berbew | 5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe
Size

194KB
MD5

825b5852edf6dcd196257daf076f3e30
SHA1

20e737a64da9bd2919bf4d814dfbf334a346a374
SHA256

5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349
SHA512

a87ab90ec4572716f1d952f6517405b0f5c51b6a9924f7c542eb11c9ad421d44735308f33c05c0f3013dc4e5e8de00cbe745d8e471881335ad4fde8b65a063ef
SSDEEP

3072:MZTZITFTdSfUNRbCeR0pN03xWlJ7mlOD6pN03:oIhTdSfUNRbCeKpNYxWlJ7mkD6pNY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mckemg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
1052	Mckemg32.exe
3780	Mmpijp32.exe
2304	Mdjagjco.exe
376	Melnob32.exe
1636	Mmbfpp32.exe
4500	Mgkjhe32.exe
3876	Mnebeogl.exe
1500	Ndokbi32.exe
4224	Nepgjaeg.exe
728	Npfkgjdn.exe
5008	Ngpccdlj.exe
4004	Ncfdie32.exe
1248	Nnlhfn32.exe
2276	Ncianepl.exe
3880	Nnneknob.exe
4384	Nckndeni.exe
3208	Njefqo32.exe
4360	Oponmilc.exe
5068	Oflgep32.exe
804	Oncofm32.exe
3380	Opakbi32.exe
2932	Ogkcpbam.exe
1984	Odocigqg.exe
3756	Ofqpqo32.exe
3784	Ojllan32.exe
2100	Odapnf32.exe
3164	Ogpmjb32.exe
1676	Oqhacgdh.exe
3560	Pnlaml32.exe
4444	Pgefeajb.exe
2464	Pqmjog32.exe
3536	Pjeoglgc.exe
1988	Pdkcde32.exe
3520	Pgioqq32.exe
4356	Pmfhig32.exe
4584	Pdmpje32.exe
436	Pfolbmje.exe
400	Pmidog32.exe
2904	Anmjcieo.exe
4464	Aqkgpedc.exe
1056	Afhohlbj.exe
4124	Ambgef32.exe
1944	Aeiofcji.exe
2948	Agglboim.exe
2644	Amddjegd.exe
1376	Acnlgp32.exe
4000	Agjhgngj.exe
1432	Amgapeea.exe
5016	Acqimo32.exe
4784	Afoeiklb.exe
1688	Anfmjhmd.exe
788	Agoabn32.exe
4516	Bfabnjjp.exe
3700	Bnhjohkb.exe
4044	Bebblb32.exe
1192	Bganhm32.exe
3824	Baicac32.exe
3516	Bchomn32.exe
1108	Bnmcjg32.exe
2760	Beglgani.exe
532	Bfhhoi32.exe
4712	Bmbplc32.exe
4692	Bclhhnca.exe
4332	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Mdjagjco.exe	Mmpijp32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	Mckemg32.exe
File opened for modification	C:\Windows\SysWOW64\Nepgjaeg.exe	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Mmbfpp32.exe	Melnob32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	3592	WerFault.exe	173

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmpijp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghpcp32.dll"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiljkifg.dll"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1052	232	5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe	82
PID 232 wrote to memory of 1052	232	5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe	82
PID 232 wrote to memory of 1052	232	5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe	82
PID 1052 wrote to memory of 3780	1052	Mckemg32.exe	83
PID 1052 wrote to memory of 3780	1052	Mckemg32.exe	83
PID 1052 wrote to memory of 3780	1052	Mckemg32.exe	83
PID 3780 wrote to memory of 2304	3780	Mmpijp32.exe	84
PID 3780 wrote to memory of 2304	3780	Mmpijp32.exe	84
PID 3780 wrote to memory of 2304	3780	Mmpijp32.exe	84
PID 2304 wrote to memory of 376	2304	Mdjagjco.exe	85
PID 2304 wrote to memory of 376	2304	Mdjagjco.exe	85
PID 2304 wrote to memory of 376	2304	Mdjagjco.exe	85
PID 376 wrote to memory of 1636	376	Melnob32.exe	86
PID 376 wrote to memory of 1636	376	Melnob32.exe	86
PID 376 wrote to memory of 1636	376	Melnob32.exe	86
PID 1636 wrote to memory of 4500	1636	Mmbfpp32.exe	87
PID 1636 wrote to memory of 4500	1636	Mmbfpp32.exe	87
PID 1636 wrote to memory of 4500	1636	Mmbfpp32.exe	87
PID 4500 wrote to memory of 3876	4500	Mgkjhe32.exe	88
PID 4500 wrote to memory of 3876	4500	Mgkjhe32.exe	88
PID 4500 wrote to memory of 3876	4500	Mgkjhe32.exe	88
PID 3876 wrote to memory of 1500	3876	Mnebeogl.exe	89
PID 3876 wrote to memory of 1500	3876	Mnebeogl.exe	89
PID 3876 wrote to memory of 1500	3876	Mnebeogl.exe	89
PID 1500 wrote to memory of 4224	1500	Ndokbi32.exe	90
PID 1500 wrote to memory of 4224	1500	Ndokbi32.exe	90
PID 1500 wrote to memory of 4224	1500	Ndokbi32.exe	90
PID 4224 wrote to memory of 728	4224	Nepgjaeg.exe	91
PID 4224 wrote to memory of 728	4224	Nepgjaeg.exe	91
PID 4224 wrote to memory of 728	4224	Nepgjaeg.exe	91
PID 728 wrote to memory of 5008	728	Npfkgjdn.exe	92
PID 728 wrote to memory of 5008	728	Npfkgjdn.exe	92
PID 728 wrote to memory of 5008	728	Npfkgjdn.exe	92
PID 5008 wrote to memory of 4004	5008	Ngpccdlj.exe	93
PID 5008 wrote to memory of 4004	5008	Ngpccdlj.exe	93
PID 5008 wrote to memory of 4004	5008	Ngpccdlj.exe	93
PID 4004 wrote to memory of 1248	4004	Ncfdie32.exe	94
PID 4004 wrote to memory of 1248	4004	Ncfdie32.exe	94
PID 4004 wrote to memory of 1248	4004	Ncfdie32.exe	94
PID 1248 wrote to memory of 2276	1248	Nnlhfn32.exe	95
PID 1248 wrote to memory of 2276	1248	Nnlhfn32.exe	95
PID 1248 wrote to memory of 2276	1248	Nnlhfn32.exe	95
PID 2276 wrote to memory of 3880	2276	Ncianepl.exe	96
PID 2276 wrote to memory of 3880	2276	Ncianepl.exe	96
PID 2276 wrote to memory of 3880	2276	Ncianepl.exe	96
PID 3880 wrote to memory of 4384	3880	Nnneknob.exe	97
PID 3880 wrote to memory of 4384	3880	Nnneknob.exe	97
PID 3880 wrote to memory of 4384	3880	Nnneknob.exe	97
PID 4384 wrote to memory of 3208	4384	Nckndeni.exe	98
PID 4384 wrote to memory of 3208	4384	Nckndeni.exe	98
PID 4384 wrote to memory of 3208	4384	Nckndeni.exe	98
PID 3208 wrote to memory of 4360	3208	Njefqo32.exe	99
PID 3208 wrote to memory of 4360	3208	Njefqo32.exe	99
PID 3208 wrote to memory of 4360	3208	Njefqo32.exe	99
PID 4360 wrote to memory of 5068	4360	Oponmilc.exe	100
PID 4360 wrote to memory of 5068	4360	Oponmilc.exe	100
PID 4360 wrote to memory of 5068	4360	Oponmilc.exe	100
PID 5068 wrote to memory of 804	5068	Oflgep32.exe	101
PID 5068 wrote to memory of 804	5068	Oflgep32.exe	101
PID 5068 wrote to memory of 804	5068	Oflgep32.exe	101
PID 804 wrote to memory of 3380	804	Oncofm32.exe	102
PID 804 wrote to memory of 3380	804	Oncofm32.exe	102
PID 804 wrote to memory of 3380	804	Oncofm32.exe	102
PID 3380 wrote to memory of 2932	3380	Opakbi32.exe	103

C:\Users\Admin\AppData\Local\Temp\5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe
"C:\Users\Admin\AppData\Local\Temp\5457d7d13d3cb3acb1b14980660be56778ce91ee057e780fe643f23674a3b349N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\Mckemg32.exe
  C:\Windows\system32\Mckemg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\Mmpijp32.exe
    C:\Windows\system32\Mmpijp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\SysWOW64\Mdjagjco.exe
      C:\Windows\system32\Mdjagjco.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\Melnob32.exe
        
        C:\Windows\system32\Melnob32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
      - C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4464
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        58⤵
        Executes dropped EXE
        
        PID:3824
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        66⤵
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        89⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 396
        94⤵
        Program crash
        
        PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
194KB

MD5
5b6b1b02c910d07216be13c5f1a0d325

SHA1
3e2598e19a9b87f4cefeda59d121568bd146924e

SHA256
177df6cf423a85a27bd8d708d553f3ef8b606aa3e0c71b7fb52b5195f99cfa86

SHA512
ff9d415838e25983c7617cdabf2c354e907dbb7bf9bee2021268809aed355c4c46c75aeb74c0094ec1c9e8b5b85a3f6a470e7b833012ce567f5c908c2b523d84

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
194KB

MD5
fc26c4c1db8afead0366856caaaedc63

SHA1
61cb0a494f6fda9c76e8d81a8a32a46d339a289b

SHA256
fe5d87d4596e800ef17a8d12b16fe19bdfbbeba49f586fb18ca23249748ff5f1

SHA512
905dc773a6830269011b0a6830afaefd1bb557c3da6ce3b12ef34bbb8860dee92e1a0e9ee9b3a9b1de9373c12eb64ef5db473ba8cdc7d31f017d62cef619ef60

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
194KB

MD5
3f2722454989491a547682a2833f2e64

SHA1
5d8cf6d22d72a0dc3e379a99129ca821c98e4053

SHA256
474a49bb01443cc54f0f748e1308b7013ff093c0d9aa5bb7f7eb1fa4accf4d48

SHA512
d46124f1f973856492b677ff7ea49b086c19b48860dc833ca52632ccfbdd48151fabbd8b874996464d32276b1000683bb59fa5ae8b6b3aed1c2e730ea0fa902c

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
194KB

MD5
b0a516e277d4fcb36e2361b3f6d638a7

SHA1
c1d3a4cf70fe221e6f71f779cf6d1e53025be38e

SHA256
82365fb7152c96477b2d55c4f0960b6e2321ee098d6a0a9caf8a3e79d1fcf8a3

SHA512
4c5be28cf5d43c858a3869250ba74bf523ff0461a5ea11a910fb8807a189d487ad2375e3eeb408518bbaefcd05e7c32aa688b87813b58ddab1c09a59b3e84779

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
194KB

MD5
3d2f20c3be830f0cfc618183f7f62ce1

SHA1
e8ca2cb6f10ec6379cfc06843f2cbfea2161969b

SHA256
8392a8207e1a90dc2d43ef0a9499fd298b5bed9d5b4b3fd03aa95d8607393c2e

SHA512
5a1e2aa99fd80bdbc8aff05e665c6606d20355f42a9fd00564ab4461f4c97d6756a34734f2b5915eb1168f5a74ec52da4187671461c001b0744bf1636ab7b0ef

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
194KB

MD5
96ecd3864190aa47269dd05bdf0933eb

SHA1
faefe924cfe891ee60c02ca5900a17d479113f95

SHA256
895a33cea8e10e2be6c1f27a4b456342086ffb620b535bb9e8650ec8d4d919c8

SHA512
3e3c273aadb2066a990447b7ad4662a4a253cba43d9d47bda0dc3fdfc354b1daf163b0b249109fdb630f67b7eb096e9478aa1f89ddc4651b9f9d2abe933d4e63

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
194KB

MD5
aff628e266fe39e4160c33f720883f54

SHA1
a7c96befe0cb4a14559a9b6fa39afc8a1328609f

SHA256
6eb41c7aad2f087539e16b8784a1e482e9616084844afe1f6449f2bc84cb8897

SHA512
09da4f8778f517be40c3960d18a51843064596c890181bf23a5497e33347e09b142a907608d34a91f2b45d9d346af6a7716d0911854a5bda9ecd920eb99c0f81

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
194KB

MD5
d0e3c57fa5a6cf611dfa8876280aeb66

SHA1
8ea61ecfceb62daf0bd25dc390f6186d13321795

SHA256
20a501b292ea3e0d40f65c4b73c12ccb9754884b07e0b275954f5e082fad5692

SHA512
1f9ae9fba4c52c3451639fc533f2602e431dae6b106e242b87657500808066e62a4354c3b21e113d0d9fe38a6962a14d600b17be3fc88400fb41e27580109d0c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
194KB

MD5
617b0b269986406e596604f94fb9526d

SHA1
1a7a6a75c62bfc67badb17bfe181fa01b63a9b6a

SHA256
eacdddc1721b7c2018473e0f8e89c571664ab40ddeb2813a0f423cb732ff9639

SHA512
53280b651a701b60d6f85cc6b278341482d2c5c4c7ca6b95046b1bc979c8a639243463db8db445fe7db8216cd1b449f6cb53bd2e4c83487f198f913c48c51956

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
194KB

MD5
93747c95c6d54d8c47542a6bd292be7f

SHA1
b016925b1197e89e88d65e7af43d75d188a732b2

SHA256
a89bedd605ba24e4198a10ffa0294b161baae94d2ee2149fe9dc993c877a2166

SHA512
2b554bb55b2e1c4b9c41baa217574e70556c9d404abaab8df4a742a672933b3ebf5ddb1603475ade2d3db814022f06407284df334f5ea8eb0d9b508d396b3a05

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
194KB

MD5
4abc5252b818de79717f6939437ed47e

SHA1
a74d73aa2d5bca239220fe769344a418f53d898a

SHA256
aaf911658204544b7796266242ca1c93dc69b1eb51f5367834c74b3c03ba0f9b

SHA512
c96edfedb58964eb6882d211eda290fb2d6a2c1cfd909cebfaed794b9dc881539555ddb3732195d4057a82921bb3349c775cfa46da7e9890a7b481ea5138001c

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
194KB

MD5
1430fe1c5e46acef8a4824b52675b9c0

SHA1
6aeacb79191e161615b8fee9440b17c35464c676

SHA256
3a98a5060f8615c1758c940c32bf24e2a8d31072705bdaf0aa39fded216cbfc4

SHA512
df41d6de074887aa8023e9891294d437b733d4dcb42c327dfdbd1aa717b039c206378e13b71379ca13fa87b977289dbc4b4200162a4da35ead93c0bb35f32da0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
194KB

MD5
09578b99c477084c42d57877ad70c996

SHA1
26e94d2f26a233c45c69b2c62d4565cde82db5eb

SHA256
0e775d5fad91746cf4f36c19bed54ead975832e620bf3b3f222bafd575d1f882

SHA512
add2a466dda3cb7316488648185a2a6dd2a8c6416e3e724970140f90f85a6138d19cda44651578f1fc1913faefcb5240e09a971f3cb56e945d04cf910e5a13d5

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
194KB

MD5
e7fd98c5fb78b4309ec6d499d097a500

SHA1
ea10d5945e8c62282518035198740ff3430d1604

SHA256
5a0e3b49af9a332a1e064d56a2f1a2423edf56ea753e67d98883b3e9804bf7a2

SHA512
a77e2d17efd5271bac18be01636171b8eccc211cc1d6a99c06f178a6dfd7bdb4765d42f93acf9c1fe1e7baff3a39de37f8c04378fb75371d8d976c2120cd993d

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
194KB

MD5
fcd848ba1e4be99ae83a8b3479f9c77b

SHA1
f6293ac6f72c47236d952821b752fcc404a06ca1

SHA256
ddca6040ff35e93eed63898b2052e71ae62db2dbda4e137bf8f728316819531d

SHA512
fe49affb3d0eef25a3873420d47a82cf19392a6a13b8536bff2646c04a345e09bcd600b98129734ab628126c653fb620398bad8e6db4727950945bb8f16f4c53

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
194KB

MD5
4d05f9562956eb1c68f87ee311dac217

SHA1
e5078e86a34f8ea0e9214a13754b48c5b0610d22

SHA256
40b8db88f4a61626fcad281b558a46af2039574174917cac923a5251630e36a3

SHA512
a63898a4d40b40c1dbdc35ba0294fd040a61f0734d844a482f7d4641a8dfdd39b721d73303135c330b6c6206598763428c14c02d0f561b2b038a11fe0b3b4751

Download Submit
C:\Windows\SysWOW64\Melnob32.exe

Filesize
194KB

MD5
8e559625b9559d22e8e8c4dbfad6c651

SHA1
d03c87d574588c9120dce23ea47a484cb9c0e4c2

SHA256
64d9f0f6e26fbf311a92a03da41956fafb88a3b91d3b86736d24bbb9f04d5486

SHA512
e65c537f67a415a30a5c3013a156e8065652af2925dfcf8d13c3b89edab16961303f2088c35af6dfd899d28565eb2ed12682951bb99527451370728e1859a512

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
128KB

MD5
792c15a425c2c16c0d7cb2fe9a35e222

SHA1
ea10d12d90100b28b95b837ab0d2e104e0fee39a

SHA256
26d6f86299cf3cfca201028a22d9ae320c41ccb97ec5250c16a2c4a6faab8c2a

SHA512
13032b4539daa3d2a3b87f1a927023e189d586b1fe9f174b94a20d2656a6a4a5a03a01c2ccbb8d6072e5e01e5c3b12376865ebedfb537b61e587c4a01766b023

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
194KB

MD5
bba6b06f06573fea0591a6b37e8f7ac0

SHA1
00cdb61b1771b8c6633754740218096e8077c6db

SHA256
a85166502faae182437e1c254344df7fccebf7a5fa42eda5fb0618278958e600

SHA512
c618678e4c9656d5163048c9422ae7f08afbe44152137c60bbd4a27f17ef3688e5a6e0aa101b8ed888386cb42bea634087627a9bc1de7a7f4ca241341cda123a

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
194KB

MD5
c65ab7d8614bbe9a72e6791a928b6ffc

SHA1
890175f0620066342bcf570cf142785b51be0012

SHA256
ce820b7893f13b4db5b85a2ddbd973b8a37727c2b2276a7a0ff6f596b9df0aca

SHA512
14407c90884634d7bc88a8006ca0efb360606941e33ab54685f0d682fe54152c15ae0403184f07324524ef00fdd7b8085d95db40a5580e19de9e0561a9ab96cf

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
194KB

MD5
b0a1d567de4ae8f463a6febc6400c390

SHA1
de0af91bba166c6599c237c17e02e6d2108884ed

SHA256
63d517355c63a590a7e80e9ad829c64c073feadefff2b4791720d2200893b581

SHA512
c38e5886953a57cd089a056d89d5a69e3e5844e2941c4b31afd9b198d222698bc5cd08403fa240407dfe1d43dc4f1620de790a1cd88bf61611d8f6659a7dc3d3

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
194KB

MD5
c7067d7704bc28031155627c46376eb7

SHA1
395f10eb73456b3052fd6a4b713a48feb79abd12

SHA256
5cc9089f91797250dd096ad46efedae29743f35ae2635ecd44347609ca1d9718

SHA512
43a058c73572bf8848fd6278471802a7a9ea006691cefa23aff7cb76cc06db37258905836f5144e7a1d7257ef62c9f00d0512c7f46686900c6f8c6fc37ed7577

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
194KB

MD5
39d644147061d9ad5c7d44222a54ac11

SHA1
9502c5376e717aa8009de4d6d7609a64ad66b1f2

SHA256
cdf54bed8cb98064eea674035a0f5d2df2c93ec270bf150fc4de4c69361066dc

SHA512
95fe5df13ea0c25b1c0e6f1bba1c3fdece909c451bb6556b3939b2b6fac93b720164674065121461c04449fec29544e2e16adb9be12046804fb797d4b022ae0d

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
194KB

MD5
a0d524b4ef21477edc6e92674d09af07

SHA1
3c204eb736ef05c02be9fb3c4304f9e03bfe8000

SHA256
6efc14f99ba08f6ce6216abf8c88c1e4d6f4c2daa6a089a7e4880f895973afd9

SHA512
3984b363462c5c9aac19313fe05029faadb43e74a4a2fd1cfb0e20f9a9defb4a027dd4132a71e2625108b5bc939389207ac61ed8f108c6dcfe33ccc7019eab8a

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
194KB

MD5
fbcec46051944775e16ef4778047c2ee

SHA1
9ef74d77b40caa278065dc9aa6698b4c38448173

SHA256
9485e761c228f5c9de77cf97faf469d6a6415fae6ac0580d60198e8ed619d920

SHA512
bb9c50420ffa633374dd6aa8769cf18a0527a95e529c1e19dbf92241e79024d5bc597ae3165cc47a5e56e9b9f6d87b4f98addc34e594910493f321ddc0acc654

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
194KB

MD5
292c3d4181bce376d956ad4085e04d4a

SHA1
00bf27734ebbf5093daf4dc523f38d7fc5e3f0fe

SHA256
1dec871bddc06b66760ece33e724e3be4a367bd87cf60c10a0d78857265df610

SHA512
45b08cc791d48f35b3f66b9cc9fcadc51aca02517fa5a48e8025e010726d0c505f11b635571ea035e1b5b7c359fdf8201ab1dc60eda76c58199b2fc44c8dcdd3

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
194KB

MD5
7daa9f3e7ccf9f2f8ad577976b781f68

SHA1
34f7da9543fd60a9aff0d1ccfae9d45803e14cf7

SHA256
bca468652884956f25d4a8dd4a5c57c58ecbf6e2025b2489eacfade5d7852b4f

SHA512
81faafcebce28aff63bb8e3e99d5a2e34aadd917859b122c98a006648c19dcf56b42d05f95575a8ed7ba6bce4ca24d8ce9ee930583de268d1e18a612a03001b5

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
194KB

MD5
9135e3c5e4174d7ef61248d690a69a20

SHA1
b58031d2fc5dfff52b5caa7da30b6974f423a2c3

SHA256
82d43756afac33624daf1cf4939b698e15ac1d79a3c5716d45489e4f044b016b

SHA512
3e50331c38e675bb9921ee902eb63a25bfb1d732bbb6a852ebdc364e4dc669fb0b1be96b5efbcd1800cc03c2aee5f57ca9807c25f47ba6895a00dec75b464124

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
194KB

MD5
e7370dd4b819afa1bedec5376afe22b4

SHA1
7c2d459e60a30fcda9c04b5e4d67d0926d634607

SHA256
2b0cea22f0cec785a3f0be92fb26acd3fc65ef033a0f5106dcd3fedb3b46c5de

SHA512
f090b496037101514eb06491f7141a99b8725a2c9620855d624c61150acd228a00bd152cba50b0422448bf0a1d125404fdb4187b006866c63572ac99327b012b

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
194KB

MD5
0464b1d8a023f2a449c514a37098ea72

SHA1
d51dd25b10e60ceab333f9dc31c6bfe602a2b918

SHA256
b45ae3d04307e05a34f059c1f6f245a2f697f8fecbbdf564e23a2a5942fbdd43

SHA512
8dbcae36762f7a533ba2f515cf1d5143ac1bf2545e2e998c573bf25f42a8fae9f6960fba0b5f1989b29ee34029e0ccbcc998c4c921fc273ca72d5ee613f3b061

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
194KB

MD5
12e7d4baaecfff3d4d6bd92d71adbbb0

SHA1
ea55fa35d7647f4a04320b546104ad38230af7f1

SHA256
66412011dd0d91b48a89be107bf380c48121a6f4455612c2b14d445741eaf0ca

SHA512
9097fbbbdfb3720db94af0017155dc9c1fed5261d9d849c0c4d346c31ab157950bbf00313cb328c45e8eb91f45c5072e06859cb951670922d11410035bc16220

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
194KB

MD5
7e679b0c875df19a6656e7264df8eeda

SHA1
9817197242b92a885f2dc8adf957153c489c1ae7

SHA256
d03a1ad89f81372888462997a38731e2556d30229da23eaeb515742f9aaabb91

SHA512
4489fe8717f5e1e983b39bee7d319fceeab00f17695c1dae578267016f3fa2e9bcb62d4c176178616b666ec46c40b9298af5f22e924d444a5aaf5960d3bf553c

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
194KB

MD5
121531b6c05f4067f642a40235cca235

SHA1
1a3bdbb810027a95468f013a07d8f0f3fa618044

SHA256
76bc9309779f8b783b9e4238c6b2531725ef047940e829b2f64aa2e5d6971843

SHA512
642ca00ba3a3a81cad0e2e221559487513dc51aa8a98b337986c873b87f0fefe0cec1c09dfcbc045124a8cb74e3708d97de2a108f5fd8d8f55d051ace7f5f81d

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
194KB

MD5
b8641f10f40f1ee5d3ea2a3d378ff0ea

SHA1
2517af3f4492878d5d59c0d83b87099e5e7874ba

SHA256
d7d7f7deda3755601f8db207f95e082419cb6426db46e8ea26db01456fb2f42a

SHA512
cc896d3fba93221bb0fbd3b56ee172abab2481a278597a87c0da2da528cad9b9e657ac44c1e863ebd95b69e32ce550f2e1fa048f82541a6839674d1b39cbd0b7

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
194KB

MD5
4f069f288d8008ac4e01c91b6264a15a

SHA1
ea3cb31e528d35ded5ae146cab3d92672335f4c7

SHA256
844da66d9015d9d14c56e2c1da6756b1e81050b8e79cf3e3696bc4bdea176709

SHA512
81ddbb5646f7cd22871e966fffaecc22c019ddbff2bf80a3511ec6b2b27716f4c949bc95b0f09e598fefd65f043a95e2af850d31bed25c070d0ea4d54370a756

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
194KB

MD5
a22ba870c826a9cc123c68b7ac50a47a

SHA1
79403dd9f203d1261b30f19a6f7a2fb9f440b53f

SHA256
6d822d737b7d2597b92d1d378594a6ddf2aab54bb2315b4926cad6d44b40f2ff

SHA512
0be63436103776ec11e3a43785bab61725d7baaa2a279a76cf31aee34813b823aebbbdc82cbd736045d4c0ac29889c56e544526bcf5d4417011a32bf5e4bbdd8

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
194KB

MD5
de72184b342d9856f3d9121e9b9d4489

SHA1
9f06cffda57f71c463f8af27dacf6b0f13c315ee

SHA256
a63b4d93c60353fb34facd6c8860db7eeb15893d1600add1415687456161f490

SHA512
81e82da9a0573a7531d574b463380dd002eb7795675f0ff44ee5332e3fbc7687c9cd4765a2f7b4c31c5234f66766b7abbac102526293a252a39a20d3671efa2d

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
194KB

MD5
929f49650f1faf3a1ee3f3f3af870cce

SHA1
4a91126354531e2d5435e3429464283cbbdb0fee

SHA256
b1e8feca1516a3c9863b2148fc16dd6db3ce7ed82d766ea710a399c9dca2781a

SHA512
3916be1b6743f9d0a07cc175e37c54cff97b5918387ec11299b88722e18b2602e463c37fccc169505999a5d797c95660625ab4ead5db0a2833b2e3520417781f

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
194KB

MD5
9eef24ad92f5238636bbdad1a8fd8919

SHA1
a926b2986d48a26ab26fc2f116607596edee3a4c

SHA256
b03bdba65bcda7edf67e4e2c0ee53232c48ae446655d4ad91d0790e26bcff9a5

SHA512
363bda65d62abbdfb160795defebba389935730438cb812d0faf7d55f2c0a55db74049a4d595820913efcedf8d77ce7433826b8751f7abe625174c78404dca19

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
194KB

MD5
c9a1d2fab372c962a42c8badc658d5ff

SHA1
92644fcbcf857aad3582c5b56e8aa7ad087688bc

SHA256
2111577add6ed4e522816aac5847b3d05b5319788cb5d19ec359485d8d354787

SHA512
f04c0b63a612f61e79995045bee245227ba259989162ab20d7bbb8bb061394964685ae84881b1f065ab72f62a0fa7eb41e3e0cd253dd2ec6eeb276e3573b89ed

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
194KB

MD5
0744d66eec2ab09e4b6ad5b44ea6f837

SHA1
f579882730280dd1c883ef14cea11c38302fee8f

SHA256
1bfd01a2c484c21ed761217632fc4717fe775fe635d23258a78fef6581f2d3c3

SHA512
49c80757b805e2ce3ac78b53cd74ad168ade57fef3cb4eae21e4d9c2026189100ead4b3e4ad81fd29fed710cc781c73dc273caeb3c2e0a21537c8c5793de6bef

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
194KB

MD5
4f2bd386bd7f9a20ba2a966a07a063df

SHA1
3d72b37b5b2785f1318ef80c9adb134c360a6eec

SHA256
ca5330418a45c0e13b4088a20da6828c404639e049c62da6afa0916b35480a7a

SHA512
59e2f8d4245b49630735a0606a24c64f0aa4530d8faff393e61c3c08ce847d9bdf10a81d6214f094ce517c48b498607ea19434086e8f3271d243263577399fa3

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
194KB

MD5
8b5cd779811d8abb2df62d93852badf2

SHA1
3cdb660a45d6ed0ac8d098474002894cafd6f24e

SHA256
17f87ada3bbf32b4e173bdf95c24fc42175f595f390d6f8283aba8b0812bd626

SHA512
4c752e7cc759e414a1d96f7fc4ab1bbfdeec05f00f5e539a7305126926cda6249d27af5d922ea9318daa95edd5bcb915fc7a4910b241e69500cfd5836bac3559

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
194KB

MD5
c384e28316041207cb1982da836dce07

SHA1
ca301c0e822de58276bacc938d38230b4e68da94

SHA256
4bbd5246f72f9eb5ee4edffe9c0e581847edb0be1b69a72e5060468e6bac186d

SHA512
a65eeb0b3592a2804793c9af0d07485f21405ee41bd14aa3b7e39a21af98bff64bb896e9c40622e9885120be54afc06a2c1553a83c15bda29989d5bffd5fa2ae

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
194KB

MD5
87b3ebd874c00fec84834e204eda92b6

SHA1
c90859cd5af6698e223c02cd263b9121db435112

SHA256
1465de7a1971aab5adacff535b7bebf4e4a32bed61c53a21430d0c09e3bfd441

SHA512
dab64fcccfa178e78c04820e04f6436c0fb7579daaa314ac25411da45456ccda3e952bd30059529f1d44e13cea044bc79d29ac6c8372a5aba3a33b3411a81346

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
194KB

MD5
60957653f2b8851f48732f7f644aafdd

SHA1
fe89049fd7cc1210dc3feb21f3b25a314ed0b837

SHA256
331a7a1a8e8ccca3abbb2c978c8acbbd73efde677e6ba6c5383b4cf6cac89771

SHA512
2b98c5475216c983cdcbda78a3aa04c4a8da72ddffdd5ce6dbd9d760d698004e82edebac67bc580303608ef64f35abcc71c09f930ab294a242670b528df48fa5

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
194KB

MD5
3317e664d0935b9ede4fabd84793eb90

SHA1
f43aa4e33508d4b0932d9d3e768865a7aaa24866

SHA256
c9b7918e114bca34291361fa401d0748a8988e97c4a95914e7e08c9a0fc43f52

SHA512
ad3274da49fbeb71039f8087f9851429d3b6e727f4b786be7b7f9fa5c4f62d8f1753f795c41613de385face970460ddba4864ec3a014646c0e77ba55557828db

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
194KB

MD5
be02ff7110a5cfda5b47a3a0067aa9f1

SHA1
d03359538d73601f0751a20b0cec4146250ad284

SHA256
dfd4746ab7ef4cd08b8c91ff72c94a7aba153b0215c959eb6a1f972ac172290e

SHA512
6b51388e73dd0a94e314d9ca92982abf9fb51c008bdae5abc5f75d329e5bce484e36935f8bd0a7998a7da8ea3bb398e490feaf9946ac589be7f18fc4971e1b1e

Download Submit
memory/232-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/232-544-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/376-572-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/376-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/400-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/436-286-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/532-430-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/728-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/788-376-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/804-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/972-466-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/980-559-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1052-551-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1052-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1056-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1108-418-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1192-400-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1248-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1252-587-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1376-340-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1432-352-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1500-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1608-594-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1636-579-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1636-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-454-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1676-223-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1688-370-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1736-464-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1984-184-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1988-262-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2100-208-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2268-496-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2276-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-565-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2644-334-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2684-580-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-484-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2760-424-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2904-298-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2932-176-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2948-328-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3164-215-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3208-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3380-172-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3424-538-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3516-412-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3520-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3536-255-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3560-232-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3700-388-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3736-573-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3756-196-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-558-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3780-15-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3784-200-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3796-520-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3824-406-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3876-593-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3876-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3880-119-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4000-346-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4004-95-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4008-472-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4044-394-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4124-316-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4224-72-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4244-508-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4332-448-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4348-552-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4356-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4360-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4384-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4396-566-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4444-239-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4464-304-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-586-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4500-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4516-382-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4544-502-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4548-545-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4584-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4688-514-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4692-442-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4712-436-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4784-367-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4880-532-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4972-478-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5008-87-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5016-358-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5060-490-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5068-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5092-526-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads