berbew | dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309f

Analysis

max time kernel
102s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe
Size

92KB
MD5

5cab42c58d2df083616abe0264078380
SHA1

bac2a2cb31f8317e02097188196c13e32677e96c
SHA256

dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309f
SHA512

81ee5a0f7f91501d68433ea6a51c898837bf0396e3f4f393b350b2fe229bc6e01af65f7d0a2f24c074f4611c1e576ed6eadc81e66c9e780fdde32d30a04f17c0
SSDEEP

1536:o7YeLCbQjxJpGxSmLFu+a7OZ0WjXq+66DFUABABOVLefE3:2ebQFJpNmq7DWj6+JB8M3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3392	Ndcdmikd.exe
2328	Ngbpidjh.exe
1252	Njqmepik.exe
4216	Npjebj32.exe
2252	Ncianepl.exe
3184	Nfgmjqop.exe
1844	Npmagine.exe
3352	Ndhmhh32.exe
2532	Njefqo32.exe
3404	Nnqbanmo.exe
2112	Odkjng32.exe
1488	Ojgbfocc.exe
4356	Olfobjbg.exe
1060	Ocpgod32.exe
2872	Ogkcpbam.exe
1056	Ojjolnaq.exe
3264	Opdghh32.exe
4004	Ognpebpj.exe
5068	Ojllan32.exe
1744	Oqfdnhfk.exe
3488	Ogpmjb32.exe
3832	Olmeci32.exe
4956	Ocgmpccl.exe
4888	Pqknig32.exe
1016	Pgefeajb.exe
1740	Pmannhhj.exe
4564	Pfjcgn32.exe
2612	Pdkcde32.exe
4496	Pjhlml32.exe
1732	Pmfhig32.exe
1996	Pcppfaka.exe
2936	Pjjhbl32.exe
2264	Pqdqof32.exe
3280	Pgnilpah.exe
2820	Qmkadgpo.exe
4752	Qceiaa32.exe
2732	Qgqeappe.exe
992	Qmmnjfnl.exe
1436	Qddfkd32.exe
1484	Qgcbgo32.exe
4704	Ajanck32.exe
3896	Anmjcieo.exe
1804	Adgbpc32.exe
696	Ageolo32.exe
4792	Anogiicl.exe
740	Ambgef32.exe
1688	Aclpap32.exe
3980	Afjlnk32.exe
2464	Anadoi32.exe
2128	Aeklkchg.exe
4748	Agjhgngj.exe
4848	Ajhddjfn.exe
3860	Amgapeea.exe
1352	Acqimo32.exe
2356	Acqimo32.exe
1892	Afoeiklb.exe
2660	Aminee32.exe
3124	Bnhjohkb.exe
4012	Bmkjkd32.exe
2908	Bcebhoii.exe
4256	Bjokdipf.exe
3372	Baicac32.exe
4676	Bgcknmop.exe
2016	Bnmcjg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hddeok32.dll	Npjebj32.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bfhhoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5792	5660	WerFault.exe	187

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goaojagc.dll"	dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 3392	2808	dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe	83
PID 2808 wrote to memory of 3392	2808	dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe	83
PID 2808 wrote to memory of 3392	2808	dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe	83
PID 3392 wrote to memory of 2328	3392	Ndcdmikd.exe	84
PID 3392 wrote to memory of 2328	3392	Ndcdmikd.exe	84
PID 3392 wrote to memory of 2328	3392	Ndcdmikd.exe	84
PID 2328 wrote to memory of 1252	2328	Ngbpidjh.exe	86
PID 2328 wrote to memory of 1252	2328	Ngbpidjh.exe	86
PID 2328 wrote to memory of 1252	2328	Ngbpidjh.exe	86
PID 1252 wrote to memory of 4216	1252	Njqmepik.exe	87
PID 1252 wrote to memory of 4216	1252	Njqmepik.exe	87
PID 1252 wrote to memory of 4216	1252	Njqmepik.exe	87
PID 4216 wrote to memory of 2252	4216	Npjebj32.exe	88
PID 4216 wrote to memory of 2252	4216	Npjebj32.exe	88
PID 4216 wrote to memory of 2252	4216	Npjebj32.exe	88
PID 2252 wrote to memory of 3184	2252	Ncianepl.exe	89
PID 2252 wrote to memory of 3184	2252	Ncianepl.exe	89
PID 2252 wrote to memory of 3184	2252	Ncianepl.exe	89
PID 3184 wrote to memory of 1844	3184	Nfgmjqop.exe	91
PID 3184 wrote to memory of 1844	3184	Nfgmjqop.exe	91
PID 3184 wrote to memory of 1844	3184	Nfgmjqop.exe	91
PID 1844 wrote to memory of 3352	1844	Npmagine.exe	92
PID 1844 wrote to memory of 3352	1844	Npmagine.exe	92
PID 1844 wrote to memory of 3352	1844	Npmagine.exe	92
PID 3352 wrote to memory of 2532	3352	Ndhmhh32.exe	93
PID 3352 wrote to memory of 2532	3352	Ndhmhh32.exe	93
PID 3352 wrote to memory of 2532	3352	Ndhmhh32.exe	93
PID 2532 wrote to memory of 3404	2532	Njefqo32.exe	94
PID 2532 wrote to memory of 3404	2532	Njefqo32.exe	94
PID 2532 wrote to memory of 3404	2532	Njefqo32.exe	94
PID 3404 wrote to memory of 2112	3404	Nnqbanmo.exe	95
PID 3404 wrote to memory of 2112	3404	Nnqbanmo.exe	95
PID 3404 wrote to memory of 2112	3404	Nnqbanmo.exe	95
PID 2112 wrote to memory of 1488	2112	Odkjng32.exe	96
PID 2112 wrote to memory of 1488	2112	Odkjng32.exe	96
PID 2112 wrote to memory of 1488	2112	Odkjng32.exe	96
PID 1488 wrote to memory of 4356	1488	Ojgbfocc.exe	98
PID 1488 wrote to memory of 4356	1488	Ojgbfocc.exe	98
PID 1488 wrote to memory of 4356	1488	Ojgbfocc.exe	98
PID 4356 wrote to memory of 1060	4356	Olfobjbg.exe	99
PID 4356 wrote to memory of 1060	4356	Olfobjbg.exe	99
PID 4356 wrote to memory of 1060	4356	Olfobjbg.exe	99
PID 1060 wrote to memory of 2872	1060	Ocpgod32.exe	100
PID 1060 wrote to memory of 2872	1060	Ocpgod32.exe	100
PID 1060 wrote to memory of 2872	1060	Ocpgod32.exe	100
PID 2872 wrote to memory of 1056	2872	Ogkcpbam.exe	101
PID 2872 wrote to memory of 1056	2872	Ogkcpbam.exe	101
PID 2872 wrote to memory of 1056	2872	Ogkcpbam.exe	101
PID 1056 wrote to memory of 3264	1056	Ojjolnaq.exe	102
PID 1056 wrote to memory of 3264	1056	Ojjolnaq.exe	102
PID 1056 wrote to memory of 3264	1056	Ojjolnaq.exe	102
PID 3264 wrote to memory of 4004	3264	Opdghh32.exe	103
PID 3264 wrote to memory of 4004	3264	Opdghh32.exe	103
PID 3264 wrote to memory of 4004	3264	Opdghh32.exe	103
PID 4004 wrote to memory of 5068	4004	Ognpebpj.exe	104
PID 4004 wrote to memory of 5068	4004	Ognpebpj.exe	104
PID 4004 wrote to memory of 5068	4004	Ognpebpj.exe	104
PID 5068 wrote to memory of 1744	5068	Ojllan32.exe	105
PID 5068 wrote to memory of 1744	5068	Ojllan32.exe	105
PID 5068 wrote to memory of 1744	5068	Ojllan32.exe	105
PID 1744 wrote to memory of 3488	1744	Oqfdnhfk.exe	106
PID 1744 wrote to memory of 3488	1744	Oqfdnhfk.exe	106
PID 1744 wrote to memory of 3488	1744	Oqfdnhfk.exe	106
PID 3488 wrote to memory of 3832	3488	Ogpmjb32.exe	107

C:\Users\Admin\AppData\Local\Temp\dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe
"C:\Users\Admin\AppData\Local\Temp\dceda1b30a32523ffcbd1380477e1e385004220632b46346e59586b2aeae309fN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Ndcdmikd.exe
  C:\Windows\system32\Ndcdmikd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\SysWOW64\Ngbpidjh.exe
    C:\Windows\system32\Ngbpidjh.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Njqmepik.exe
      C:\Windows\system32\Njqmepik.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        26⤵
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:740
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        69⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        86⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        93⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        96⤵
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        103⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 408
        104⤵
        Program crash
        
        PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5660 -ip 5660
1⤵
PID:5728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
92KB

MD5
055e9985d7d15ee1f9f7182b6b48a947

SHA1
b847c6314cda9cf640a60d09797a7625ff868d31

SHA256
deffc0e7d6f5782746b93d1dcda229378450065297208b9666768b5abd891b0f

SHA512
2c53df9005308e558c1e30e7219d457bd109c52413c3a29ca880664deb4ec22d45788578a508a254995397808cdb030dc4723809ae5a225d6a3f6d9bf41c6fa3

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
92KB

MD5
5e3538a94024ff18f78c57cff6616de0

SHA1
5622114021ba8155e98dea17f66e1ba3f0d7a851

SHA256
b8376599de7953a0fc14183f12165ca364333aebdb1d698ffea0e5aded10f201

SHA512
c8fcdac2f21982f80510e516e00760eac025768d4a6f51ce5b79e2900104518d61966eff11f5d799a59b81f657893eb7e878b7bbdddf018c17429d5e5da4612e

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
92KB

MD5
b1a02225a55e9262afdeda5aac6115d5

SHA1
aed33cd2ad965794f4a5dd680ed03e0807be8a58

SHA256
b8e3d3ab31fa4aae0451e93e4276efd5274b4e871bd4d23d7d9c5764df27d4b1

SHA512
8ff003c255704c37036e7549d73dac82caaa3175945229b41556b631160f793efbd239822f0b98ba2b802f2003d543290cb6a375ad6ce66889a8728cd480946d

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
92KB

MD5
3b2be6973dcf71a56199b5d4f58390d7

SHA1
8ebc42308f01ce730ef8691e6463a5f24ddd77f8

SHA256
82df3731293ea1e4c633f558e2e7952ee52997595312a9d42e1633d33f95b7c4

SHA512
4b4d2e26296346b91015b320fd0d45e8b256134fd7a37956a814e35cd2cc9472a402f20bd3fc24dfd6e55cb349a870ddda0950e101eb1b8b874989cdf4fccf73

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
92KB

MD5
b162bcf9632980bbd56be8ba6979ccda

SHA1
e90fd55a7b09cdb9f3cacf5f41f54b4b02763225

SHA256
3e6a035464b9ee2c42a28b07461eade61b422b243a62b649cce6540534336fc6

SHA512
f48234b0e9a7b88544ee1dad463cf43fe78a53422fe931e2407ef73c1767c4c013bfcb9b0198440f957ed4936919782846c61d222940b5ad75c8eb995a637f86

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
92KB

MD5
1e075364810c06deedbdfea9371f9f47

SHA1
b3033b92457011aae25c05c85ad20f1e5cac6392

SHA256
fff6a1f362de280c72f52eeb551929a01ee833b6b172925223dbc4560dcae146

SHA512
8f0037e2c46921607ec8fd33d598a1ba16ffdcac9ce53074758880395b3efb63fc792627d6573dfa44d8b2e7f6bbf1f7c1bad7028690b57fbb58421fbd51c911

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
92KB

MD5
f0f5082dbc27bf17f2dae137e3dc2805

SHA1
baa142ed9b8c405f6cc10ca111764cdf62b0205f

SHA256
a4ba7e8dec2d8894648d7922de30718b94c9cc9d58c9c67a17f34605c56bba71

SHA512
ad954c180eb37ad047b816e08184f692489de0c53d622e3010f6bd5571376bd6b7bb503c420e9f53d6febb9615c0036d44026742a12a2556f0ff2244fa98b0c0

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
92KB

MD5
5780b6136e59acbc806277a0a51cb821

SHA1
631217097bf57dcd885e12391cd1a6ec9696c4fd

SHA256
dbe2c036831bb9376431da2a8a62138d5551133fe9b289c1cc0449fe573730d0

SHA512
a2cb956105fff2ec489ca6cc051c71acc8bf8be9869dbcf618da480bda9eeb56395abbb87f198de37718643ab85e0926cc2a9b02a5a39ea41fae94a335397157

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
92KB

MD5
dcd2597afa5348a7598d6464ec6baa00

SHA1
3bc382209caa9db2d3e0f07b39768d6b1f9daa13

SHA256
020caa0e057c1a86ff85159fd7476615bd205ee7909fccbac45c5078e49913e7

SHA512
264b4de749239adb772a22eee3f457b1bed7a745ec1286c2f30b4272cbfce14d4f223bcac7be85a8684571c1b85941d297e290d843a02ac54a1e4caecf7762d8

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
92KB

MD5
0f8feab5c47eac830abed43b7361deb5

SHA1
4a7ac8e62af34a4e96b3f461fbbbaa0ecd67c20b

SHA256
b62106ef26b2a0e9d7392a6bf251afe75485e318519b11ea91ad1822ec89c267

SHA512
9d0215ab70839fcb93b39620742e76087b296200ab70261170cf795272ab2b6e84bb34587864ae4f55f8dd71e477f007043e70f114a41beb8129320ca8887a73

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
92KB

MD5
63cd278c5a73751c1c8aa83d0c6bb02d

SHA1
d6ff830352b22c005130deda776d7a4f37828a5b

SHA256
9acf8460ffa64474d81393a94782ddc301ff09234453ba037368689e65a4ce2e

SHA512
26554752ac9b2294e77c5e66134e1a7f85e43f55dea7e24ab81fc25abe1637cf11112f87958406bcfdfcd81c1b2320c3b463a6587eab31d8ad6c25d81b3d07c9

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
92KB

MD5
6a05b1906084969663ebac033fe79ec9

SHA1
962f557fa37705f307122303bd5c6de5dcd2b29b

SHA256
e3e49ef698c6560b9749340550789853af20a9b5aef93684102d6f09e07e1981

SHA512
8adec3329dea2b6ddffd70d5fd13b24be0afab119ce802baa2a8d88e88d0700033338390f3aa1f6f306445ba15af12a10311611750b41b112670ba95251f5492

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
92KB

MD5
e6d8f02319f75c28dd254656d6851207

SHA1
75af3728256068d4988a5d702830e198f5330d72

SHA256
a1c0df6d57f8eb4ab18267b5ee1db117d09d72e4cea4bce336a0683989cb72c0

SHA512
740a894beaa0e30bf809a2f014a2554c34c533543ac636d8f2dd4666d98cb7541ded13ddcb64e8eec0cf2642cddc960b30441f94b4b1940d0519666984c3ed0c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
92KB

MD5
65e200c06f19a2bb6a617d4b2d68fd67

SHA1
c0cb80f2ad7271c3374506b1058c3b73aca8db5b

SHA256
69dad0df6e75694e707878df5e5e2c6f5b1db487a271050bc516a8334aec2527

SHA512
7f040d69eeb6be2c92705f8ecdf7110c6ae15a97d4c24288564da32e34af7011826631a140a067bebd087d3836c3d1d480bf7cba970ecc5b93fadd85ab55e7ee

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
92KB

MD5
704ccc4c9dba95b3e86328e4fa27eaa6

SHA1
0e113ffb49839a2b0d52db47874f1febae4f0761

SHA256
6bc3d54ff955f391e8de27ac8e774e7a4263dcd0aec262a86a2b7e0532381c6b

SHA512
565c86fb76375f277491938ab5643d0d588df7fa011094b595afd76e5d4b40e3f90456fba82ffe5b8248be3d84fbcb9f18128d6016114814cb3b9311bdc03c36

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
92KB

MD5
e5f081420cfc647db4c07b107b41411d

SHA1
57cf0592f7a87a55aa05544cb829146f7bca3a86

SHA256
29e6703f57baeea3fc89a5f9ee9906fb9cd80b12022f30d6a28252908c9eb409

SHA512
68035b20eb0f4a5ad40bb0f547f245483cac188ebab469a4a63905a51094bbf1ee74a458b25afda4bfe72cabd53e15b418dec802f4986d37f5fd9d5d661e01c6

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
92KB

MD5
ebbc091729843413bd26a282efbf3a1c

SHA1
3aaf6ea9d2c2cd1686a820b930807e94774faa86

SHA256
c6d6dcca606bf3e7302bc3f4c152fa72d6213fa2471c4d1fbdcc211c107a7881

SHA512
df0b3ca5c774de919be5e1475ca12ce754212f03bf81436128cbbd005aeae4bf61b911af8ba4311d411b48d99be90977436b93710f927885c0468662dd8a8ba3

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
92KB

MD5
f08aa2bd2a27250ecb1fcf9df8fa721e

SHA1
e9d52bbda33c903c3c15a9508529a460e489ab90

SHA256
c0e5bbc0ef48b167456523d318c91fa2526a731b856007c875fb088160ead2f6

SHA512
741c87e0122e7b28f06c9501862b396b13de3979e909a8faffc50b44304647aea3e08553aec9c5bb9c8142cfa26b8594fc6b1c55b817daa6dc447189fefee3d2

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
92KB

MD5
38040fa082e5cdf95d43241670b1d5bf

SHA1
f771c068090150c58383a2a2f99d540cb4c3943e

SHA256
4c44a1f5334733a1fa43c7d2164ccc63edb12190ff08f060d4df12e488d04dd0

SHA512
1de4610b9be329ed21a241e07c0fbd9b99d1b54cd80a38b3992f5b0d6625e22b4adb63b8a7460344224ce5a0db3a858f552a591510074f7378ad6c508db5307a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
92KB

MD5
bbbe7e5d2b9299d0b4a1fc4342975e97

SHA1
be600a45dd155bcc0c12518ff4407dc52dbc0748

SHA256
df4e2049b425f83ab9d694333fceb71aad970a03f649bfcd35d316da0824845d

SHA512
73b95feec2d92699d180cc350f1fc7ffd40e621a128fc15583de5dc487ed2e24ac43faeedd357aed8f5a9e5b1874ab57bb8a84fccdc29a1270a664d87879ba16

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
92KB

MD5
f5d08b6c20d3863fbc68b928b0c26e7b

SHA1
de10cb11b575969d4d26ca86d0a080df4bac8af9

SHA256
5dd6ac3296377f6ecbf57bef3af48f1c898437e8663a4256702956c5c5bd5092

SHA512
f9785a513e12872c03d0bc2e7bb3719a7dc61e2a2fea85f06b877001e4db039edfebf41970cda85eb8a13c8a94ff4a10b69713f9a13e366811ac2bb66305d3fb

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
92KB

MD5
3546da72045ba7d3e0d520af1a2a452c

SHA1
e2c05583a9d17bd6fd62fc986be0c5bbe0d8e530

SHA256
2fed3d81169b674beacb2a722bba7e9523c281c04f8af9289f7cf83a0dd36356

SHA512
41786ce82f60c53fa42079b52b7fae780eb0341b6a3e858fabde80cbb8f43d5610131bec6626a04077bed3309897e82750950544a617b89471e49769beff02e1

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
92KB

MD5
8b569db47be2a2746b2af2b79a392e15

SHA1
2f62f205a54485887c9f28cfde44f3892955a466

SHA256
205b1053df9fd63ab4856453c89d08b2d7c71b50d8532a27d37c1d6de723afca

SHA512
1d97853f9afaac3b7a974748476690e9a42ae39dd6e7f5562a18de2221bc7cf8fc9073740ac41ebb00b7ea1c6e47794d3539f8b421aa59d82144b40bfbfa8962

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
92KB

MD5
f017a98ff0f782d2da1d0b3e4cc2f0cb

SHA1
ce113f38908066998689798537e696ad4374601d

SHA256
40049bf23a4cd50138d7ff4e3a09ac39a24672f611b9cad064513d344c6e3c90

SHA512
1757c3c58f4218384ebd8e74ecf24e8058de91057fa6fb6b86ea01d5e1af9b8ae77549c796e3e9708b09080724fd8d72e78594e1953cdf8ebcfd17eea87692b3

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
92KB

MD5
21a4149765baff49886e12bd93994360

SHA1
7c7cdf77061d432bce36df2f48eef51ed927a85b

SHA256
cb38f251c63d6cb715daad4f67795197146c8371f5b6b1a70bf65014c127ab06

SHA512
df3f069005b7cf20b2e47e9460b03ab25b131eedf8fb0a06c320ed34e5b7649d5699ac35305d1865287d29866b9f5467a0ad5353dcd023dc5e464fc0292e7dd0

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
92KB

MD5
1d2f00b4c53848c0cbf1ca13c8b49f64

SHA1
d22f4547cc22e663f7b2e2da6c195e45e981e309

SHA256
d82bdc155d02fbdcce91881f830f8b3479f11cd92221ae8522a488ec1c9f350f

SHA512
6f104a97a0fa5e4a0fa249705276cc1a256db32f1dd939954140b95898a9459b5ea29638d762c5fa8bf4ffd468ef93853f942e8f28bd9be510e656dce4af576d

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
92KB

MD5
80d2784530564b8fabe01ebf7e9275bf

SHA1
951503d24875fc1929b4842572d55c6c310a5861

SHA256
64477ae52ba281735130287c83a03709e061fab684a7960a45ad25a832dd35e9

SHA512
0d07fc6348b9bd0e841665001550cb7551194727a471054f96cf9c6d683eb921416c8659cbb095d3feb542ed769267220e787fbdf3faf77ee75827c01f33c404

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
92KB

MD5
2c0ca9b5c5b48c89330c878f1acc6ebe

SHA1
6965acb629ab85b82c43f673618deb998de93668

SHA256
447b4af9b5abe00c8ac8676c059faaa15c93d24a360ab17656317c20567d4517

SHA512
23ee81f4edab40e8b707135f4280e8ab71ccad027f3a37ad70acf0c44d011419d3d1a240c1511dd01d8395127595aef8282d24d4d80af04cf1d8e8be2de069c3

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
92KB

MD5
a8709a11a7c9a9cd59fabbfcef457bf7

SHA1
082ba9efa3a4b0865c6a6294d8772fafd10c8d6f

SHA256
ceb6c30a1ed40d2974c7a0311e0ab0be191769c598c5fd68560952a06e76f53d

SHA512
444a2d6fa445976a3af4b356d7fe3f33874888d1f5e3208aeea4cd9cf59d2fc99660eaaf1bf09162d17ae4587efdf731fbbe13046535fcfadbb64362a7504be9

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
92KB

MD5
ea3b24892bbe4a53f3a1a95c424eff16

SHA1
3cc95c875c68cc582af5395743fbd04ea1803e02

SHA256
1f0476a35257d47cf36ef4c7db3cfd7cdc18543d92634555dc44cb95ad72467b

SHA512
60e08f14a12b71056d0cbf9ab2b3eeefb9d489884d820a21d9ab9668e7b9f5d83b8a6e55034688c5a787da3d8fd8064fcc580d9da771e4c40c414f088f8abd6a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
92KB

MD5
9341982a2cb2765a11e76b9e1f412689

SHA1
63dd85726f45b02b88a501e4295e0cc1a643c908

SHA256
b63414135e006ae8457222aabdbde93dbd6f6e0738c8b565a9e9f12268044f77

SHA512
0e5087c98ee8bb029aaf44082727bcd5f01b8798a997e485167bd8bb3af569576e086d0683737e63f789a563c27439f3ecc399b20d71514f0906484ea87d3f3d

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
92KB

MD5
845d875c447b85c7c83ae7e66f7eaaf6

SHA1
fe6124dcd59abb8e955d42ec4c928ed77123bbcc

SHA256
345eb9f46b4b6ae53e4413410c6fc37bf46b073aa987571fae3092d0672b532c

SHA512
244d8ee38bcb511c4ebcbd3fbc5c6c0ce93feb2cf5937e53e06d4800f0fb3e5b8b99d0584d1ff69417919294a8fbfea9e848ac501b8ab88cbee96f3439a10c3d

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
92KB

MD5
8491093a9a3d56ac2c974425972c7512

SHA1
9b6612007591c25f0d3512c8b92f6804e484cb9c

SHA256
62a9386de2b3600b598cc00851dc607f94b0899511a4682b2465c39c17ee6544

SHA512
ddeda6edc840137721439b0258917220bd6f1d4fdc8fec398f38840f2c7aa08e8847cbe328c70fd7e5bdce2f2e7a1da6bdcd65deec5869c98f179cc2f2c3148f

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
92KB

MD5
cfe2337edb89646be44a7e410d3b1aa2

SHA1
ad136629e8780f1e2112983c3456d5ace9d2b64f

SHA256
4ab8424b804825e6fc90b8f953d64fea27cdb86bc0e7f566df3566a56af1d7b5

SHA512
5e3cf9ab5d8ff67042b3ffbe506d186173d7324400ff9e4963c219c1186c2a626b8a056cab2f35dfd8a179968c3e1249774a5afebb5893a9525db463e2959880

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
92KB

MD5
f2b8075e41751e71dcb4254d9b8a4d83

SHA1
df420be4ed4b8bf65c8d6e6a8770066bdfd43599

SHA256
ae1c85417053f82032227c36f05a215d6d982ff5c2ace2b79b6bddff2ab417ba

SHA512
ff3d4d6d86d8ad60cf39828ce2434cd05ab78e49f9f53152e08d3e9a219660420667989a6b48396e8002c47a94954778d957e2558e9e3b7da80117a1728b3b68

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
92KB

MD5
aa59398a461bd06e82d0773b0a40dcad

SHA1
4fd49cb38eecbfd425d69960350ea5e42e4e9dd4

SHA256
1c69c5e84a2887552e27264a9e712444cc1652fd84b195913fef691ab505f1c5

SHA512
fbf1155fa710c16ebda679be33f8889765e869afc7b8033299e7fee46f2ea122457585ebca8de6b21e79f88423f6316a62c5994db624fcc9ae8df85a2e152b42

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
92KB

MD5
ef351b2183f03b7c78b01b7e1de91eb5

SHA1
f255bf003361b8646b70dee157e327701d11ff8f

SHA256
b97faecc94c654733343a35ba9252901eb06eac0b65e82687b15ccfcde63f69f

SHA512
58e3cbc3f9b6d393cd6c9c6b04ab075800fb0c1a8335f27e93e88fa0934055572ea8e33d5db4b0f39e1dc628e8cf5385cc16d5e1d7a443ff4015ba81967f6066

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
92KB

MD5
161ff1deb4d863b77702251d8377e83c

SHA1
b5e2ac76586ee49db191907e1196519e20342c9c

SHA256
77a0fc02bb38ed3c19c51a4879d1fddecb5b1b8b75661254a95fab48ee1e1ed4

SHA512
8f2eaa4c0e01998f545151cdcf510b5332640dfa59522487fd966d71605aebafb203c2e8973a55e480de0bd9b06c9e6243afb83ebbe800700968bc8a981cefd1

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
92KB

MD5
b966521b7b4405661264f827e9331558

SHA1
5348db28f025b729973fb7b347f254dc38316ad1

SHA256
82910beb672f77b1a8941ecf9468a2563fecba023f0137809072533bb2ee16d8

SHA512
65e3850d1b80192077fa052d8f7d38415bb2f777a8513335fe638c3926f26b0a18cb8e1a7842e69ec24119523ee2db34c57669dab82f8a157994f1c29728bad7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
92KB

MD5
ab265f172b57ebe9612817786fa76321

SHA1
4cae5fc7f4a2edde67d5684b8d51d31e86225269

SHA256
0f3eacd22effcb37ae792884667bad113fb98f75f810aafaf8ca1a7d64c9e9f6

SHA512
0bc6a83ff4ded6e5a4195b60ef7e7141c9609ee5890862fcc33b2bb14627d48028f8e380a680612aa9af399de2f43ae0838bbe38cfa0618186e59649c9469470

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
92KB

MD5
78115097304faa1d92451aaa15db4ed1

SHA1
69a0df878da54484963fb38c492af7006b70d60a

SHA256
feb1ca7f4a200fadd6220a3f215060012857ab36e0de586dd471455b8f17fa5a

SHA512
dc97785d7b30c4d33be296c96d8ebfe6f48bf9d0daeb7e7e67483135cdf52beaafc4add7abe77641d2a3bef5952768f41c6c61f6aeb3d6283e5e69160bb87edd

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
92KB

MD5
6dece67db2b414c3f1fcb3b727ed56c8

SHA1
69fd716b2150224002ed937572d6790b45a6b893

SHA256
ec1b598f147f471fa9b2a54484f5d563f8318c80a8059ecc450dcb0d94d9524f

SHA512
55d91ef193ae3831da8f9db20a3534db4a35571232a419f2bb224966350fb99c32b10c6f6ebe3154e3c86df1ce44a8af579a59637a84c988bce212da75cea7c4

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
92KB

MD5
b747b469bc85f5b5303e9e9baeb759ed

SHA1
4af61ae221d8ac6621ab8a1117bff61bdaa0f4a6

SHA256
95a7994cd47ea684b7ed5603e42fed464048d48f68fa7a7fecd0405af3542578

SHA512
1fcd7678329ca1e5f648e3c87fa70e1ca49c51be59c93cd0704602a14f154bbebef157a3cf6ceeed69151f0236bccf9fe6b05e1a5d512064c5b03618ae23dbd7

Download Submit
memory/640-523-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-457-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/740-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/992-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1060-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1244-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-561-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1252-25-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-536-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-299-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1484-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1688-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1732-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1740-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1804-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-589-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1892-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1996-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2016-449-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2032-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-575-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2328-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2356-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2532-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-534-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2660-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2732-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2808-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2808-535-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2820-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-517-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3184-582-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3220-463-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-542-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3264-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-65-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3372-433-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-548-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3404-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3788-562-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3832-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3860-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3896-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3980-353-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4004-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4012-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-569-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-568-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4256-427-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4356-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-583-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4564-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4572-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4632-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4676-439-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4792-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4828-590-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4832-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4848-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-576-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4956-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5068-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads