f1f7942886fc9bf0a12b32740771412fa3007d9737602c349bb30a1657cfe949634c9c84eca13ba48105575d42cc1f

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
eb035910fd8f91178a101bf07082d969

SHA1
a860d20cdd6f11bbe337ded9baf77d80231a2182

SHA256
7741d72031fe7a65dfb3267323a6f80ed183498c1f64ee7e2f2aab68c063e282

SHA512
86b9b1288e4cdec51feee5a92c4e76edcb2bacb613b0405e48b22f708f65d9308ad86b50b94b34ef300e3e9c3d4f6dede7f4ff55ce9194b49ebfe9823713e03e

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
55KB

MD5
039f4b7a5e1b52cb6f694b95e3198eba

SHA1
fd6c4a823f8c72307064e6456029f2ba3cdc4c37

SHA256
2ddcd723ea7b326293030746950f764037aadb4abb68deaeb30d54389a87da6e

SHA512
fb37876ae9ae6d3938166dce5720bc8255c782e685ddc4dd6233facb5ea09a456c89b65b105615d2ce2dbd3f95a3447a9507333a1ab8f82d6d384abfb481c58a

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
55KB

MD5
1abc4e3d5ec90e7c8215885d02afcfa4

SHA1
1ccf0d5cef8c921c4c38a729b25fd79076cc067c

SHA256
b0b2c5ef2a77b3b21ef155b76c9edf34dcaa8e199d9634aa5d7fad68a31e2431

SHA512
b5ac7c481d6f5cfed8200ca783ac236b300416828b4baf28d0441cce0d04d504af6e1220e179ea3fa974eb52a60d2cd1cb6b746d5eb9cd4b16ed357b54637620

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
1125029ce558224694841801427ce058

SHA1
f7f96831fdfc7263957753e1119da6fbc97efee0

SHA256
b28c1d47ab9e20d3a59f64e126fcafff9e61ccc88edb8726fda23d9fd6ffa954

SHA512
cf6d5400fa4bec338255884acd870d07e3e37a7cedc99aaaa35647fb59506ffa93edfae28c45d14c420c2a471678925fa33fd4e220fc076207e4a294055005c1

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
55KB

MD5
c1832f90cf45575f9c5c88a12617aff4

SHA1
e3f4922c08790e61f92e23b755f3b1f97b523bd9

SHA256
0f02eb9a7233368a9157d793e2e03aad9744cbeeb395553a34a1b8b993056bda

SHA512
0a058e9576969838ad782a48712c5f0f46c8f260f14b5cd7124e9dd128da53699be76c983fefa6705d544a794fc9ee211d965101c1878e1fbfda8ae8f515bffe

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
55KB

MD5
72fe28aa6f70d374606330b6fd9d3174

SHA1
6aff17726dd186a113f50dedd8d2aa90ff9d0871

SHA256
f959134abf7fe76198858318626fd19a7833e4c050a60a0a165df0b446ee8e9f

SHA512
6b7e5fddb331426d420b49f3885147e800a08f7f28b0790e1616c6fc957d6f64cfceedb2f47514010e8d997d4f68a37dfe23f0e84a3433f872d5e18918ad10c4

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
55KB

MD5
dc572803586cb1e09c683fb213ecdb42

SHA1
8128756c9324d588c9e1246c2389237182b8f775

SHA256
4cb8076d78984f5005329a9823a1fd6935b6591f92a5846f1d54e03d4503b3d7

SHA512
f3cd5d2900fb2d220c993bf5238912e3b6aa369741aa025427293f026f74184e229f358af056e99a42bef792c67d5df4b81c9a686848a6833b2bf8b1a2a44939

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
55KB

MD5
e7089783355f3db4d861a6228183670b

SHA1
4f075b35c517cf85f5e004e8b1ca5ccdfc1ea48f

SHA256
794d063be89c5d69826d524caf161fe632f88b524c49ffcf83e6974b3a657815

SHA512
7889b0524a331383a0dca92ab863212b3eda1f1584ada4eba878d77ca4faa7bdcb3338b7180f2e3ffa7cda30592fa7200498d80621b034f7ccde0b3e5e870941

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
55KB

MD5
89eb3a75d80bc0a136277cfc331dcd1f

SHA1
395931f12c9f6dc8ecd28c911249153ad8e6fd0e

SHA256
db1533f892f94536c347e44100891ab4ed3de04bf21445c047609deca19b6ebd

SHA512
cb382fe5025b7ac13fc0892c255af4261a0578b8051320fc967141554c979fce536a8d80c14e14ed27c39d1e31f79ba43bb9c45608fbe10c7422c8d4f638f5df

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
55KB

MD5
90b88e680f44b03dae0f47b51dbd5bcf

SHA1
d2dee92e574dc11f213a067e89335f1043ab7aa9

SHA256
f05066884ba483def837906c0fd6e90ce1b676287abc3b78e772ce10573a8c2c

SHA512
8cc274bc6165e621817b2e7ca94c15411b733aea5266980b77ddece7b25ba12b174547c2221fc5382e00d429c2f5fda3f4822f1cb54b30a47e4614d6dc0e6779

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
55KB

MD5
f9fbaee69b650a3b6631c7054c839307

SHA1
4614635da323e7e89d4b86cffc7a3c55ff4e1f89

SHA256
993586c264a278ae1db45c647b5163935ae77d7fa8f45eaf11ca1357b23917da

SHA512
0e25dda02248feaa5be49ad5342f1be0fd8a546f6be89bf08182df6c49b95d13900a5a61bb339efeb93d2925502e05abfa162ef26350f5223d5a44812b72653b

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
55KB

MD5
72e3d475199af2894fcab5245e1a8d7b

SHA1
06d3d50067f27d1be2cdbab3c60e371dbf9bab3d

SHA256
495994574ba40b3dbd7afa124e9186b069369d8a80a1d9fe88df059d11dd3865

SHA512
2754a2049ef259b62e9729497195443c4d0c9a1e289974cc76bf0d7a066d319c522c61fce8d7a50437daa55ad1db9a03cad87283902bc6be6eeca67edbf6a344

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
55KB

MD5
4bb1648e5af80a81de2e193b99d52f3d

SHA1
e80e1e209541dbd8479c4473ecf465207802e5ed

SHA256
7e97742069f67530808c7a6a68086dd4a026bb98a97d1835893c69ddbf7e0a7f

SHA512
53ebfaef698b29cfb12cbc97ab7fab198f6ca6413ec71acadb865bfe083f7441be964550646191c69e438032bd73da757d7bb6006e96e2d4f0c10b6e09d58b36

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
55KB

MD5
6a3b65ee73e0e2e4fa19a7b2a89ab918

SHA1
39f55d6c295b7fdc34efb80ac550eaa611a06674

SHA256
c29b078f761c6f791b34621897833e4cc536f2f4f30a7c25ab54e909f9721ea8

SHA512
4265289a6d177a136994f907894de2b1d3c731e42e59a2c1e1056b2f31465baff34062d82f82bef11d53a0197b0a6cf7947fceca6570dba63f4918f7b1f33d5e

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
55KB

MD5
dea54adb4e97ce3a86d188a3fc7df48a

SHA1
0b2957373310d079716acea8ba8a843e9acf3af9

SHA256
7abb85c87fc2beee916cc527e9ae19b574d7b79e2ec6c49ba9938fe186fdb9cd

SHA512
fae272550d3aa9962493a8cdf054052dc311dfcc79ae7130ad87e52625b3766f62df8c971ea55228bc85c580c1a08a420ec5b72c808661a8a65103192f209b4d

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
55KB

MD5
a9dcd2622fd34d25bea44a24f7d39f02

SHA1
6ae01d0dfed022b4dcea65b5acbb7cd39ce6ea4c

SHA256
299b1b56fb777f58699bdc8561403f04e21dab559b87ed63e8e9ac554a03e21b

SHA512
d9ebbd3a4a072925880f982a278ab1fe4e82de091054ade94c2c8b724ad041960800b4a58b018f46c9cb1d4d699e555f354d84eaf813b26346fc17ab2072d570

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
55KB

MD5
590c5424e6a88d6c4324f1f4f0d6d5de

SHA1
1f2fddcf15044299ee428f3aa4976a26bf77c12c

SHA256
29b59425b4ea31b00ef25b1e95fa7fdbd826346bc835b1ec2ca26c390e54c516

SHA512
6274005cd4836e1fdafc49ffaf71a5b39bea7e25a68bed087be49e3a7785b3aacee99ad3ed3cb53dedd2839e67b3314261b61d09d20aa7799a9ad26ec000dd28

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
55KB

MD5
804f81650c8a6d0ef87c0a5c4131a97c

SHA1
85c8f3c8cfae6b3839365caf8a95110a785d6b58

SHA256
7d57eff21566c512bcc9e7b3309186462d8d7c0db49bf8e5cb73fc9b7d658a0e

SHA512
cf5bb26027b8a35d094d74c09b11a5eaead31a2f8743c993f693b8e575a3b627b84b662b381556fcfe7c45d0700f0684ebf893abe27264c49843f4a52bde3f73

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
55KB

MD5
4a26e9f45ba79db5aca610fabf21b9f3

SHA1
07f3678427f53d7c9c65fedb159343bb23c01f0f

SHA256
e414cf772bd1b79e81900c882729f952281e0c220eb3f5f23352ec9aa0ad46fc

SHA512
3d10c2b86f2d55e34a5b8faa3782e44905bff1396133ed08cd0971d3ed9a6e08e711ebc93d7bfba3adb66e03778eea3ca9d43d3dda93c949f801dd0f316de643

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
55KB

MD5
a4b158eae181d22a6264d76ccffd92bb

SHA1
68968b78ed465fb2d815aa569e14602f9f90ce45

SHA256
12332c185542425dc2261adb390fe7cf178bea52fab16217bdb1dd8936bf011a

SHA512
3cbc29128db30f50b166278cb5b28ddcfc1238e65bbe67697a8eec730bc243ed314efe725812b6b33973f8b70de3ca95b90828fb8ded6891a77627be61ca1645

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
f97a71f7821ce170538a10f5c7ab5d6a

SHA1
dc5711f391890380456a54561523cda799ea7d3c

SHA256
0d826f54625f746afd0bf14519269056c34909158f5ee52e0dc450e2a40e2249

SHA512
ae7be09d94c2a4145728974f831c828ed04b624d8d63f61f48691e16c51086e2c2c452bd87a50b9bd476a18179257720af0ccf708543c9f3c7f41f0b05a4daf1

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
55KB

MD5
5e6ce28fdd9b9d46404706386aa496f1

SHA1
bd8ac2090679c165d5323852ab28bf7c22bd5b91

SHA256
704ef33218316114ecad5b50f0d3c8d811371a848177669e906fa1a7480e0386

SHA512
4d1d8e7acf1b0821abd6359528e4e40bcb5e25becbe3d7e94d292f2a4e9b82e87f453148818971c11b0959f3deba52f961cedff2030dceed36a4cc3231d3d731

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
55KB

MD5
8742641e57597da5094c556c33808c03

SHA1
1c7134c6c5f77547792ffa826db4c1528f20a2e4

SHA256
872975fd5a648671d40fe14108f657d2464b661b4bd16aa8a8f85827834adba2

SHA512
73f494384430cc1f534684b5e1be170d98213782cfcfde490288572568c91482d94b9e2fd5f4b6c9311533d33d3d2e03f9bab69c1b4384633e84b9439ff56035

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
55KB

MD5
60cfee05c906c486722e608253613702

SHA1
325cdd231914c34e8488abc92725337b6fbe17ae

SHA256
e12aebf9181305ddc66658778c0c5f35e2a6290e6c732c29bb7df1fbbf7577d3

SHA512
574f89a08e8e33f660c1fcbf7e80ec9c9c4847ba5a6b380d82950cff0fef225ac09f2d4c0f5bda3e24021071e34d940f62e8b1dc00d9f0630decdad3b0b629ac

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
55KB

MD5
f4461801248fdaa915a30eeabd0b601d

SHA1
48138da348807c3ff4eca198e485df13ea618ed8

SHA256
59bde5e418f8cdc4ad40a0faddc0d29b61f0dac1a880e8c0f1b630289efb8f81

SHA512
e488c863c9e09dfd8fc46857aa7ed9533cfc2618dcd0f0fd74ff52c5d8e6867e1553228ac621ee32959da8e742d73fd4711179c15ca529260918d99576dff6e3

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
55KB

MD5
6cc13d706a685d1ab23221e554d6e208

SHA1
7cc2e356b699c925fe97b67de38cf9b8741b0bb3

SHA256
079d52bac777e0a8ff434aeec0d10de6150260d04ff867e8329d072261a4c243

SHA512
9e69f860b62f7490517f741f7b1353b0411a29ef04c44745ad454d67cb4decc7a72362a71311f12eefd8521db1372e62543a0440ede1381076038c2901d9340f

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
55KB

MD5
2e1824b8c509d4cafdc99e160563d5a2

SHA1
76e1eceba5d01e3cdc66557174007981457db102

SHA256
65031c49f8deb49f3d8c15037159047a2401aa75594ace678b828a13f8fd607a

SHA512
290144529e6e2ffcd8f98b678ef1d1aeeed6a854d1513ec93c482dca2961009d1e731b5ab3fd708e51486724dfd4af12a6ec5466a6ace457e864f34dc864e0db

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
55KB

MD5
e73f931803c5bdb2a64278c3e38cbb11

SHA1
b24294cb08622ab399e74e1d9bd72bd9b302c66a

SHA256
3a000e4127c5612faaee39e1057d8b4fec012c7c3c24820024272d5afd85f069

SHA512
4106fa727b9b15c35069ff99a7b37c08ba795323a49a9d128734f75c1c81d3046e1673163f68e30e1d72e436f81ed8e976d768a3e6ea5a533d2cd5f8f49034e0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
55KB

MD5
a476d2b7e441e44799a259b20221cfe7

SHA1
6160e908b0ea7d890225c7463ba79122a74cc53c

SHA256
fea5d337c0413c368920dd4faa373fc22b988f2decce243c3afebb3b46d87141

SHA512
131b1f022a4bd7c04ce301327ecfa80b13467a921b7509e44b021884d779e54613e9850dfe39e3f4fb583eddcaedd41515327f14a3e85661e8b2ea92cab3f605

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
55KB

MD5
2b960fbeecd73960866e73d473ff3d1d

SHA1
3bf851d3d34244936f567d8f78ddf15bd76cc266

SHA256
85437810fa1eca1eb63ad4e7fa467841d5ecfdd69eaa22ee5d70c3896bfd10e6

SHA512
7a5afca01a6a6fb19757bd9545768dd358c837c32a8dbf2c11847891200929ae11ba5cf4bfd8e7bcb2b25adf6559e267492fe864d481dcfa6ab30c2f3d5ff75b

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
55KB

MD5
69a27eb59b50163849b1acc0077f7629

SHA1
22d7fea924612c1b7fbd77e8867c613e8441f6c3

SHA256
7ed640b1a29a4eff2e2e980859d5a887a1c44a6fd03d7e16fde8432a815c9627

SHA512
fe00d3988e9d06c17940d8236b4df2f7b4c74d0b2a4b74f3bdd1ae40eff1972b676f3ec9708b01ae0984fe58504cd9e0037f0b49878274f3c29ded197dc17da7

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
55KB

MD5
c342b1f66f0db40a01bc6a4901235d60

SHA1
ce878e5f3f8b08be6b7361ab29b4fc7a0c850d4a

SHA256
596b7d914e1597865eaabdaa6c4c423484c5e491ac350a40327bd5563206d272

SHA512
94141c970b4a1dbae903bffc2ba130ac769aa3ded7529c7c283740b66ae94990f8a2323e5f590e69c51588bdaca1c5bc8c5af1f8bcb7b54684cf9d4826ca5e33

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
55KB

MD5
0bc94702047d06f6bb2d6bb49560e52a

SHA1
349d37560892523e89faa0d324d2ef11ca5989f4

SHA256
d9140762d0a13f0fcdd3418898e2adfe635cda51f2b7ea05d21dda5c1c995179

SHA512
82cc01a077f58846f9d4c1bbc3b15df3dd02280cd30bef6c57ca888043d84772ad8f3cfb3a4b5e10dedc91578c065f23b4d98e0325a399a7ddea5234e4de5c0a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
55KB

MD5
02633f9634323a9aadf2fb87e7aca38a

SHA1
f4a6cb7293a38341776d629c5485db4416939dac

SHA256
2b3b1e1ebca00419a7ca26055122939324578bf2f8bf8c65724daa995d5c41ae

SHA512
720d5cb9d92deba411e4047bd55a57250a67b42b2e5fcd7eef60b8c8fded18a8fcad27960e0672784f5b4269d3aff7f6d29b3725ce219ee32b30bd0e5b75ff52

Download Submit
memory/368-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/848-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-739-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1008-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3220-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4228-666-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads