berbew | bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
Size

419KB
MD5

d9a9e36b17bfb272b643e10f85816b80
SHA1

619b40f157602d249e25975c8ec871ebebcd4cb8
SHA256

bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014
SHA512

2586f72a99c826392a717febfa664c8325e70898a264c512a445c1acb7b063a0ce16f00e9c85dbd27638ee7f5dc7f41912e241c6007a487fc759ea5371952d40
SSDEEP

12288:LALO+UByvNv54B9f01ZmHByvNv5fJPGs:LAVvr4B9f01ZmQvrfJP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncbknfed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4896	Mmpijp32.exe
4148	Migjoaaf.exe
2184	Mdmnlj32.exe
732	Mnebeogl.exe
3976	Ncbknfed.exe
896	Nljofl32.exe
2336	Nebdoa32.exe
824	Nphhmj32.exe
2624	Njqmepik.exe
516	Ngdmod32.exe
2272	Npmagine.exe
2696	Nnqbanmo.exe
2228	Ocnjidkf.exe
4112	Ojgbfocc.exe
2812	Odmgcgbi.exe
4132	Ojjolnaq.exe
4060	Odocigqg.exe
4976	Ocbddc32.exe
368	Odapnf32.exe
3956	Ofcmfodb.exe
2248	Onjegled.exe
4196	Ocgmpccl.exe
3364	Pnlaml32.exe
1372	Pfhfan32.exe
3160	Pclgkb32.exe
4992	Pdkcde32.exe
4568	Pncgmkmj.exe
396	Pjjhbl32.exe
4200	Pdpmpdbd.exe
2096	Pjmehkqk.exe
4868	Qdbiedpa.exe
60	Qjoankoi.exe
4756	Qddfkd32.exe
4644	Anmjcieo.exe
2344	Ageolo32.exe
4412	Anogiicl.exe
116	Aqncedbp.exe
3480	Anadoi32.exe
2200	Aeklkchg.exe
3920	Agjhgngj.exe
2436	Ajhddjfn.exe
3656	Aabmqd32.exe
3236	Acqimo32.exe
4504	Afoeiklb.exe
3360	Aminee32.exe
1940	Agoabn32.exe
2224	Bjmnoi32.exe
2172	Bmkjkd32.exe
1864	Bebblb32.exe
3916	Bganhm32.exe
2280	Bnkgeg32.exe
4940	Bchomn32.exe
3396	Bgcknmop.exe
3300	Bnmcjg32.exe
3104	Bmpcfdmg.exe
1984	Bcjlcn32.exe
2784	Bgehcmmm.exe
2612	Bnpppgdj.exe
2232	Beihma32.exe
1752	Bhhdil32.exe
2800	Bjfaeh32.exe
1756	Bmemac32.exe
4344	Chjaol32.exe
1916	Cndikf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mnebeogl.exe	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mdmnlj32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mmpijp32.exe	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Gaiann32.dll	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
File created	C:\Windows\SysWOW64\Jgefkimp.dll	Migjoaaf.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Mmpijp32.exe	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	3336	WerFault.exe	172

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmpijp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgefkimp.dll"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemfincl.dll"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4896	4828	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe	82
PID 4828 wrote to memory of 4896	4828	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe	82
PID 4828 wrote to memory of 4896	4828	bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe	82
PID 4896 wrote to memory of 4148	4896	Mmpijp32.exe	83
PID 4896 wrote to memory of 4148	4896	Mmpijp32.exe	83
PID 4896 wrote to memory of 4148	4896	Mmpijp32.exe	83
PID 4148 wrote to memory of 2184	4148	Migjoaaf.exe	84
PID 4148 wrote to memory of 2184	4148	Migjoaaf.exe	84
PID 4148 wrote to memory of 2184	4148	Migjoaaf.exe	84
PID 2184 wrote to memory of 732	2184	Mdmnlj32.exe	85
PID 2184 wrote to memory of 732	2184	Mdmnlj32.exe	85
PID 2184 wrote to memory of 732	2184	Mdmnlj32.exe	85
PID 732 wrote to memory of 3976	732	Mnebeogl.exe	86
PID 732 wrote to memory of 3976	732	Mnebeogl.exe	86
PID 732 wrote to memory of 3976	732	Mnebeogl.exe	86
PID 3976 wrote to memory of 896	3976	Ncbknfed.exe	87
PID 3976 wrote to memory of 896	3976	Ncbknfed.exe	87
PID 3976 wrote to memory of 896	3976	Ncbknfed.exe	87
PID 896 wrote to memory of 2336	896	Nljofl32.exe	88
PID 896 wrote to memory of 2336	896	Nljofl32.exe	88
PID 896 wrote to memory of 2336	896	Nljofl32.exe	88
PID 2336 wrote to memory of 824	2336	Nebdoa32.exe	89
PID 2336 wrote to memory of 824	2336	Nebdoa32.exe	89
PID 2336 wrote to memory of 824	2336	Nebdoa32.exe	89
PID 824 wrote to memory of 2624	824	Nphhmj32.exe	90
PID 824 wrote to memory of 2624	824	Nphhmj32.exe	90
PID 824 wrote to memory of 2624	824	Nphhmj32.exe	90
PID 2624 wrote to memory of 516	2624	Njqmepik.exe	91
PID 2624 wrote to memory of 516	2624	Njqmepik.exe	91
PID 2624 wrote to memory of 516	2624	Njqmepik.exe	91
PID 516 wrote to memory of 2272	516	Ngdmod32.exe	92
PID 516 wrote to memory of 2272	516	Ngdmod32.exe	92
PID 516 wrote to memory of 2272	516	Ngdmod32.exe	92
PID 2272 wrote to memory of 2696	2272	Npmagine.exe	93
PID 2272 wrote to memory of 2696	2272	Npmagine.exe	93
PID 2272 wrote to memory of 2696	2272	Npmagine.exe	93
PID 2696 wrote to memory of 2228	2696	Nnqbanmo.exe	94
PID 2696 wrote to memory of 2228	2696	Nnqbanmo.exe	94
PID 2696 wrote to memory of 2228	2696	Nnqbanmo.exe	94
PID 2228 wrote to memory of 4112	2228	Ocnjidkf.exe	95
PID 2228 wrote to memory of 4112	2228	Ocnjidkf.exe	95
PID 2228 wrote to memory of 4112	2228	Ocnjidkf.exe	95
PID 4112 wrote to memory of 2812	4112	Ojgbfocc.exe	96
PID 4112 wrote to memory of 2812	4112	Ojgbfocc.exe	96
PID 4112 wrote to memory of 2812	4112	Ojgbfocc.exe	96
PID 2812 wrote to memory of 4132	2812	Odmgcgbi.exe	97
PID 2812 wrote to memory of 4132	2812	Odmgcgbi.exe	97
PID 2812 wrote to memory of 4132	2812	Odmgcgbi.exe	97
PID 4132 wrote to memory of 4060	4132	Ojjolnaq.exe	98
PID 4132 wrote to memory of 4060	4132	Ojjolnaq.exe	98
PID 4132 wrote to memory of 4060	4132	Ojjolnaq.exe	98
PID 4060 wrote to memory of 4976	4060	Odocigqg.exe	99
PID 4060 wrote to memory of 4976	4060	Odocigqg.exe	99
PID 4060 wrote to memory of 4976	4060	Odocigqg.exe	99
PID 4976 wrote to memory of 368	4976	Ocbddc32.exe	100
PID 4976 wrote to memory of 368	4976	Ocbddc32.exe	100
PID 4976 wrote to memory of 368	4976	Ocbddc32.exe	100
PID 368 wrote to memory of 3956	368	Odapnf32.exe	101
PID 368 wrote to memory of 3956	368	Odapnf32.exe	101
PID 368 wrote to memory of 3956	368	Odapnf32.exe	101
PID 3956 wrote to memory of 2248	3956	Ofcmfodb.exe	102
PID 3956 wrote to memory of 2248	3956	Ofcmfodb.exe	102
PID 3956 wrote to memory of 2248	3956	Ofcmfodb.exe	102
PID 2248 wrote to memory of 4196	2248	Onjegled.exe	103

C:\Users\Admin\AppData\Local\Temp\bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe
"C:\Users\Admin\AppData\Local\Temp\bf49a7f73f9502bd5ed935b0ea10be7353de7bd38347233a80790e2c631d4014N.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\SysWOW64\Mmpijp32.exe
  C:\Windows\system32\Mmpijp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\SysWOW64\Migjoaaf.exe
    C:\Windows\system32\Migjoaaf.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\Mdmnlj32.exe
      C:\Windows\system32\Mdmnlj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Nljofl32.exe
        
        C:\Windows\system32\Nljofl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        36⤵
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        39⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        55⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        63⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        82⤵
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        92⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 216
        93⤵
        Program crash
        
        PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3336 -ip 3336
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aminee32.exe

Filesize
419KB

MD5
eabfbd1d327112440839de0440fb0886

SHA1
f83f9b1fdbbd81486a08178ea61a8fdb9f13c4a4

SHA256
49b2e0abc48ebf4ba087b35223b395b182680d6910cbbcee4305a9c7154b74d8

SHA512
be33f7a06bdf7628cb10ee77fa47a3a8defaa0b13ced3d885160c357332a52bbd9e986bc7522d1c6ea2821b7d17dc9a7dc2efb3b0df35c370adccdc1b2da7b81

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
419KB

MD5
3a618a4d2b731044c506c77ab205300f

SHA1
e14970b95f94fe04156af1adfc5ffe3d3b76aebe

SHA256
088bda8a6947db3c90693bedaafddab72b9d30a60c8d5da6ab6a6f536a1240bf

SHA512
c134e80aad732287a52ac5b02d5660c6c83e77d9bb8797a80228f8e7e9f49744e5f57336f10ee8281032f660f1721173c58cce4aa94d7b7bc774708993c85ab6

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
419KB

MD5
6e27c910aa94695f56ecb60d474f9c3c

SHA1
d0914dd47d9ae6de146834665b9edcfcff45566d

SHA256
8f0ee96ddaa1c60b1ec0d15761fe5983b56f59b782a71527a6c17db9453f46e2

SHA512
8b3369543594853ebf708125c40fdc5bdb256761a8416312fbbc220570d7996dccd8c386da3f8d6ac765c7fda04705c327a2f6983ca08c9768b3089119d213aa

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
384KB

MD5
6c918f469df62fbbff68052c969957e7

SHA1
54606fe69498339fbb01f77dec5f921ffd9b3409

SHA256
1639c5b9666e40ce6eac35f26b33019360510cc50629cf74018dd24612f5d4ea

SHA512
765827e9ced2373f79404974879d064db290cca8d6c5a9e1a66b789fa375ec59ec4bf58ffea60c74effe92b1805db5e743bc5dd6eb8ff7798f35278d26004ef1

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
419KB

MD5
4799d2682ade2e21cdeebf0b606bd9e8

SHA1
7b45629e33fb92ff1ffe8e4de0255406662d513f

SHA256
956c7b6c4f5dddf07102f14d38930fafb4ded3cc040e82a64c3d199e1ac90e2e

SHA512
3a8fbdbdb0bc21da8fba473cf2b449425e40ead9f0e3989a224be642a4d20fbce945b2fffa9f607d2b90eee6b8b730859d2af3d5397faffbb97b68f1c51e2863

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
419KB

MD5
4234fbaba3a25d4b7f1a86146fcdad2e

SHA1
da7c0045c378fc35c25996df2dca14685478ebca

SHA256
5f990ae679001c60e34bb05a62e414aaddf841a19e2416fb4b71fcd666bc89d0

SHA512
c61855fa64e6523b2a97192d083e48d7e10225c7f226499d7b89e253eb075fa8279462237f1fbb60843c0195b64c39e0eac18664a903c59401e7cb6a550d527e

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
419KB

MD5
da329f7cf9e783b61482beede46362bc

SHA1
c5f7bf15faf0187c338c7671a5dc408bc1b327a4

SHA256
edd10d0d439b2b612a23d899aadaf5ea1a067dbf7c1ebaae89cf2aab20fd6429

SHA512
42c359fad5bc05b76cda27385db03d54b564bb95572d15437f04bf391fdb9edc2852f76048160845ce4f5b0691a9d7664297344fb9f68ccabd964bd00037aaa1

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
419KB

MD5
7e715fe8d2b50edb4f9d307a71fb8db9

SHA1
1ce54fdbabf5d3f84cd71732afbbe0a5f355759b

SHA256
c25162abff5536ffa283e9a90d925a8be55edc1c74911a1e250860587e1165d6

SHA512
01f4b30b0b825627754bfa41f7f9d2e89de90b317107511fe23ba64687417beec93a245c3c3cd2b6383a3d8a38530076e75de0dd69ba7f36c9aa4c090ac2f66b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
419KB

MD5
c816989c3e3ef778a05908f0581a21d8

SHA1
5ed89297d7a9ea2ab6c6065649292724527ddc0c

SHA256
c40ada190029b356ae8012f62525217495990a1834495f0814a9239cb06d0577

SHA512
49b0d0747689f1675abf07c29ced2438bb20f7b5938c64142441500401ab45f32ffabb1f95bdfbf1e8633f3c2d9a9f85ad1fc56bc2bc552420dca37848e2fa62

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
419KB

MD5
43aae2811187b48fc33f2b49a59ee7ff

SHA1
2e253b9b3096f8bf9a8df9159b46af73e3894a90

SHA256
c21f3acbcedb914d787fd2d73f323b003a21fbb8c294577293b61441170e43b3

SHA512
8606405336225b6c332a7d002b2acd8734f945acd96a9e117bf641fbba435173a09d16793332d1ea2a27dbd4ca15c103520e29f0e5f22fa9e434cf3fab642618

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
419KB

MD5
f50b25bc437b267588bf9c1dec5753b7

SHA1
0e4ea3642e538deb8039ea63e6c12f2a302b4372

SHA256
817fd72f6fa5826f7e0b55777d02a53bd3bd0ae6ff8c797a113b8c5dd7f5c8ce

SHA512
44e9ee8fcb014e75449ec13d5c22c3e67664e922c889c211e4e314f7f4cb0a916b5b6432a1c4a2b1235f96a6ca6d7510bfa212189931efab62126e6fde1e6cec

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
419KB

MD5
8b8b2381d50fc4c2c4b12744d5d6806b

SHA1
a43eeff37f1eb97f3cffb016272e93df407707dd

SHA256
7042dd9e56d79c2135072c85040da49a9469b7c9d9dd1148d5c0bf6dca74a33e

SHA512
1f1f21a2fdadea4ded4f3ab0c53ca717456cf2e37df6e99bea800a213a07577d5d7467015b9394f24799b511d626abdba4b82fb3959fa446691c4f5645a5c5e9

Download Submit
C:\Windows\SysWOW64\Knkkfojb.dll

Filesize
7KB

MD5
d9eff0624009e215728d08c448b0ae51

SHA1
ef1cb920344d03260659f7f29b39e69ba10c3fa4

SHA256
40d9ea42e3311186a5b7932a2a8cecc8d04a8f033721a1a597640da7ea13c953

SHA512
86818d3fc742796c00032a4733d7e1b0d4d3b802584d3df6d478e992310c43f0e1ac4c8e7313d496669b5805520cd1a7d8cacf1aa5b3dce101d409cf794abc0a

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
419KB

MD5
e6452bc33d7b707e0b37b33d788a711e

SHA1
27ab8ee7c11f9bc9aa57a8405f4fcb0fc619366b

SHA256
634cdfa20f5ec26b51851b9191bd4afcab4c036e47cc0f125a0c81611e469491

SHA512
75f593902099226f68a3f3457a712b8e419311bb65214eb22be40891e55fc3c3bffb59ab0cf83afd357e9f413a4c7758ddaadc9fcc4a91b40027ec4776197674

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
419KB

MD5
7bba7d57af3d36226788c31dc62bd872

SHA1
6ce63d24b52fa5e690253165711f03e37e6c9c05

SHA256
f1e81f36212ecd032f5fb62d9ab56095ad8610275fa86bb67610f54e50b85dba

SHA512
1e6d05c6402d9d7070b239122cdc694e91d203c07b37df223ef456d3fe1847ec5d6cb75e5a6c0af623d246c3621b5668dbd42cfe153182083829238e5a862166

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
419KB

MD5
7de2b04f2b76919bc863111427498d2c

SHA1
11d065d1336cdf2638dd06408529b5f49e30c756

SHA256
5df5d1e8ba2367d0c805e0b530fef4557e57eacd8f34fd703067e65010240679

SHA512
b98a705c2e4634c0dd1d015206e03d02d3dbe2e8ddf4982c583a1cc05a86941a182ed18242073a085b5e250a6c448981e06ce3356b36ff7bfebad1c4fe9017ec

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
419KB

MD5
90b1489f1edf952ab927501b41a2cc33

SHA1
54b9ae2507680281fd32702d4c18867a8552c48d

SHA256
4e6c1dc9d33f72a948542c60be0db3339782b2bb73d5b9adc2743916ed538e12

SHA512
76f263ad57217b958c39aa9686912668cc25babfb015f358e6eea05a5e97bd978b8e2b4e21849b524ab3211850769a0d626eabd26c53c5c6a0e28a01470b7266

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
419KB

MD5
3606f7d25612a8d916f48c86ed718ad1

SHA1
75481508c3ba0c22d72857a23c66b5779aa226b6

SHA256
46a6d7342c50a01c7a22fbd9414fb7f014c12f8b716cab87b992f1b0a8bc3e64

SHA512
1272bca1b7af975586c729774a6959f59d6cd3cc7cd415f53967203a8d0993b5ba32210b726c075aa804a151074183de9951be3cda22a4c4b4dbbe7732c51d5c

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
419KB

MD5
bdbe385cccf27aa013499c3441e59c41

SHA1
5ea3ed7c8ef33dde1dbada49db4ed6bdaf129eff

SHA256
eda054452015957bd8f360c295f392fb38ef1daa2f62a601f5ed10f7d6dfb3e0

SHA512
edd32d81f83bb35894788501b5fb93499e8bad16a07e27d668763fcce9749e95df28f716e26260903b4a3719be22c4c5dd59e72bd27f0823ee20e19e4abd4147

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
419KB

MD5
9b27f1fc8bfcaddd4588512b032a7e79

SHA1
2cfab6800a40cb97c56493437afac00becad37f4

SHA256
7151ac25c2e3ce55d04435abab60bdffd290703ac0c1057e0a8ff89ddd481f3f

SHA512
b594e57a4ca183ab9f66e32a5d5f4a43ad7ec8b136e866a31b700c6a4976ec2172c1a4a0f5385a3428110c723e37cd39b8616cde1cf25506b3586d32508c7c17

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
419KB

MD5
ec34ad7b2f7def98a0021a569f69dba5

SHA1
4e1b1cdbda661900bd742e4990edfe926b7f08fe

SHA256
0b1aa29e9fe420957162d488c0afd0ffa5eb47384a76f4526e1f300901e16435

SHA512
e05aacc2ded04abea2b4b6bf036178a270bea30ae8a0b7da5a549dfbadfe3ce1331eacfb6198fd61a4ba6f28d37336007eb668a415dffa99b14bed23742eb94a

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
419KB

MD5
aaa614e526a00a6b166d7ca8a94aee58

SHA1
90ce476f4b24629060500ab8cafb73563ffa903a

SHA256
52e0bf9a10e90779fbb2fd230458136d973bb01e310ae378a1f57d679de37c79

SHA512
ce5698cd6b85851b835b7f3d0c27dd0cd26e01ba714cf302a853d7f173b0a647f2853627ee9453a541c57eda846b2ed2f44a92e67294a21f9ba19e0ee7b1b1ef

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
419KB

MD5
04abcd854c29b3ff410efe00535364a7

SHA1
31bb4443b3623ba6aa7c210443c246c7f660c446

SHA256
0498c1c239f6237185278b94df628336e124af1c815561994184aa22cdf07e54

SHA512
a68e3a5efb0b4204fb625fe2758171b628b93afd016526544bbf405aa0f2239a35c21e2afb39c8629fd56919edd37c2237a6a42f1fba7678d66156168634e8b4

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
419KB

MD5
ab994257b9639acc1c6faec9b3dd57d9

SHA1
e3d7de3f5ab3762f67330ef48cc9994c54b0d84b

SHA256
a6c3355029a79af6b800198f44c5ae671bfa0d239ac5d60369909a416796b9ee

SHA512
b26085e1e6f61f5ab7f5616f88179a71e673247b90cfaa97a60aee09d14f3aa76201e8d8877d7cc46762136c1e0b3d6ddf67b6ce655fc5ea261395a5f48eb810

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
419KB

MD5
b6b69d7c33820a68eaecdf701b193749

SHA1
5ca16235470bb07ef5ad52897a9825012d7706e1

SHA256
9a2f0f92d4547337b4349810f498446a54f1e36907fdff92649e58bcedfc1ef3

SHA512
d7cf9ce93ca16e30e41329ac2ccee699d7245f1c658c1273f2c3c3452953cfc7a4cbfcc64e7fc94d49d64418be38bc85e224ebedc0dd5cb3bcf557081c96abcb

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
419KB

MD5
048b9062218bbe98ef6fa2176238b7e9

SHA1
c551bd464e8e585247fb8670d2caa45d1876628d

SHA256
487d834354f6112bdc91be1dbdc496ab74ebd25bcb21d74bdfc1dd75315328f3

SHA512
81273458186e24e7d599a719e70e024d3ead765c0ad7014af52749edf175b76c5d4287c22fc382437215f0f414fc55b99ad44f4192e26c6b6e79bf9338d1d08f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
419KB

MD5
c93ced4ebaf95252e3316f50d77fa0a4

SHA1
7825422e67c70a48cfd84b34e511f31b7ad8acd5

SHA256
5df1ba2ac43094ef91e1a45824b01ba313ef2e76e7dd924d5ce036cb471e593a

SHA512
19c6cfc6f8f1150845c2e873f3bca979449eecf70153e99818afa13a635948434cabc88e142682b626d52ce7075eeb54f0d9fbebf636a6dac6777bd0a301fc8d

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
419KB

MD5
9b8ed5be96cea42e7b2e197c6a3aee16

SHA1
1a5ff00e06b97c9902c4ea0bedc76514f3ba9873

SHA256
2092085fdb4afb06cc42bf5ea0e6ec3b3562a544cf23a7d69e903eba001385bf

SHA512
95867d9731fdeccbd9f5f298bea600da8c6f9344e972fa123a2fb086923c73c7f103e03bbe54aefea4e0fc1317accfeee8833ded5e6aec54bcd755b73b69364d

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
419KB

MD5
23fcf09b4c45d53c1d0edf30fc599acd

SHA1
98925fb0f3da1dab34145bbc5b41753afcc5639e

SHA256
c2a68697803e84074803bb7a3f61fb55f324283f276cee04347f5ae1d39ce47e

SHA512
5a919be7de93947a3d37772904ae5f9ba1c00de91dbb1de572d1fc156573d75129d5701871dc29e7679e6b41b647532fa1deceb195dfcd086ce6a9b20106a4bc

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
419KB

MD5
6b298b494843579866796b4fff40bd38

SHA1
ea410b5a4ad580312b4230b7b9d82f7e38b3fc60

SHA256
4f2f8744af928dc26111cd38f46830fcdf40c491af35ac6331523c3c76150f33

SHA512
12bcee64a65976fea35ee66b5502600baa64e1a1876e03950730d5303220afa885b0436b6d76a8fe5443fa02ad2309daffc6154343902bf402fa794cebc1b7c3

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
419KB

MD5
7707a66964b83ec4542b5628b39fe175

SHA1
79be1f442fcb80c62305d6df082dc1e18599eaba

SHA256
b08a36c1131c3d5dab7d0c064504044ba820419dbf129198ef2a9fcd55af88ff

SHA512
d6072191f6dd4bb6223012ab0d3f57f764e3876aa68c79a91f420737552110cdc78a6e319d8d0ccdd3dc3765e6cb7af3b75a170ae9edce122a92de587b6e1ef0

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
419KB

MD5
3cfa01d16605d3aec27841bfb73f2d61

SHA1
56c84dd4b0566d6ebf3645733e2eb05319700196

SHA256
74e89ff6e2545c52362dc02802ad2fc18611e7a84cdaaa2b60de018a2002cefa

SHA512
89dcc70d3105f9a0bbdc75709abbc7024782f1066136119ac6076626d151a771d31d9d539caf2169d2e6a0a2cae5a13672ad4f6487f2111069c2df3f87361b03

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
419KB

MD5
4eb67bc67c20a56b9fc2dedd69b6f3ef

SHA1
de6985059884d9c1ee48a83cbb81682bb86ae06a

SHA256
64b58cb26b06546f1e2fd8ccca7876988611cdd662fa6096a3508357beec11fe

SHA512
f084f2f55269849f274d5862fd2cb907cda53173825a7ebdfe5afa93aefc01297df7c4590c7c946a705bbb2a50aa4442c505978dcf10040a959c8ac63b7870a7

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
419KB

MD5
931c170e1502b3ce27219d1436f29e1f

SHA1
2328590b8a5eb0a1aa970d85b51913b440835397

SHA256
710e4298afa058945738b15ba340cb7ca67eb2bc02641df57e28cebb73a4c1b0

SHA512
0c497f8b02e7f47969cb0dd5402fd7256a039d21c757e2c55f24f6d4c9a7227c99a4a3bebad0853c7eb7859215938a1ed3cba694fea156ed62e9a04eddf5f981

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
419KB

MD5
e13cde51a554bb2e70ea4ce82768e932

SHA1
659fad67ecf954b52dcb8307542964f7aeb0039c

SHA256
7fc31c23eaa9c33f280e4c8983668159e336116583f8290a879d7e2c5a35ebe3

SHA512
08128694728c3c2583db8dd219cc18534cd805104ccbf08e73955b4ce997f91e6ebd3e57de5711cb5bb07ac5c577ca02c1e1b26490e5fd50c343ed471394d170

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
419KB

MD5
f043b0389aec9b182bfe38ba4ce98110

SHA1
424dc2db126c703862c2fc263fc063fc6981ece3

SHA256
db628d001d2b5a87ef6560a423bcc193d927d9f7c7248a9658d732da91788a45

SHA512
f12186d25457f8db210e94cdab34e70f0016d51f5f1bba4043f9a6840a68c82449bb2428c927c7d9fe41dc1f72b71c33d0a659e88b9b53071376bb3832a65617

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
419KB

MD5
0f7e489eec305591f6743eb2761c5803

SHA1
29401a77ef17aced0f95204b22704bfc2a4ab5db

SHA256
6cfde2210119b8dde1cafea5bb440221fa3f69ff5ee9f4d329749143f2b23061

SHA512
2ef29c8c0d9192f69cdb2172c39c3b65b339cec8483f0646f30c8973f8a2fd4e0c7b3599df46c76e52f187516e1a7d5c382437cc56cd528dca313ede71e2b0ce

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
419KB

MD5
44dad9e3cc0d3a93ce95b649419c45cf

SHA1
f2e093ab3b371c0d78bb893250c7c54edd80679b

SHA256
cbe9e95fce47b8d1148e96e3ab50d8714454d51668d985f1390cb32eb8b99507

SHA512
ebe7ff2dbcd52e0048afd1a2b96852ad67f2aa7b4e32d9b3f817230ed8898e383017b936a91bb413120254617aa4552a3d152dcc41e8db47e484ae4a36a3a526

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
419KB

MD5
267839b6aa875ec23a584b275c89fad4

SHA1
9bc670f3439b29e4c82f60ea625f0c9fd3cee1e1

SHA256
243d7cd81f4b52c08d9849108315ce3a6c8f7a5b2e4cab682d0f70eae326f2cd

SHA512
c6c752a6fd1693b9d695fe88ccd04a89fec03b202bbc7c5384db380e504c8aaed3acf84bdfcfe7feaa1548e63e9fc8794101fda6044c19b0b122ba1b69952715

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
419KB

MD5
40d0ea6835632e22e4facfa63c0ebbfa

SHA1
af08f4868094c439890a703d0eea8c20d4eafcf5

SHA256
cb75e00f450fc4a88a5b302deef7e21bb2cd13de399adaa22d7d82cb13445350

SHA512
8460b808227c3ec02fe03dc9fc841e1718123b075a07c6f5ae4e612e10e8e2662ac6d2773a7f7f6bc8970de13e791be23c39ad3a44bbfc9a853d794897620b7a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
419KB

MD5
77c23848212a3c85b8b7fc1e67f2fcf1

SHA1
acd26ab9b5b75105fb5ba5fc926b5a5a04117358

SHA256
1e128166ba9c2f2308431b633b5172b5bef4805570ac9a9adc330e54e734d8bd

SHA512
f122cad9b705cf36a319d06dbdef391b6abbde7ea3460a0d08bc4691a9bebceb56c71208e9bc2610b1b1c9d89fde694f8bbf0ba284ae8235ab4c070a4cd7c571

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
419KB

MD5
5f8af9382c593061f0666a3efca9e441

SHA1
eb3183929919f01003aeb10c44396e9a94c1c2e3

SHA256
cdf8001d12fcbfae5319b9cfd89dac71daab3812e63b4ca4552b8bd54291c3a3

SHA512
0baf4612e87f9903e66acb8bef0050551e5cd78bb7c9598db5671d2402fc1c1de37e95bf8603ef6fb4f76ae39f92feae44076589116303e22a7f7989d46a52b0

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
419KB

MD5
8ccd25152fed45d5c0dc46b92a5e8868

SHA1
d6cfa0ae37ad1221ec10d1e03f8ee81d5a75d859

SHA256
49e176a614b13fada9d85a48fb45e56a3d8943d411ab35914054919d58709cd9

SHA512
ebab741364b1e67ebbb7c75a5f7e9aa24227a0c876b86e6a9be1300baba527363a9e4760227548e25c5b1eb02374ae06d21dda95da41b60d264a17db3f858550

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
419KB

MD5
5c4bb700d22ef2b7f6e95755d98894d6

SHA1
18e38600167e91c607fa939cd0c79bf3d6b754e2

SHA256
8cf5907fb69eec55fd6d75c691cc0f4bf6d7db6127504910d1b14b1e474d4066

SHA512
bbbcb2dc96c66d09eaf4c4829a7ecb07aa65cf766cdcdc990b3780d2fa54324102665c1a902cfc6a5b0753f6da8df129d88ef062872a3d105a93ed0f2a0d3d17

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
419KB

MD5
e8a8fadcccab6a1d6a49ac5e1e7b5729

SHA1
9b7d90b6fff143ded3093233d14b75a323644f53

SHA256
76b6107197aa4bb394898d03adcd5e1ddd62e8079904c135e19daeac1838786f

SHA512
7e1e33ad249e22f15ae760c2844a6419695327ce0040303f740acad771c5cab7db26b7c6e81832706949c19d64de24cd486bfdec9324da0f06be313b32bb57ba

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
419KB

MD5
ceef2b12be5f8b87d79c3e34050081b8

SHA1
9599afee36b06666532c5584de1a9a62ad4766b2

SHA256
f71dc0815f0cd76e57d3f13e303dea979dd7d6c9ffd37dae5a6b8efe8b535615

SHA512
d8c1181c9e03549dd251c0979b66f603f183b4ffee290d36e4b516a7ed17090b36b71dfd723a1dfc67a294cebd953dbf0289da11614021d3a0b44c74db74ef57

Download Submit
memory/60-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/980-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1272-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-626-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3920-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-737-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads