berbew | b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 03:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Size

74KB
MD5

c0e45ac9048a385fd067d30b85f70600
SHA1

0e5040b889b204f5fc9701702ee6d63a760e6c6c
SHA256

b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21
SHA512

59aaaebd3e306dc2b5f5c7b9ac2e3870c023de6532bf1fbf0d185b614a2c73d7eb242e60a7f4574344a52aabffc1b0b3ec881d2239cc69c833a697d9af7595ee
SSDEEP

1536:ycWyX0fUBf7iRJiHmTeiF/z6ebXGdAQ3dDx8IMue:bXXdsziHmTeixzlbStD+Vue

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2212	Mlhbal32.exe
1144	Ncbknfed.exe
32	Nepgjaeg.exe
460	Npfkgjdn.exe
1672	Ngpccdlj.exe
1092	Nnjlpo32.exe
4928	Nphhmj32.exe
3844	Ncfdie32.exe
3924	Njqmepik.exe
4436	Nloiakho.exe
1484	Ngdmod32.exe
4952	Nnneknob.exe
540	Nlaegk32.exe
2344	Ndhmhh32.exe
3792	Nggjdc32.exe
3156	Nfjjppmm.exe
4620	Nnqbanmo.exe
2704	Odkjng32.exe
1592	Oflgep32.exe
1416	Oncofm32.exe
4908	Opakbi32.exe
3068	Ocpgod32.exe
1332	Ojjolnaq.exe
1888	Opdghh32.exe
3512	Ocbddc32.exe
5076	Ojllan32.exe
2084	Olkhmi32.exe
3028	Odapnf32.exe
3744	Ocdqjceo.exe
2020	Onjegled.exe
1148	Oqhacgdh.exe
2320	Ogbipa32.exe
2404	Ojaelm32.exe
2948	Pmoahijl.exe
3560	Pqknig32.exe
2628	Pcijeb32.exe
4040	Pgefeajb.exe
2692	Pjcbbmif.exe
3612	Pqmjog32.exe
4848	Pdifoehl.exe
5092	Pggbkagp.exe
2164	Pjeoglgc.exe
1924	Pqpgdfnp.exe
4972	Pgioqq32.exe
4660	Pjhlml32.exe
4652	Pmfhig32.exe
4068	Pcppfaka.exe
4940	Pjjhbl32.exe
3268	Pgnilpah.exe
1456	Qnhahj32.exe
3412	Qgqeappe.exe
1936	Qnjnnj32.exe
4588	Ajanck32.exe
3252	Anmjcieo.exe
4464	Aqkgpedc.exe
4876	Acjclpcf.exe
4416	Aqncedbp.exe
2604	Aclpap32.exe
1700	Aeklkchg.exe
5088	Acqimo32.exe
2256	Aminee32.exe
3752	Bjmnoi32.exe
1872	Bganhm32.exe
2208	Bjokdipf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Odapnf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ncfdie32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gbmgladp.dll	Ngpccdlj.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5588	5496	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqkgpedc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 2212	652	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe	83
PID 652 wrote to memory of 2212	652	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe	83
PID 652 wrote to memory of 2212	652	b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe	83
PID 2212 wrote to memory of 1144	2212	Mlhbal32.exe	84
PID 2212 wrote to memory of 1144	2212	Mlhbal32.exe	84
PID 2212 wrote to memory of 1144	2212	Mlhbal32.exe	84
PID 1144 wrote to memory of 32	1144	Ncbknfed.exe	86
PID 1144 wrote to memory of 32	1144	Ncbknfed.exe	86
PID 1144 wrote to memory of 32	1144	Ncbknfed.exe	86
PID 32 wrote to memory of 460	32	Nepgjaeg.exe	87
PID 32 wrote to memory of 460	32	Nepgjaeg.exe	87
PID 32 wrote to memory of 460	32	Nepgjaeg.exe	87
PID 460 wrote to memory of 1672	460	Npfkgjdn.exe	89
PID 460 wrote to memory of 1672	460	Npfkgjdn.exe	89
PID 460 wrote to memory of 1672	460	Npfkgjdn.exe	89
PID 1672 wrote to memory of 1092	1672	Ngpccdlj.exe	90
PID 1672 wrote to memory of 1092	1672	Ngpccdlj.exe	90
PID 1672 wrote to memory of 1092	1672	Ngpccdlj.exe	90
PID 1092 wrote to memory of 4928	1092	Nnjlpo32.exe	91
PID 1092 wrote to memory of 4928	1092	Nnjlpo32.exe	91
PID 1092 wrote to memory of 4928	1092	Nnjlpo32.exe	91
PID 4928 wrote to memory of 3844	4928	Nphhmj32.exe	92
PID 4928 wrote to memory of 3844	4928	Nphhmj32.exe	92
PID 4928 wrote to memory of 3844	4928	Nphhmj32.exe	92
PID 3844 wrote to memory of 3924	3844	Ncfdie32.exe	93
PID 3844 wrote to memory of 3924	3844	Ncfdie32.exe	93
PID 3844 wrote to memory of 3924	3844	Ncfdie32.exe	93
PID 3924 wrote to memory of 4436	3924	Njqmepik.exe	94
PID 3924 wrote to memory of 4436	3924	Njqmepik.exe	94
PID 3924 wrote to memory of 4436	3924	Njqmepik.exe	94
PID 4436 wrote to memory of 1484	4436	Nloiakho.exe	95
PID 4436 wrote to memory of 1484	4436	Nloiakho.exe	95
PID 4436 wrote to memory of 1484	4436	Nloiakho.exe	95
PID 1484 wrote to memory of 4952	1484	Ngdmod32.exe	97
PID 1484 wrote to memory of 4952	1484	Ngdmod32.exe	97
PID 1484 wrote to memory of 4952	1484	Ngdmod32.exe	97
PID 4952 wrote to memory of 540	4952	Nnneknob.exe	98
PID 4952 wrote to memory of 540	4952	Nnneknob.exe	98
PID 4952 wrote to memory of 540	4952	Nnneknob.exe	98
PID 540 wrote to memory of 2344	540	Nlaegk32.exe	99
PID 540 wrote to memory of 2344	540	Nlaegk32.exe	99
PID 540 wrote to memory of 2344	540	Nlaegk32.exe	99
PID 2344 wrote to memory of 3792	2344	Ndhmhh32.exe	100
PID 2344 wrote to memory of 3792	2344	Ndhmhh32.exe	100
PID 2344 wrote to memory of 3792	2344	Ndhmhh32.exe	100
PID 3792 wrote to memory of 3156	3792	Nggjdc32.exe	101
PID 3792 wrote to memory of 3156	3792	Nggjdc32.exe	101
PID 3792 wrote to memory of 3156	3792	Nggjdc32.exe	101
PID 3156 wrote to memory of 4620	3156	Nfjjppmm.exe	102
PID 3156 wrote to memory of 4620	3156	Nfjjppmm.exe	102
PID 3156 wrote to memory of 4620	3156	Nfjjppmm.exe	102
PID 4620 wrote to memory of 2704	4620	Nnqbanmo.exe	103
PID 4620 wrote to memory of 2704	4620	Nnqbanmo.exe	103
PID 4620 wrote to memory of 2704	4620	Nnqbanmo.exe	103
PID 2704 wrote to memory of 1592	2704	Odkjng32.exe	104
PID 2704 wrote to memory of 1592	2704	Odkjng32.exe	104
PID 2704 wrote to memory of 1592	2704	Odkjng32.exe	104
PID 1592 wrote to memory of 1416	1592	Oflgep32.exe	105
PID 1592 wrote to memory of 1416	1592	Oflgep32.exe	105
PID 1592 wrote to memory of 1416	1592	Oflgep32.exe	105
PID 1416 wrote to memory of 4908	1416	Oncofm32.exe	106
PID 1416 wrote to memory of 4908	1416	Oncofm32.exe	106
PID 1416 wrote to memory of 4908	1416	Oncofm32.exe	106
PID 4908 wrote to memory of 3068	4908	Opakbi32.exe	107

C:\Users\Admin\AppData\Local\Temp\b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe
"C:\Users\Admin\AppData\Local\Temp\b2aa2d5b8a9f50a1ef78273db8392e61cc3b1a5b133cdcb59509c9734eb06b21N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\Mlhbal32.exe
  C:\Windows\system32\Mlhbal32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\Nepgjaeg.exe
      C:\Windows\system32\Nepgjaeg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        66⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        67⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        76⤵
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        82⤵
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        86⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        94⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 416
        96⤵
        Program crash
        
        PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5496 -ip 5496
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
74KB

MD5
f90f140e4f3d740dcd70621e44b25192

SHA1
4821bce99c3aee1848291f45c443cc6b1604418d

SHA256
c3755310643265bbd535b9f1556b78b7a5fd6608677c44345bee48215dc87a39

SHA512
851494d054097f665244535bb49b41e2f0f3f1bd0ed676ddb69af166bdf6cc37ce6767debebbeec43f8e64b78e7e3c3a2ab21ce76a85048cb744e599e94657f8

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
74KB

MD5
d379bfc36598513f871922bca1eb7141

SHA1
77b2e894051d5231e1e99043254b2e1fbc7ef050

SHA256
16244ce76b68871677b81278bc5f7a071d963846d1d8c83c0839bc3efd0e4f19

SHA512
302063669329ca1e7496488f19273d1f628f959864df119e93f556def69e2949bedfebb659443b7c018a15e10d07e782259ef080b6c13965a93e93eb8d8c3e87

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
74KB

MD5
74349dcff5a66cc42c6634612c9c2d4d

SHA1
c63459dd35ef09c3a317a6517160baf17526be24

SHA256
49f51171c90399b9733382e15a71d36d1a79bc2fe2b2288d79197d6b00ef6971

SHA512
0019260cc6f475f5ce2056cf6a9025699acd6df8d16d24156fa0c428866bd3058ce86774b8f33dff5b2bb6ddf6cf37ffdc54548032c62fe1471866e990409894

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
74KB

MD5
6597d234a65f44730121bc60c0bf82a0

SHA1
33bd5e08075490571b6f17c1ec91fe1d0bd82a3d

SHA256
0a32d9ab8ce345f019617cfa03e0d1d555d9ec31bec19be8b094f318cc768631

SHA512
63ab618bfafd6611010d430e2c0868744abbe8d2960c2f14df0e1f9748f7f2c68dfdc6d261b405629152094924980506aa6eebf2e64c1142dab5ec17701ffbd1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
ec99fd0fb6cca08217993c780d243022

SHA1
6a39eed654e3e3ef95a0d9d5f94ecbc8303bc8f7

SHA256
217b804ae28bd6af7019fa694061e35c15a0048f4e42891d9e7ba698b2798856

SHA512
aa9b68cceeaf0c454012759099c3e6495eb373267f4d965b418b850794ad921f46ebb20c96bd074ff9ea9c8e1332e5037c8d19e8d27cfb5eb135ad3e484e79d1

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
74KB

MD5
f603fdac69de1b3f91852df7769597a8

SHA1
9cb34cf9a777eeaa5ca74cae206f70f0eee47c01

SHA256
5735e1b0d1f578b7a66529fea7ecdf9871074c37ae59a9404cf6fbf23c060994

SHA512
870cf4015fc19f9b73354983cce56e9e4bb5241818be2929bd751a4cad8f26d55d85e51ca230e3aada12a3fe1dffd3c9f402074d6a61b9a94dd49b7665d779de

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
84267fc9845072364903624c5bcb9046

SHA1
b12937a7cb251607e495918238c335bc4937ce65

SHA256
d2153353b39d2a275b93064dfb73e9e01d2a6f91d1eb89e7bbfa61b1e4a6131b

SHA512
2d42e000c7a6fab22c4f3c3b718fcba41cc1aa004146e8cd8120e5b17abdee00297f159f8ab2fb41c508449fc90032a176af5b00c36ba3f2fff76190448cc820

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
74KB

MD5
643a7b440aa98c2c1c6993b3c0ca1e4f

SHA1
a8c5abd90491efcb63df1456aab193797d100e66

SHA256
97bf096f3199f4002a1053e4147f44761a555b0529a8bea1be3cc1a19d4bcdc3

SHA512
d786a5b0e4c07300acf76957943c40b552bd10d86e595ab7bd828c380d544eb5d44279139bd2065414f9ec65506dfb4e24764c253fceb3b0b619835037e2844a

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
74KB

MD5
db564a5068702fb36e60998646c7fce9

SHA1
e73f6a0d21cd5fdd20473ec678444c2bafa710a4

SHA256
bda52864d1754a7ae9e3d67a69e248b3afd6c9257428f7e8319d50fa0ae3c014

SHA512
e3bf5e7c6c3a83c877bb6f675f0721cdf40193d86908dcb56e1e0fbd9d57e61722e08909fe7301b73e76bacc3165889a818fede2d45772bdf6a91f58cf82b656

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
74KB

MD5
e5e10e8461e9383a3a55a7781716bc6b

SHA1
54ce04f5b7c70a6b462ef84289fc6f7d8ee74d31

SHA256
ebe67ac4f7d780a9d68b0de82553ecf7392c8e1ac6f7c65a544cc6b28872d271

SHA512
4fd3ab3c1b6ed064032f6f93df0a350eefbf9fe6a1e8f764cb0aeb0fd5b2c0b61b13faca5724d7e7e26a40d88b6b3f354a34ade544abb01c8e9e751f9efcc82b

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
74KB

MD5
fbbe38e401fae2d940aac21692c0b82e

SHA1
ab9c4d3d910d84042c1b614dc97b23876afb87f6

SHA256
c2e8fd370716d0be8d0b3379e3d4bf2d6845dde64de3c61efc4ccb71fff339c1

SHA512
457f0f19cdf6f008ee9ba3470cf62e2e0ca4a2b2c73d5aaba464b2420ee688c6153bf88aacb1bb6a9c36df632eaa52a376a2bb8027a5be33d628621b902b4fcd

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
74KB

MD5
631cb1cfc3ed592cac3824d559c4b965

SHA1
33b77bf3537c3bffffeb6a4ef76ac8eeef472028

SHA256
10d6feb7573098977326302eb7c8bea1edf8b78217d6e28003230687d7ca7f14

SHA512
ca535b7872dfe17d1a86a0d3eb905573378eacc74b3d56a6f51895db086cc7a9fdfebd3fd66d2e7148743603cea05f6d5e8a282ce9749e0345a4527bca907ee5

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
74KB

MD5
edfe46fd1abcc7a374b923d097d8742f

SHA1
341b01773f887e46f8c66e98c95c6c1c5a8b693c

SHA256
bcb1c9891d2fc82b02b7b5b72878cf832fe7d218e816ffc98e4a29868c815a90

SHA512
7a526c73c2416f96dbb23cb98188bf842e7f48d684ee8ca1076f92f2faf48dbecc94b281e31f8d8f4cb12f1f9f6b356b32b92309e1c2d3a02046daac724d1d0b

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
74KB

MD5
f958451ad4f5c2a4b2188c4000dbb0a9

SHA1
e592a3110759cabb3d58707457f463208732ab04

SHA256
20a6b1b94e6a7724fad45b54d2c2022535f98f4889bc074753783aae936e8076

SHA512
ee2b42eaadf47c7508e7797a693d7cde3acd5a873bda904b53aed6fc18c8ae0a90af1cb59f3a22a9292c35b153a4e1426173331a5e1ecb4fbe6194a58b468a24

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
74KB

MD5
21bd003c174ef9f969436f777e8cee42

SHA1
c82ffbfb656c0955199e784cc808d1866f4f0854

SHA256
c14d15be370e01a1752b1c90d838ebf4541c4d2c44595deecd1df4ebacba51b4

SHA512
b474b26ff90987b1320be7fdfee12a5a2eaeaf771f6a62a03271f59f5312c1b761d3522cb53f3abfe5d6d63cdfaa6d2367ffe63dc7d6b544002761cbd3798bf0

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
74KB

MD5
082cd41c1a0b6762846e226be469674e

SHA1
9695127c6a7865f3e179dd846899fef7471e03b9

SHA256
b5149805d91158d697797aae34d7f6dd3e6f1076b50d7bd751196b853ce9fe80

SHA512
67e93a3e5e791ed31bed7a35ab63602506100dbca59ab64f30b4fbf40da879536b4bf11c357461fe362b69f639d10fe94c14baa47cf6cbced4c78974b6f210ae

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
74KB

MD5
f54b48b9cdc63784b82c71d9d663c477

SHA1
f0c67f3a43df4e718393b5ca65fe54995d4a109a

SHA256
6ba7be04af47b43de03faba5bf2b4e33567a143218d9f1e54e02d445afbebd28

SHA512
df026c393275703657d153674b2b79e96c404260283e6e8ce4524532d1cabdb6f5f904fdd0ab2ce596f3110dd95b93ad3cd9fe0661d481f0f44a09ff2422f2b6

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
74KB

MD5
68ccd645a4f4050e17d897a809933c07

SHA1
a375de34d764cd1ca025f8bc2d58ebf067a2a6dd

SHA256
1622c7cfab9ea14e32d0730065735601f6417355f2a2eb2c875eab63c0ae2381

SHA512
455e11455b8863c87086bc190cdcf205f1a120ded1c2665e8e4d4f78eda23ed326ec266cb8031bb8d7a8d9e40150e1497e0626ced6c062422b98e117bd485638

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
74KB

MD5
e54561a833bbf1f0f0730d23f619184c

SHA1
ccaf8320ce04a2d9467b276740c76142b87198ff

SHA256
8061e3c4886523c9e00ca759d0ecce0469eb35f5bb3c7ba0b74aa16494f8798f

SHA512
943f2fb04113ad5174f09594462840db22ab6c86137156282b6f6eafffb4e934e425e798caf5909535f5aba2a41b327377f4fcf234724b1960582e6e2f2d9b74

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
74KB

MD5
ce42123ba814a286a4f0ac8863d6d9c7

SHA1
dac689e6023f53307702320d77b149f4528e3a3d

SHA256
444e4eebdf9d886bc56715d76dcbcb1dab47d8ad13649d0860f713123585894d

SHA512
826110a8556a395c73bb17790a7a4ede74c13f21a0570c5f86e6a254f59f2d6bef943d52f2ed9ef77b8067d4c91ee48c7571952da55fd0a44b5cfaad4524ca92

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
74KB

MD5
57bf38695a295f5f4ac3db020b4135c8

SHA1
67aa1ecefb454bd3bed2526d8911e2ef27c4cd5a

SHA256
7382682e0f6199556a00c7b4e486123d1d1233b2ac77891b41b197e641ada22e

SHA512
38f129349092a449afdca130494c267e5913324505f474c30ef2bcd5845474a6e1c1f0fa0941453827bf787ec5b2691750b2e7ea8919501767a9d880d1f861eb

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
74KB

MD5
97c9a22d641b945803723c1f537d536d

SHA1
2c2ea875efa658fa5a14b6d22646234a9a150da7

SHA256
d6e31fdf0ea2570851dd56a341c7c20f3cd9e65ed6aa8d53a1833a70bd55f1e1

SHA512
1bd7d609f1bff2006a5cc0fa4b28709e9d8f647daca1b2cede16a8eeace0acedb8f3e0eb41a13dfd039a542aa3b11a1793d6870176fe5ec03e4983c3a99286ff

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
74KB

MD5
7280ca94cc7b07352abf4c1beb91fb54

SHA1
206af4e2dac54b97c4a2947e79917e9b0f9d1b0c

SHA256
5c71bbd629db799c416b252f817ba0f01579c88173562632905747b9a6f85742

SHA512
badef6e2dcbbbd93436f837e747f8018873cf7e0c438e04bd39b99ff6534e3baec7d100e0b5579acf5e9388ef790d52043b5476dedc0a04fee77380e4da550be

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
74KB

MD5
06911aab2ab4f6f888e8b2b584329a16

SHA1
5fa1164f3bc9e03a0b6a96077d4a7c1c6b82ec6a

SHA256
2f135caa2320ed31724006d43f1141b3c611979a4e0c2528c4e692c604b66ab3

SHA512
f0105d21d40d053bdb6ddeb4065d9366adc6a86bc15ca36f2b01979b0a90c061fd3f229c1d4c22d6343428b639c2c04a467b2ebe483a5f103eca670ba506c037

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
74KB

MD5
e73688129143e3acc8331ab60a822e14

SHA1
350c7c9800f512a2a3b282df9405f5ed9ea6844f

SHA256
15bf066ef8aae30523912da4aae8b49c7f72b78df83b8a18b91589a64df08933

SHA512
69c6bfbee6a2f08f54388cf08e47143e991d7208a3cb3a5ec39fc388de2fe220a10d347b590f2382ddb2e199a026dbaaaf4e6d53cb0d36946bb75550167b2a8b

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
74KB

MD5
165b6132df0fbd7aafcf71edb598dc98

SHA1
4af87733cb5bb734cbf9ac18db7d39964106a654

SHA256
af93d333124e3d4068c4ada4cb6d78fd49054e9a50325c2c68be7d2e77dca94c

SHA512
494db6e5b17cc110d66fd7750816fad2ac837dbefcb7a5659724279c72a0b776e4be3e42896e07be308884f82fc3408772b0635237c09217d0224cee3c2a0c8e

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
74KB

MD5
bd75ce288535b7d8cb1a8aa3b68351d0

SHA1
ba8cc9c2c5688b7fc685c9139e52b3c20332667a

SHA256
968a02c198c9f833677ddf656a8c7e8f547d73958c20f37f1da111fe81222c94

SHA512
276773e84de8d68af452a03bda9c44a4601b660c202f81afa5a702554a6730034a1126718311c5d7be0d8d8f001580cb52d68bf8438e86264b5472851f3bd719

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
74KB

MD5
5d04a2b709784075491b91ee09acdd85

SHA1
7ccd900ce01682093d5e857367f49158679c63ea

SHA256
7c4e9a88d72468b2fd3cd0ab68eccd23e6b984f5aa6b18eae4d86c30a1fcab1a

SHA512
3537b51097b731ae485082fcfcfdf76997ba7ad92f178133db1c80676fe130422669e59c5ff3ad1e33b6023b47a4b17240ee1726d2296553f765c4e20fa5c271

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
74KB

MD5
73881604fb4cb01c1ee224265d3cdf1f

SHA1
cb997618cb5a6f0a93e8082d0974932ca4b6bcdb

SHA256
e7f18edbdc4a1545b6e57fa8b19c367aafd27a451f104b82240b9cf3df913113

SHA512
8a70239123dc0b89019e46915294739962835b2c36b5ade65ab563cbbbfae474876f13472bf6681efe80b85b1e190b5166d8be3e990e0f61001d0218929e0052

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
74KB

MD5
ef1d3425293b292113bccf51a3643a7d

SHA1
e2b55318206b8f06f5a3d981f2760a2119d1c42f

SHA256
97816904969df2326e4230956aa64c9426f16f1bb9b828d666ac24b324b3105c

SHA512
a311478ef8c9c87f7d91601099f35f59d6dadad5b9b49b96cd37049b94620a9768e07503e6a3f094dff5b4c71d92b8759db23539d60af602b72e1e8527a92889

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
e0647bf26b3d2ca2cb289d87aca68e19

SHA1
f1b8a9760cebb17e16331f5f4131365a75d18915

SHA256
266704a25b99afc2fd37f44adde2ba8d595d29a9ae912288a896f3499e9cbe5b

SHA512
63a0eabe30d8efc40aa0d7c203c33d701fbd88b5ef554d0cb3576e6ae8bef3cdb73046e8fa0d4e8c5c9d4e8452c29f1fa341a55d5bf6791bbd1802b2a53873fc

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
f36d4db0b0d5bc46cd6c2ab657f3f214

SHA1
dcbaf151d8c61f0d540b63540029f6572d4ac772

SHA256
bae9f31cf81a59824c4df87887b398449477149a43aec8208191b30deff26d63

SHA512
ee19c13f0126fef3fba1dcef7c2036888502841ab6f78e12aa9273acf3c0e5c2de298b806bfd8bde60409c1ea4dfe860cd1f4425a102b51e94ef66922f1cb1e1

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
74KB

MD5
26defcc6dc9f1d6d04f5751fd8808981

SHA1
a3a864ee0339d7d0b64850cd62de1175f7f48b50

SHA256
926ab521f164f8815ffedd25c86730062cba64984c00fa4559da9edd8200c240

SHA512
3678997601f6d235a1821985002eebbb14943d21fbb67582966190a94e8d445f394a646fa758116ad4f9e92759ca50aa9d9f814ac01a6da2b8182a5936694e75

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
74KB

MD5
99cc7310452cc7f6574df46acb29976d

SHA1
7e4267b3c02a539d196b551ec7d357b55de21da2

SHA256
438636498020c8ec6cdf08af533524b581cae09b8ec4a33230a441614cbe37df

SHA512
5c255dc241d9b8c0b67297e8373c7ed3293e26fdaea9ed5a7bdd2a4b5d539f78e408bb1aae8019616b655fdf0424330b3a7a648c4087f91d3fe4e9c484ae9090

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
871647faef098ccfae8f286a35b1b32e

SHA1
c2af8cc966a7bc5e0ac5e2a8cb757f3073c83ca9

SHA256
187e42b645e6690a57f8d9fcbcab06dc1afa1966258696532bcad0e9ec1a40aa

SHA512
3acd214302e8f8c7df3cddfe2d056b96e12d1adcd74ac3fde82aab15d81cc14f735b9e5d26a730571c7e05a17861b69875a0a55d0a42e62b26110cf26423c8cd

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
74KB

MD5
efeaaa00e53f280d62cace5953f0dfbf

SHA1
363e3bb788a3618cf6b28034f9ceae36b897a501

SHA256
7493574b14473b45789a3eedf3ce3988ed6b017de77a5bc5684040fd5a4548fb

SHA512
3f5833e09a7678b43559db6a5646828220e01a028a24125eb3c6cb20dd437550fc87cd9139916886e91d9fc0e407cc0ac5d8c535d42afc668530716f945f6222

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
74KB

MD5
5e0fd7d4fbcb64ad3acf969ee4a0df3f

SHA1
f6fac8e562bb91e217191633264f122b68ec07c5

SHA256
76d8ae3cec3ae72da2174b630b72986b379c015e6d88f37422669121af8bfc38

SHA512
49f15d7e22ae0a03e395d01ec6f9f2d401d2bb0c9c62debf8d34874a8581721f3413bd68eeb6e5901ff27469d11d754903b810e1296a440c7f7e8b3be02e37f2

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
97a4ba136c6f196dd9e9c768a688be0d

SHA1
fe61d3ffa3b77ce492222281df3d48fc5410e215

SHA256
6a7b08cb6da5f45528fdbc9695cdaba15a6d21ac5f706f1c674e629e5fdeed1c

SHA512
d9de83b44cdcbf4163a890e2e21ab09b30ccdaf3c7c5d3867dcc9995f560ff1a704b90c7e969843d4d18828b1086b3228f93a8d72b5b69c58b5e5eb6ff779ab1

Download Submit
C:\Windows\SysWOW64\Qjkmdp32.dll

Filesize
7KB

MD5
10eac135b2fb71408df578c859f08673

SHA1
b5ecb051f8981677aa929a031fceb88db27a29f1

SHA256
97409321743cf23fa818f955713a4c43b70bd0f4b89ee5082c6a51f84c72f8bc

SHA512
6b720c4b0096af2c6c7b8e0912b4c623461476b826f9ff58820f3956ab10b5ae206d58d26ab1a4f91e8907e82867e90f1a01437904d4fd6b48f342bc09d77ece

Download Submit
memory/32-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/32-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/460-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/460-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/508-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/624-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/652-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/652-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/940-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1020-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1092-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1092-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1416-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1592-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1700-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1820-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1872-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1888-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1924-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1936-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2020-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2084-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2212-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2256-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2320-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2344-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2404-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2440-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2628-284-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2772-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2860-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2948-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2976-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3028-229-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3156-131-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3224-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3252-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3268-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3412-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3512-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3560-279-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3600-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3612-302-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3644-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3744-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3752-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3792-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3800-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3812-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3844-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3924-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4040-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4068-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4080-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4416-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4436-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4452-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4520-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4588-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4620-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4652-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4660-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4848-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4876-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4908-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4940-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-99-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4972-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5056-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5088-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5092-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5148-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5192-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads