berbew | aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
Size

91KB
MD5

8723ed86b5c756b77e16110aa4114180
SHA1

d0d252f2a5e5581cc941cc1a142c757eef344a7a
SHA256

aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13
SHA512

9958439d707874f9534e47c8190d560e1c6a6182fea16148b23e5c92aa4b128ce96e4e0bcb0fa17f0264fc4bdbb25accdf4ad2e9f0fdc461a41d7203c1bdb602
SSDEEP

1536:9FOTOBdn9WeFfsjmDzHoecH2dG+eo1xC0GZFXUmSC2e3l:XOTKfR8iVcH24ho1mtye3l

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
976	Njqmepik.exe
828	Npjebj32.exe
2588	Ncianepl.exe
4860	Njciko32.exe
1384	Nnneknob.exe
2932	Npmagine.exe
1436	Nckndeni.exe
1052	Nfjjppmm.exe
1440	Nnqbanmo.exe
4156	Odkjng32.exe
3436	Ogifjcdp.exe
1820	Ojgbfocc.exe
648	Olfobjbg.exe
1900	Odmgcgbi.exe
1428	Ogkcpbam.exe
2696	Ojjolnaq.exe
1668	Opdghh32.exe
3336	Ognpebpj.exe
1104	Onhhamgg.exe
4224	Oqfdnhfk.exe
4228	Ocdqjceo.exe
4332	Olmeci32.exe
2600	Ofeilobp.exe
3424	Pmoahijl.exe
5008	Pgefeajb.exe
2292	Pmannhhj.exe
3920	Pclgkb32.exe
2708	Pfjcgn32.exe
4084	Pdkcde32.exe
4376	Pcncpbmd.exe
4992	Pflplnlg.exe
2520	Pdmpje32.exe
3416	Pfolbmje.exe
3180	Pnfdcjkg.exe
2032	Pdpmpdbd.exe
3976	Pgnilpah.exe
1248	Pjmehkqk.exe
3748	Qqfmde32.exe
1916	Qdbiedpa.exe
4412	Qgqeappe.exe
3144	Qfcfml32.exe
5028	Qmmnjfnl.exe
4672	Qddfkd32.exe
392	Qcgffqei.exe
2592	Qffbbldm.exe
4192	Anmjcieo.exe
3752	Aqkgpedc.exe
2008	Ageolo32.exe
3876	Ajckij32.exe
664	Ambgef32.exe
1772	Aclpap32.exe
4052	Agglboim.exe
4236	Anadoi32.exe
2320	Amddjegd.exe
4600	Aeklkchg.exe
4832	Andqdh32.exe
3484	Acqimo32.exe
4880	Afoeiklb.exe
3672	Aminee32.exe
636	Aadifclh.exe
3124	Aepefb32.exe
3468	Agoabn32.exe
5052	Bmkjkd32.exe
1712	Bfdodjhm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6108	6016	WerFault.exe	198

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdhjm32.dll"	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 976	3052	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe	84
PID 3052 wrote to memory of 976	3052	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe	84
PID 3052 wrote to memory of 976	3052	aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe	84
PID 976 wrote to memory of 828	976	Njqmepik.exe	85
PID 976 wrote to memory of 828	976	Njqmepik.exe	85
PID 976 wrote to memory of 828	976	Njqmepik.exe	85
PID 828 wrote to memory of 2588	828	Npjebj32.exe	86
PID 828 wrote to memory of 2588	828	Npjebj32.exe	86
PID 828 wrote to memory of 2588	828	Npjebj32.exe	86
PID 2588 wrote to memory of 4860	2588	Ncianepl.exe	88
PID 2588 wrote to memory of 4860	2588	Ncianepl.exe	88
PID 2588 wrote to memory of 4860	2588	Ncianepl.exe	88
PID 4860 wrote to memory of 1384	4860	Njciko32.exe	89
PID 4860 wrote to memory of 1384	4860	Njciko32.exe	89
PID 4860 wrote to memory of 1384	4860	Njciko32.exe	89
PID 1384 wrote to memory of 2932	1384	Nnneknob.exe	90
PID 1384 wrote to memory of 2932	1384	Nnneknob.exe	90
PID 1384 wrote to memory of 2932	1384	Nnneknob.exe	90
PID 2932 wrote to memory of 1436	2932	Npmagine.exe	91
PID 2932 wrote to memory of 1436	2932	Npmagine.exe	91
PID 2932 wrote to memory of 1436	2932	Npmagine.exe	91
PID 1436 wrote to memory of 1052	1436	Nckndeni.exe	92
PID 1436 wrote to memory of 1052	1436	Nckndeni.exe	92
PID 1436 wrote to memory of 1052	1436	Nckndeni.exe	92
PID 1052 wrote to memory of 1440	1052	Nfjjppmm.exe	93
PID 1052 wrote to memory of 1440	1052	Nfjjppmm.exe	93
PID 1052 wrote to memory of 1440	1052	Nfjjppmm.exe	93
PID 1440 wrote to memory of 4156	1440	Nnqbanmo.exe	94
PID 1440 wrote to memory of 4156	1440	Nnqbanmo.exe	94
PID 1440 wrote to memory of 4156	1440	Nnqbanmo.exe	94
PID 4156 wrote to memory of 3436	4156	Odkjng32.exe	96
PID 4156 wrote to memory of 3436	4156	Odkjng32.exe	96
PID 4156 wrote to memory of 3436	4156	Odkjng32.exe	96
PID 3436 wrote to memory of 1820	3436	Ogifjcdp.exe	97
PID 3436 wrote to memory of 1820	3436	Ogifjcdp.exe	97
PID 3436 wrote to memory of 1820	3436	Ogifjcdp.exe	97
PID 1820 wrote to memory of 648	1820	Ojgbfocc.exe	98
PID 1820 wrote to memory of 648	1820	Ojgbfocc.exe	98
PID 1820 wrote to memory of 648	1820	Ojgbfocc.exe	98
PID 648 wrote to memory of 1900	648	Olfobjbg.exe	99
PID 648 wrote to memory of 1900	648	Olfobjbg.exe	99
PID 648 wrote to memory of 1900	648	Olfobjbg.exe	99
PID 1900 wrote to memory of 1428	1900	Odmgcgbi.exe	100
PID 1900 wrote to memory of 1428	1900	Odmgcgbi.exe	100
PID 1900 wrote to memory of 1428	1900	Odmgcgbi.exe	100
PID 1428 wrote to memory of 2696	1428	Ogkcpbam.exe	101
PID 1428 wrote to memory of 2696	1428	Ogkcpbam.exe	101
PID 1428 wrote to memory of 2696	1428	Ogkcpbam.exe	101
PID 2696 wrote to memory of 1668	2696	Ojjolnaq.exe	102
PID 2696 wrote to memory of 1668	2696	Ojjolnaq.exe	102
PID 2696 wrote to memory of 1668	2696	Ojjolnaq.exe	102
PID 1668 wrote to memory of 3336	1668	Opdghh32.exe	103
PID 1668 wrote to memory of 3336	1668	Opdghh32.exe	103
PID 1668 wrote to memory of 3336	1668	Opdghh32.exe	103
PID 3336 wrote to memory of 1104	3336	Ognpebpj.exe	104
PID 3336 wrote to memory of 1104	3336	Ognpebpj.exe	104
PID 3336 wrote to memory of 1104	3336	Ognpebpj.exe	104
PID 1104 wrote to memory of 4224	1104	Onhhamgg.exe	105
PID 1104 wrote to memory of 4224	1104	Onhhamgg.exe	105
PID 1104 wrote to memory of 4224	1104	Onhhamgg.exe	105
PID 4224 wrote to memory of 4228	4224	Oqfdnhfk.exe	106
PID 4224 wrote to memory of 4228	4224	Oqfdnhfk.exe	106
PID 4224 wrote to memory of 4228	4224	Oqfdnhfk.exe	106
PID 4228 wrote to memory of 4332	4228	Ocdqjceo.exe	107

C:\Users\Admin\AppData\Local\Temp\aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe
"C:\Users\Admin\AppData\Local\Temp\aa4bc7f5961a730ad5eccd70325d1f901e1061dc6f1166d9fcb4001e6e37ee13N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\Njqmepik.exe
  C:\Windows\system32\Njqmepik.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\Ncianepl.exe
      C:\Windows\system32\Ncianepl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        25⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5008
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        31⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4804
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        72⤵
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        87⤵
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        96⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        98⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5708
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5840
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        113⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:6016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 404
        115⤵
        Program crash
        
        PID:6108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6016 -ip 6016
1⤵
PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajckij32.exe

Filesize
91KB

MD5
9b256145d2ca43bc8113e29514bee198

SHA1
b79eaaf53fcda0194b4d5bdad17946d30dad997c

SHA256
5b311ee7badce8afe2fc19e5b819b310940ffc1454199c1b3da627351d698c14

SHA512
a87e25b51712571a367248032814a12995339592b9e7e7c83834d26c3785b0d5c6a24174be4120ff2d7c112f54f7e362a1addc6af1be86ac2e1fafbe1717fcc7

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
64KB

MD5
79020b05103bc70125cb3167e23a62c7

SHA1
8363240c9a659dd2ffc507c9857647c438683558

SHA256
bc093ea6c100ac241337a59db5e0f3b34315326b7a05ea82edaa74721d777c7b

SHA512
638ff2d8a3fd2395169594d2889589b39edf9c35f654e484c74f75ce42d07638f700b5d2f16cf33b97773086f48414b3d06a04e3c81de1421f64f6a0eedbd31c

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
91KB

MD5
9a679d7a33900126c2cbc922e556a4ba

SHA1
894455d4abcc5bf909edc9994168d43d538513f9

SHA256
9bee5beda7fa5ed1a30ff9b008db5f0a237c3b9c24e332f894c5fee6fbaa6c82

SHA512
0754f5ec8f7f384693fcc353aa3a56248211da2f8dc15177ccac1c942774f1a7f22cb64869662e556b0eeb6ac4c1b2a51acb7be33e0efca654a62f2054b12cdb

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
91KB

MD5
d177d42ceab09295a5b814464b5463b6

SHA1
65cc02cc44e7e467a072f667ae8fe5bb7889510c

SHA256
b8ff03e673a4f36022497dd3c98bacf0a5a4c5feea35fb97bc8db5f0d054744d

SHA512
038630df08caae539b8db46ccab676a62203226ba834769424d11165fc4ea2c7e8b89598a7b10c2e172a0ba805bacbc271c62fe0de13ce77a7b395b6e721d0d4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
91KB

MD5
52902e8056719b1cc6fbf12354af1b31

SHA1
3f4778a1cb811f7f060c4467cdde19ab886e1166

SHA256
244460475edd99906500d2ebf0c3e14de22f770558274643184b2c6e1ca3d00e

SHA512
f7cd9a01b0f0c304e4bb4e88f769d705a39d327b1cdb2273bb6bfbe0767c438195676b3ff34855b3132f12e124abb1eea6b6c496a5fab70b31a1878a0313620a

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
91KB

MD5
f131e89ccce3fc08c7a6e889496b8507

SHA1
94c70e50ff8ff39c216ec81d003b0197aa3bfda7

SHA256
2fe564e426a4a68f4fc170a2ae4f4d3e39475182b2e6e8a512a7fca5725b8329

SHA512
e783e0bcf5dfeb84704a3b2169f379ca26e452204e874ffda323704e5db3103f8db673eb60d09764c5183fc9c9be8a6b5fb9d06a53587fb844570fe29da2b610

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
91KB

MD5
8f227901a4d771b54a798746d17a4a0d

SHA1
c2b143f74193851a53560a8f35a312cd46eff76d

SHA256
c4d92ba1326319efd4c9036d3b16ce883c2e60c264d3baaa2fddd941b585339b

SHA512
446180f807fa4f71bc80d80afa4948619f2eb598a9a912487dc240e3b2ad81d79632ecb33414315368fea7e174de7890234d7e1148e1748d64a80b270ffd7729

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
91KB

MD5
11ae18a902173a7f895975b1a011aa25

SHA1
15c36aa86084bf41dd8144baeecc04db845f658e

SHA256
a61876495497e3d4d626f9725cfee0101644810c4a5be9e687db88346b99170a

SHA512
8df50a9df41a865b96183bd30bb9856a1e896e1ed72d6195f7b1c5c3967e9bf72f856d3fc896c8995c159b274b7e7f3a0eac84554f0281a41667ba9cb0d1257d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
91KB

MD5
103b4d87ec9b8ef40750fdc8d5b80d8a

SHA1
746ca7723baa212af330e810f6b5e7a581d9e819

SHA256
3031dc1e27589950d555947bf14d8ec2b53fc306621d520950382ee05b769bbb

SHA512
0151dd828d300a45a962ec03be9c4cfe4b997d8712080923e61c6e629a1b6ee0827b1d80616699d74de9988bb24b4ee509b67509365dead529a4705241fa9cb7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
91KB

MD5
878da5a04122be0e8cfe6398548545a1

SHA1
f9d66b8fc1bbb97125074886c3ee7aec871cee93

SHA256
1bfc647342468302f1690dc6a788373ee6d83f230fac7825b83e007c78a62fff

SHA512
3d80980afb657e271bfe11040e8fd0be4e53e0e52c9f888dade95f08dd0910ab1ebd11d78304f0522c4e6c513b453b5b4ccfea33af58e735b12f5cab4f24cacd

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
91KB

MD5
4b408e95559e8138fa746d150b18009f

SHA1
65fe8035cb4983ef69a3483caec73aa013e7a7a1

SHA256
385d78deb5679b04927f9d6c0687977eb38d54dd7a58cb7fc42cde40586ee417

SHA512
c1f4236542c6e767d3cc8d7fc8b21455972de5fcca251f6fc5d9f9f5d29e21d5c6201c34c0ce0cf8e856f0cc55fb07e930f392e3d4ef44e24f9fa2d80b22ca83

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
91KB

MD5
48fa8ca589d0afb506496ddc6c7bfc24

SHA1
9452b75a436dafdbaa3964708f6eed78eb12f6d9

SHA256
4b86fafd8d41d0686db89adc0e3e35bdcd85199a4c789d62ffe5b6c812e71152

SHA512
bcbba91731a8fc452de1173c747c721e589cf89b4daae82ed92ca165fcc8316cafddf3e5e4ebb42007f85c7e8e832fcac04552f2c86ddbfd6dbf909f214dc1b6

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
91KB

MD5
03469a10fa88180bf508b98e23c2395b

SHA1
4ece3ba091a5b4059e77780ee4a09c1758a80c0d

SHA256
a5bd4950605475e97770b6e80f0fc0d4a91b01e32faeb295e42b0cb4e56fd1c2

SHA512
0ba13883f1e25379cbbe1a660b63123964eeacf97313a0785cbb6b9dcf522a84c662514cea422a1b2a67f0f7ed338cd6fe0cea1902740aee34a59eda4ff57a01

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
91KB

MD5
2bc4aad6222432534519053297ffa726

SHA1
11ba121920704a2141c2e3bc927bf913746d6a93

SHA256
2495a37efd062e61a7383d16d3f720a292d6e4523eb9d3868055b794cdd80e27

SHA512
1130f8b5d3c023251e25d6070201312afe657b3f95de60cb1d92a5f9c4dcbf6a483c28fbb9ed468a4f223a7c866b1ec67c8f6ebd770833055f3c654e24b2b01b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
91KB

MD5
e4f35868da4164ad9da55af185c66be3

SHA1
427a5d3f05ab91fa5a71bcd816583e36201858c0

SHA256
f6cdac7592b3fbfa870e39f3e8d71607fcc25d83889ebe3246d6d59db141eed0

SHA512
a50f6821025f9015b7a4456db9df421f01822399dc3793defd7939acee3bfe8b6caa8ea573a8a8c6356475a16add99b1bc371956c5c0d7faaa3893cd2a9ddc5b

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
91KB

MD5
630d92f52da1a4604e1b034bdeec4fd4

SHA1
39c057a386743f3d9dd9d87c97317c1013a87a29

SHA256
d516ec825a9b76928c6a2d2ef332778dd097c2007eedec8f8bbbfde2a7b9cbd7

SHA512
03426e0ef5e6e73e82afe32bb2243ea2413cec86dc8e63f96ad8bb96f2a72b2ff8f88e779c9d17361a6d20ad963107817e4beb85721bb5c05c04ae0e03ceef0a

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
91KB

MD5
d6eab0f6d4fe80c73d4481898ffa7b06

SHA1
6528f764e4b730be60a47dcfab4bcf8cbc375082

SHA256
7c363e9206269f85b9b53671c4a8ff551dcaf9eadba221282adaa80005ff1c89

SHA512
dd6086f758bda410d51f45f6b93a1db04cd8cd93fda9cf7719dc13721b986979edda43085e3fb4d2c34bb7b019568f6a8fab899752d7a22befe8fab4b6a76f1b

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
91KB

MD5
67e3149ce72b471331d787df87eabde2

SHA1
e983a985f5dcdc7528179b2f73a2ee53f339cada

SHA256
51d7c92a9827e8277e27f85fe093a09cad446de709ba83b2bad8af437a7657c0

SHA512
a7cb7134a487f07aa0e6b84b55543bb7b6d56eb16c0fd6c773edfc5bc63920d2fcf61c7280e8b490619515dc620ed7242f820bd4f8c00df8d9ac3719a3ad1e22

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
91KB

MD5
efc597e02592b537628c26f8e9e28d19

SHA1
0333c7fa1b3a5bb5e46322d81f44f3199fea6f31

SHA256
eee7466d6499fcc9ec0e97f321d9045190fdeaa005e2bb9c85e43bf255c0840c

SHA512
20651fc1bdbbcd7f252d1dbe59f4b6ebe0e6d8c26213480763061d4b54f1fec5bbb1c19a1db44b077dbf5ea35e56895b8debf649205c5ed7e6268f8ef97bee98

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
91KB

MD5
19348279f45f61e9b32290c23f8abfc9

SHA1
96ddca3b7ad84d287a2523e4fb5ecb5ac16cf0ae

SHA256
f4a3799a35b55b6c3be464e976ad4b09e62147d91a8366fac97ff9d5c6d41bf3

SHA512
445fd678bb34528689f9da8e325522f7e0a31325f73c5273f6cd5d3f7552141245a439a07f82cd0289dbdd61b32ab3ed6ce45bd4e0ac98c7a856f24f96addbd5

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
91KB

MD5
30b366dfabf203dda2ec4beaf78c006a

SHA1
4554ec40b58e569057245be6b4e18abc090dcf07

SHA256
9a09139996fd42bb23a2ff62c75434a4d2e2e00fac3f6a26e8142b69770ab5da

SHA512
b447a3dc404f74a5ea91d4e569aceed1ae77fec2478e88c4e20115a7c53c1b7c170416b9a788d5da23959295bb40169e134347eb1229a2afef04f0ac310cc9c9

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
91KB

MD5
1d3c55ff18e5efa5cd7a8bccbfdd47d6

SHA1
b8675404373a4a7b60a2ad850f09e9393d947a9a

SHA256
5738b3467b4393c7f8a8dea6965908791b916cc20d4cb1fcf854059473ec8773

SHA512
8046d641cf81271c93812abc96de4585cb94664fa76c09a872e1c10c8612159b2cc3b62d66dc397ebbbe1ef714ee9dc6dad5dbc3b6c08c51bb211b97eeee0dbc

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
91KB

MD5
2a81dc7af91628b225aa79147f74d841

SHA1
c7bee5430fb2aef7bc6269e3b701a8cb8c636d31

SHA256
5546b5a36c39811f5780678b4907b5ff3aa1cdacd0e4c0e0bb21a8b0b24d6403

SHA512
772b4b954fb1a7ff9a564d5c09d3a3c306d0d18edfe47680168b5e0748e3e9636db14b20d4a7cb809bf0cc8c0784ae7e58e72d0b1e15bb96b1d711b70cb8755a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
91KB

MD5
75f63702cb02ba145bfa7099c8fb0790

SHA1
6c8cbc8aa65621975745de306f67b9b09a9c8d6b

SHA256
67c25c22b60dbe27c51dd200abee78c473635b90d1a6818520c68af9fbaa2292

SHA512
b964b6629fd7c18fa07e404753ca0dc165e4e8f7e29fbfd1b6ca04319264cca7e7a375c6062adf8038a473313e134d015461cc7bd1603305a429ef51b1ade5d4

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
91KB

MD5
b06929eec0cd016a7aa937979467bd56

SHA1
c68f195c130c2325c165e8f8af5289c6ce9afcf0

SHA256
de589179de1b4b8a17e5f545265cc57ee3b6343b42b3dc7f5230758e58576ba7

SHA512
434b4c7a847fe7b8f9b0b6874968a9e4d073e0b73784656eb50308139908491145d1621a7b625a9df3d9b71cea70bd56297e2fb822becd0fef2572b2ded7916c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
91KB

MD5
87abb8098062db3f5315bc62e069ab50

SHA1
7424190630f7a9ab381b1cc2a4e21d92961bcf52

SHA256
435f179bf81c1caaeedd45c85a6124a7b70422ce74ac295a38542f2a238367c5

SHA512
f7a986ddd81c43674fd54bd0ec92b94156a3f6dddf89c806fb5dc471ea392af994b956c096380933db5859846f4c9df27399c2c56a56002620ece8acf2b275f6

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
91KB

MD5
a7c77e8976438d24e173a621ce7fea6c

SHA1
f22c29dfaf729bea237963d3ed1819ffdd364aae

SHA256
d04af2c138cea15608202148d814ad0349e21d5e07196d420fa68f8958002108

SHA512
9515701a04b20b179e6c547a4535205b41a14f31d991e529df4f8a629dd2db16a5425871db2df32122fe400aaa1d787490728b7e593cfd448971120c143fe2dc

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
91KB

MD5
bdd7bcb3f6f42af37c02494e3e3b21dc

SHA1
317083597b7ff4632efaa6c3feaadd0ce84efdf1

SHA256
bcad23ebc6e24f3aa123d0e8141cfb70233bc14fc3d07e30f5c2f3dfe0b6df88

SHA512
7eaa51170230c060d1075594658de2961e47eb943ceadccf44ebac0e8c9efe6efd461aaff75919c2af8b40396e4046e711cf7263908791200927968092cb0fe3

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
91KB

MD5
48eb406fcf2bdbdc057952e9eb994567

SHA1
0e36153341da34b851c5290d271d4a604d20c14a

SHA256
82c1295072c10febb947c54db40149bd9fca1e0d9385a76cdbd5d3bef10a9ba1

SHA512
a031601faccbe44bb26541882ca48b4862472d3c68e9961520eff78ed63ef15c594d92c8378e638770c09218c7592f61a68beaa29a28a612e017ba56bd6f2581

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
91KB

MD5
bf9cdbe3656c6b7a0c19e04493ca6eb0

SHA1
1713ef8c3afe5220c2e0f6f65bc1fbd0d9b0cb12

SHA256
860bca894868dafaeb3f97575619bfc122fde6ce17dfaa2a7896ddff74da7def

SHA512
55ae70d11e9172c7310d1e3fecc460e29b26bbee197d34320e1097f2f0ee12535b544959918c72ee59fd6bde31d692aa8e006f0179c46e52891a33467b54a265

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
91KB

MD5
3b0fcffa82cc884672ec220130c15250

SHA1
0f6432ca1a52d491f3150bcc5745a38d7086fce7

SHA256
3470ccc59e6703e865b5f713b1a620149aeff3a3fbb7c2969e7373ca16eadcee

SHA512
71f0df5aad4ff0a7fcd2ccc4c88afdf704051610865a77e4fde10f9809350e71c0c4b4bf39ad06f2bb7c7dc97ba168db07bd0b38e7953657426d7c01307b46ee

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
91KB

MD5
a08701d37a2eb5cf5dc31feaad2af73d

SHA1
00c53a9b75abd211d598d3d2d63a569b38e33f04

SHA256
3d7b87907c6a5dc69d216d5ece66f70e53a9d05b4c7901d6f0a261acf5b3bd30

SHA512
9aad2d982a4391cdbed79f7620a7e4b1e0313cb926dd2709a22b024cef31403523316ab95c02113eea0fc91ae77fa12c3495c7c38a5204a77e5de8a8eebb3f17

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
91KB

MD5
596917ca4fc79d0ca0d5006388a42ee2

SHA1
a5b15b6e5815290cf8c28ecd71a15ea3cbc98001

SHA256
9b5044ed128d91e4d887af970ebd991f380ca62de9cbb277b98150dd233093ae

SHA512
2de630765dd7e52b9faadc9a29d887f3b9216ddc7259f406b5f6f28c1e9951747dd5450994bbbfcce05cf9ae48ad2cf6dac68645b9c1286e53c129adf1ad2c37

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
91KB

MD5
b68762bd31f4158c9bbfd7b13229029b

SHA1
9649cef632d485966d85c47847c23d00089ba869

SHA256
dace4701bd57e27f21a45c59d0b50d3dc18b36fd64836586e552fb7aa693276a

SHA512
c7971aa8ac1c4fd2a6237395fd7e914fa083234af7c85316f382017c3ab08af7243283a32c8de57d3f9b48b0975ad16c75a14576929f155c834da6fea92ae9c8

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
91KB

MD5
bcc25e97c2cd1da484af11700c60dffa

SHA1
efa54b297d5ec49fc28d4933d83ce580f17e2236

SHA256
8cb8de0233f7ba0f0db398e52aed28db9a701b33a17f1270f1ab482c91135a92

SHA512
53d046ccb2de9969aa74026eae90608e488754aef7c0e14e4d5f15fcecd7ae18b60ade166dd0969fc5affb3f0e01cd0ef7319556a1353568c2e7ea0e0b9a936c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
91KB

MD5
6b682f56e086982d89974befd2471625

SHA1
b2bc6c3763b15b6b2b02e15d08387ec411c1ebf4

SHA256
1b99a88613e23710c1f553dd3c4411b5da3da0f4d84393fe95d0154f463b6472

SHA512
7f59aed6fca37994e94c4e1942195fbb67f3564ba472932eec6908858fc98c4b29df7ab7ed9081189fb9b2b90ed4c951ccd890c7fa2f00d88e2e21fbf8d9adfa

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
91KB

MD5
09cce5b4af42cf265c298aea69390a7d

SHA1
0e0e895ef5a08bf170714ae7062be938ff11b657

SHA256
e4bc55b4ea612e5a6d4df3074fff809df5cc95c721f09b414a47dcddce2a714f

SHA512
2e57811ee48857909023f8375a08da7bbbcedfeb2272c7df4607096515576102cc6d918647504c3db16b886f79aa972dd9f2bc0c3555eb948bf85e2651c43ba6

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
91KB

MD5
944a891eba7a850ae3a6da3a20011539

SHA1
5b7477490fbdd735fa8bca4e15fbea9960469b47

SHA256
1e8abe0396eb041dfbfda027c2dde5e2762244b3c74cfe1990bfffbb0f5827c3

SHA512
057ef9590fe14e5a6bae816396d4f2659903a3da86f8437ed20b548d846efb79349da4038e71cd5c3112ed736baa5bf6053dec85d5e2bdc4ae7afb8af27f037a

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
91KB

MD5
2f0b7fa33cdd215daab214ef418d328e

SHA1
d536875e69e45cba7fadf659a621004fa53e2318

SHA256
629001f695efb2dd3c567c3b5052c5791176486b6a974b4f78d0285fa636d55d

SHA512
a0f90e3d7a01ea9594f0550854991e9949719b6daa9f128e61bfd881cc54bdcbf4fe81091066caf9d2fb9a8e1eec00a238a3cb3cd605603fee7dd9bef48e56a8

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
91KB

MD5
bfbf92a0a4fa2c48a747ffe73cd1b589

SHA1
0b8f962f8c8dc65e05ac6841408bdb538536fe9d

SHA256
06715d4e93dee228f49d96d5a54046c4997d24cd9ccab844351a1dc43ddd3333

SHA512
f3de152c17202af4857efb265833611a8702e23147005954f11b3e8e027fa48c3c0e780d1084e9dce6f2cee7d36c6058719476b93607ca78524df169e1cdf84d

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
91KB

MD5
9a4d0e2a49fe53452d78f0996b212688

SHA1
6e8964d9f70ce45a6c9f025f423d5b8e1d7db170

SHA256
24fe94df867e605666f17e756ae7bc5226e906bbf83c4da59768896cafb75cad

SHA512
72810703a159a51a8a13f2d253157f0052187de10bc209e5d576b822fdc91dec7c745d60ea66198e61ee6f8948fde339c615d527362784a6fb14f8bcfe8c1e2b

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
91KB

MD5
3b6026abab926ff30c965ed54ba2a574

SHA1
52442a7db8d194c1b3a73d9fa071eaccff7c024c

SHA256
7184e005d51d52546828ba8e26d99a61102489cd75157d15146f0076c36a4d8f

SHA512
398f640a169668c4185d4100bb496eeb5b5973249aaa14d8148183eae6fa2248a41d7d2bfb821dde59b2912d4860b7bb59a9e8b61b1fcd6f1b0c60e76ee75456

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
91KB

MD5
aa337312ead21d9e16d87221c3adff4d

SHA1
ee1326d1c6dd7b9d2c67235e7214600f6c47c91a

SHA256
2d6e627a6fbc26ba96dc5d57fbe7babca5d343b98a6af111dd58d1de8571cf25

SHA512
2a63478f9047ddba6795512fe5697421a6981b92087bba398d29b97ce2b90bf6f583333b32ffe40c52102a3bf0cdc5c29f275c20c99ea4553c56ce81e5f1526e

Download Submit
memory/392-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/664-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-851-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/852-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/976-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1104-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1156-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1712-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1900-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2032-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2200-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2292-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2600-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3144-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-587-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3436-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3468-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3484-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-884-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3820-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3876-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3920-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4084-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4116-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4224-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4236-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-594-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-458-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads