berbew | 7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe
Size

96KB
MD5

bbae330691205873307890650be952a0
SHA1

c4f416cf005e9ca80edeaf7861c31c328f80f807
SHA256

7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322
SHA512

4060a647ed3e7aa9a270bd85f193e5d38ba4de4501fa8a1283ac90994d75ef993933e161d66296eabeb5500454312d134a0cf69dee84ec3f4d70aadaaf9e728f
SSDEEP

1536:yVcEI7JsK6bOB2Gr+rX5XXOdqhz2La7RZObZUUWaegPYAm:yHK6I2Gr+rX5Od4QaClUUWaet

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlefklpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4436	Miemjaci.exe
2444	Mdjagjco.exe
3700	Mgimcebb.exe
3944	Migjoaaf.exe
1924	Mlefklpj.exe
3180	Mgkjhe32.exe
3880	Mnebeogl.exe
3948	Ndokbi32.exe
4860	Ngmgne32.exe
1168	Nngokoej.exe
3744	Ncdgcf32.exe
4864	Nlmllkja.exe
3640	Ncfdie32.exe
2072	Njqmepik.exe
3016	Npjebj32.exe
1212	Ncianepl.exe
5072	Nnneknob.exe
1416	Npmagine.exe
1480	Nggjdc32.exe
3364	Nnqbanmo.exe
3296	Odkjng32.exe
5112	Oflgep32.exe
2640	Oncofm32.exe
4880	Odmgcgbi.exe
4596	Ogkcpbam.exe
1400	Ofnckp32.exe
2776	Oneklm32.exe
2660	Opdghh32.exe
1396	Ofqpqo32.exe
2432	Oqfdnhfk.exe
4964	Olmeci32.exe
3804	Pnlaml32.exe
3432	Pnonbk32.exe
1580	Pfjcgn32.exe
2872	Pgioqq32.exe
2428	Pcppfaka.exe
884	Pfolbmje.exe
412	Pdpmpdbd.exe
3284	Pfaigm32.exe
4184	Qceiaa32.exe
1188	Qjoankoi.exe
3900	Qcgffqei.exe
5092	Adgbpc32.exe
3380	Acjclpcf.exe
4020	Ajckij32.exe
4340	Ambgef32.exe
4008	Afjlnk32.exe
1720	Aqppkd32.exe
1956	Ajhddjfn.exe
4692	Aabmqd32.exe
8	Ajkaii32.exe
4468	Aepefb32.exe
3308	Bfabnjjp.exe
2420	Bmkjkd32.exe
2132	Bcebhoii.exe
1300	Bganhm32.exe
3632	Bmngqdpj.exe
464	Bchomn32.exe
3208	Bgcknmop.exe
2384	Bmpcfdmg.exe
4384	Bcjlcn32.exe
2492	Bfhhoi32.exe
2152	Banllbdn.exe
396	Beihma32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mlefklpj.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kiljkifg.dll	Miemjaci.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mlefklpj.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5144	4516	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miemjaci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4436	4376	7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe	82
PID 4376 wrote to memory of 4436	4376	7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe	82
PID 4376 wrote to memory of 4436	4376	7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe	82
PID 4436 wrote to memory of 2444	4436	Miemjaci.exe	83
PID 4436 wrote to memory of 2444	4436	Miemjaci.exe	83
PID 4436 wrote to memory of 2444	4436	Miemjaci.exe	83
PID 2444 wrote to memory of 3700	2444	Mdjagjco.exe	84
PID 2444 wrote to memory of 3700	2444	Mdjagjco.exe	84
PID 2444 wrote to memory of 3700	2444	Mdjagjco.exe	84
PID 3700 wrote to memory of 3944	3700	Mgimcebb.exe	85
PID 3700 wrote to memory of 3944	3700	Mgimcebb.exe	85
PID 3700 wrote to memory of 3944	3700	Mgimcebb.exe	85
PID 3944 wrote to memory of 1924	3944	Migjoaaf.exe	86
PID 3944 wrote to memory of 1924	3944	Migjoaaf.exe	86
PID 3944 wrote to memory of 1924	3944	Migjoaaf.exe	86
PID 1924 wrote to memory of 3180	1924	Mlefklpj.exe	87
PID 1924 wrote to memory of 3180	1924	Mlefklpj.exe	87
PID 1924 wrote to memory of 3180	1924	Mlefklpj.exe	87
PID 3180 wrote to memory of 3880	3180	Mgkjhe32.exe	88
PID 3180 wrote to memory of 3880	3180	Mgkjhe32.exe	88
PID 3180 wrote to memory of 3880	3180	Mgkjhe32.exe	88
PID 3880 wrote to memory of 3948	3880	Mnebeogl.exe	89
PID 3880 wrote to memory of 3948	3880	Mnebeogl.exe	89
PID 3880 wrote to memory of 3948	3880	Mnebeogl.exe	89
PID 3948 wrote to memory of 4860	3948	Ndokbi32.exe	90
PID 3948 wrote to memory of 4860	3948	Ndokbi32.exe	90
PID 3948 wrote to memory of 4860	3948	Ndokbi32.exe	90
PID 4860 wrote to memory of 1168	4860	Ngmgne32.exe	91
PID 4860 wrote to memory of 1168	4860	Ngmgne32.exe	91
PID 4860 wrote to memory of 1168	4860	Ngmgne32.exe	91
PID 1168 wrote to memory of 3744	1168	Nngokoej.exe	92
PID 1168 wrote to memory of 3744	1168	Nngokoej.exe	92
PID 1168 wrote to memory of 3744	1168	Nngokoej.exe	92
PID 3744 wrote to memory of 4864	3744	Ncdgcf32.exe	93
PID 3744 wrote to memory of 4864	3744	Ncdgcf32.exe	93
PID 3744 wrote to memory of 4864	3744	Ncdgcf32.exe	93
PID 4864 wrote to memory of 3640	4864	Nlmllkja.exe	94
PID 4864 wrote to memory of 3640	4864	Nlmllkja.exe	94
PID 4864 wrote to memory of 3640	4864	Nlmllkja.exe	94
PID 3640 wrote to memory of 2072	3640	Ncfdie32.exe	95
PID 3640 wrote to memory of 2072	3640	Ncfdie32.exe	95
PID 3640 wrote to memory of 2072	3640	Ncfdie32.exe	95
PID 2072 wrote to memory of 3016	2072	Njqmepik.exe	96
PID 2072 wrote to memory of 3016	2072	Njqmepik.exe	96
PID 2072 wrote to memory of 3016	2072	Njqmepik.exe	96
PID 3016 wrote to memory of 1212	3016	Npjebj32.exe	97
PID 3016 wrote to memory of 1212	3016	Npjebj32.exe	97
PID 3016 wrote to memory of 1212	3016	Npjebj32.exe	97
PID 1212 wrote to memory of 5072	1212	Ncianepl.exe	98
PID 1212 wrote to memory of 5072	1212	Ncianepl.exe	98
PID 1212 wrote to memory of 5072	1212	Ncianepl.exe	98
PID 5072 wrote to memory of 1416	5072	Nnneknob.exe	99
PID 5072 wrote to memory of 1416	5072	Nnneknob.exe	99
PID 5072 wrote to memory of 1416	5072	Nnneknob.exe	99
PID 1416 wrote to memory of 1480	1416	Npmagine.exe	100
PID 1416 wrote to memory of 1480	1416	Npmagine.exe	100
PID 1416 wrote to memory of 1480	1416	Npmagine.exe	100
PID 1480 wrote to memory of 3364	1480	Nggjdc32.exe	101
PID 1480 wrote to memory of 3364	1480	Nggjdc32.exe	101
PID 1480 wrote to memory of 3364	1480	Nggjdc32.exe	101
PID 3364 wrote to memory of 3296	3364	Nnqbanmo.exe	102
PID 3364 wrote to memory of 3296	3364	Nnqbanmo.exe	102
PID 3364 wrote to memory of 3296	3364	Nnqbanmo.exe	102
PID 3296 wrote to memory of 5112	3296	Odkjng32.exe	103

C:\Users\Admin\AppData\Local\Temp\7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe
"C:\Users\Admin\AppData\Local\Temp\7deffea81fdf0f0216fca2a2d605249e5290e1ba2f06fa2cf23aeb835792d322N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\Miemjaci.exe
  C:\Windows\system32\Miemjaci.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\Mdjagjco.exe
    C:\Windows\system32\Mdjagjco.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\Mgimcebb.exe
      C:\Windows\system32\Mgimcebb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        48⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        74⤵
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        82⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:852
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 216
        92⤵
        Program crash
        
        PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4516 -ip 4516
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
acf0ce19bdde3554e9d5984b49196136

SHA1
ae5ff6eb68020a03cd35bf4c778bf61f7a0488ee

SHA256
9221d053e086b764e7c516496b5077ad2befdabb2914b88e5aab1d299d2331bb

SHA512
15b0f14930456a3d6226d65d8f8c837d851aaa7177a25dbb8c4b07805d06a4a41a8729eed6384fc43ba662d371d27c63391377c7e5d2c7b1f485b2b0bd4e266f

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
f1322e3ecf92d660c94d8d2fee6cdcd9

SHA1
b1b7b2f057d545231e96d04289a94c8d1706810f

SHA256
03755a99ea969a13aa6ced23ba2513eeeae4c3d3adc667a41b9bc32bb4d4633f

SHA512
618d056c021436432e29a1ccff131f82f332b503032c8ad1a574fa0ef73660fa116af2f4daeb4e353cd8acc897ee50aa3ffc582dc0a6b81abe4cfb6ed1b700e6

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
dc5c2d0fd627eb6a9418f015387b4410

SHA1
334c5c424959c724d67db7e59b81544c3001d555

SHA256
741d52a8abcdd16c3b311bb8f34ae76bd04e2d86ecda64f04afea22c73282518

SHA512
586100de3cb6d8631f4a765b189f2492853bedca854d228cbd4112a3869971c67b7b16ad73a78b641629b239102ae12ab3eaba398132513b30dd2310a9d3d522

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
96KB

MD5
4f2b677d0bc55a2fec2a99c776246fb1

SHA1
d2c544c85f434c55380569406f539553367aeb5f

SHA256
5601157abe468c71b8f9e2cd048df3a89e244d39f8641e8f2e05b5fdbefa8858

SHA512
a5fc50c8bb55cea51910f5f249d3c8f1ad509c88a8c60197760e1a13efd071da517962425b3986466abfd45f7766546e08f8f23f0d9171ba33a242000ad62160

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
96KB

MD5
a9bcf63d9b3e4c39521b6e8afb87e776

SHA1
d4820ac4e8808c5c768adc745808b33a0957e3e9

SHA256
1925c8474189030d670bae8b65235e37dc01f7299b5f160473342fbe18bc52b0

SHA512
6c34fcc8b6798097ca3f5f68ec3da9e800520a0cd818503ca66a80dbe0a6e13a17850df212de952b906a7bc70f29410b5bf8c785569d776d6c511b60031a0fb5

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
8f0a5f713b86f0ab128f0d782423658c

SHA1
6003a65a02e05e40fa671aca5b735a3ba416b3af

SHA256
990dd45c2005c181e3ce9077976a761d2c72f7740d62ab0087687bff74b1288b

SHA512
b76301e8a1ca65901f8067613c41cf50602a74d23cd4b6f8251245e10044bea0fadbe9ac38dcf34850047cd1c6d027a2d4a9c7643bf645a3532afa1e11511c42

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
96KB

MD5
1e6d8c769b952aadae6fdcc3db75cabf

SHA1
505ae0676b7ad03d89fc0c8407c783720441af91

SHA256
d28ad484519069454f3b40c7ff536b73efceac4f979fef2b5ea468d95a6ba725

SHA512
2b785f87d5ecb3114adbf3ee228ba5d1224976d129a6d9c69345949dfa828db414b1c6b950b1382724f3fe9fcef1e78f449b3f00e49a6e63eea01781f570c4f1

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
ddeb311f23afeaead69a3725e8222e23

SHA1
1bf9a58cacd1bb24cb885b992423c722ac100947

SHA256
64dcc1454399af83e9ad0ae69cacf6a23df9fc4e75f67ab7b122104473cb338b

SHA512
6ff71df1c1c2a13582b32c051aeafa489636e1cba6a4d5706553a75879419ce071988becfd9d176b72fbdaf39aa65072bfef825db412b5ef4c895340b5ed9487

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
96KB

MD5
a1a3731499a04a39311ef5c9a93fe69a

SHA1
32caeed0907a8d29a1e97fa326ad0fe3063638da

SHA256
1fe36d534e86933c09bd4b677809cdfc90e9d60f98139feb2bc0ff69d5c0f394

SHA512
f8e253672091e1b5c6ac7a14d4a678596f9bebc048a09868b8730a67d8d72acc22665b100af969767c8f8e8a4a135bd8b65f4276e43dbc79ec0ffcf31dba1c39

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
9329bb466bb34295066178caefa527b1

SHA1
d4b2add0b63ef28bda09a1bf4033f1248df06af6

SHA256
40f9135d3948e7e4b2988a41e54539e49d56f655bbd7257d63e0209f9b30455b

SHA512
cf96c1a9a7943b61f04dfd644ed1e68a0833bcae1afd9661c861c8057517daf97dfc8a3fa680f9c59b10c0e32ffbd779102061036a72b5cb1da6c686619c8996

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
0dc505c4cde1933a678521043437495d

SHA1
07c4805a201f7a93118b2e6d6252082e8cb4f838

SHA256
eec62fe0f1ba118aca9fd0185b60fe527c613a7fe2836da702c79fdc311dba3b

SHA512
79019d9d2a54819448380f109cb7012617ffe6acc3766d3bd7f1a5f986ef30997c8502ba89ce80d5a09ea449a50c02646f7feeb80e3df617fd4708f366877b1b

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
3b7d89629f08c6920de7898227253da6

SHA1
3246dcd5be5115ad416337f0ef268350c127a5d6

SHA256
5bb40fa71f206c68f05628647c3cab74828017113f03bf3c9c56479be1415d40

SHA512
41bd47a6642234dfa7538ae84a5ed3d20929b49435df31e1c2d11c05a03223e6f9b1b6633e20d2deda32df581ac9e16e7ec22e95e90f0ec5cad3ac7bb8326c0f

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
e8837fb6ac3607f241dba65182cd90ce

SHA1
3b0c4ec579c4ff5c6a5938c4b9773bc187a3377d

SHA256
3ad45acf24f55391c00956a386484db5278b1a88aba072cd478fa4108171eb6b

SHA512
c25509c11a7e185d997532456ed11f440fa140a7c2739a871505ef0cc54e25906c5712f840272097abf7d1ee593781c874fe751dd41442d39a26917f37345948

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
f362d03a7b941f666502f7b95221418e

SHA1
23d2299d6acf53ce8915229da340094c84f00826

SHA256
6e4930d8a2b2b48c1fa3f3e35e57f024f166b3c52a3b19f0195b0b05ec67cc49

SHA512
6db3d33c93fdb7f32fe9fc402a42af1550a533769986a0d9bce8f97a1431de926917be4903ef6e2fa27e213b5410a323ac708278c52bc99874b5c6a285aa5a3b

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
96KB

MD5
652133ba6c6384cf8b52a07e04237a41

SHA1
6f0b5d29c5e1847085954860f0bcaf2c460502d6

SHA256
2f21a854e74338297bd73f865f0fd72744f9246d22c8a5dd86aa25b75d761079

SHA512
bc49435a36f0d6b1a84b60277dcc1d6e1fb3ca5e65a691e1a4cc893ed3abf3679c07e83be20cd4049d6067978ff7ea0d2cc818e308b7562eca4ebf33acd65847

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
96KB

MD5
93fea039cfb793e8ab1a77bb1ae6b764

SHA1
78de1fbd6eb554fea2c07985cd68b4cab89b03c6

SHA256
8408d8a2b2a1358b4168b3036ddbc354ed6e1ee80570f35f09e0318d254c9f50

SHA512
3dfbc069a0f5f75a9e753ec5b4f024b8a1b5434221911b912fd80cd45b18a564475e2944e6f3931d57d010f6a928b4d3f5dcb1613e4e147f1d843fd3f075dfbe

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
e2b328078436049ecc49198fa57d0a64

SHA1
f6c499e3f1c87035d4dfabd53a6d856ee57ecc92

SHA256
8a49cfb181485a7d1a7fbcf02ffeb88693e68538978ea918b5b307c11c8be169

SHA512
27b924994e9ed16794a2f4cd7adc90b054fe1520f6fd08dbde3623cb0f5b455ef25aa578b5adb7979143f153627b976326d371886dcacb3ccf18a697dc946638

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
96KB

MD5
98644690ad6a78b39fa6d09547a32bee

SHA1
37095af83d9198afbdd12703ed7b0a79ac74d201

SHA256
22305bc8607e2e25340444e2575b01449fb09cda15e1340a836c88d811c286a7

SHA512
4e50cefa8613f0bc2976797a8cd6a55afcd3ae3047cbd6df665a5f1e25315d67ad002c38bee473ee3dfabf0f4253190388580ca2b1e3b174051b46c0dd86a0be

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
cab87620956b13c64ca5d7f6a454be2d

SHA1
4bac7e0d14f8bfc5ce498191cad3d2d07920e8b2

SHA256
3c46058063b42171faf82913ccb651801cc18687872aba2c4670d0cdc0cfb999

SHA512
369c3c5236fa352bb9dde5fb05bf47732003d8b22c516ef4380cf08fe9b5232318c2c1d1f880d3eb5264f1e6eff90acb1dab981429c187853e6b0f5865bc84ac

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
3e3d654902ba1d98f2695704e2c15126

SHA1
7e088c0a48491f7eba643974b73fc9b6071670be

SHA256
be7422e1d83908eea0652838f3aaa7e53781e077da496248e21db19a093f2416

SHA512
eec7727a12b79fc25ead3789c4224d34899acf585abe7c741826f6236ff9d2c9ac14b7bb2123945cd6358d92cdfec0046b4ad45adfeb089442a000ad8ee5241b

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
96KB

MD5
cf9db61b20c5561fdd5381639ac5c523

SHA1
4776ae215897d8a6007b716c4b81f98178354964

SHA256
58b73117574f1a5026b8deeb8aded77869ffadf5088a5aad019bd7d45545a191

SHA512
4fd711d25029c4fb65d5f9d33f9915c02e7d1804603202786941b755b543d3abbf16ab3c1021f205725e02aed4165cfbd88a41c948493ac133736c325b0daa6d

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
6f3ff2e600aa77cdc72bc5a7c25e9f4a

SHA1
10ae9b08d35844849fe555c697602ea43c58b79a

SHA256
3735dad6ee85549596ae9aa6722c2030a7fe998d38479dffb7559f51d713bd28

SHA512
6cdf4525e3b4490c52f94906cab756059716834aaf0cf88f9c1ab914259f28ccd1d12841b5dd4853d458daa46d31c692fabde8b36eceeaee929cd9915bfdfdf0

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
bf6cc180e1a7081e2919364e8a1a4048

SHA1
65d818f5ea55866e73c0a8e8ad21d65da3b5182c

SHA256
56e2d818471a6db517755d0ef797887ca4f5780f627f1adb7630d90ace514cbb

SHA512
d4dcd37d38e23a53542591f4c66b5309f95f870304ccd11ee594e0b532686254b479835c111cddf15aa4536f9ee2e2c26d09e6b0a24f665ddacd36a441d58ed6

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
96KB

MD5
ac38c187ea93800de3de22a70fc4f006

SHA1
b9a5a71412b1f1e74b5131955aef56c3e26f1a9a

SHA256
adbc0fd40d5b457b53b3bb6d79c3cf9cd071541332baea3614bb7b6af61d73e2

SHA512
34b7991a6289b2ba6c088edf7176f1e68ec52011198c3bb29590f29f45ccb432dc54718a4ab9718f19358577ba1d45f11c42815edfdc2df298aaf0254b0f2de1

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
8e825cad8a8fefe2523db7995c1c5695

SHA1
32e0e534c20eba18f483cdf19ad0f56bf04fbdc1

SHA256
05c401c308d26c2492eff1baafd0cae2a6bd28f1d073ff52b736b6c302e52399

SHA512
9e18b69467f8e048537725e8e7df7fd30349651624b637c0908dfba75322bf3b49b697dd1653cf52930f0905ef7ab5104d03f6d9bce729c98710bb8cc30dbaee

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
96KB

MD5
5a39e0a9867d1fde0647e0b0104e2595

SHA1
5facbcfb6f41a035a592a0c3db714ca8307215a5

SHA256
21d24213dbfb8004b2f555fe4479706f8840b1de72133aaf143e13f9749b156c

SHA512
b35a4da4d293a3035b88dcd1676a03b04ebe4e82337088dfd65d6b99b6d36ae8e49d6b120cb331da1939499d340b7a1e484787e09af8472ae838419090f16833

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
96KB

MD5
9d382e170015a68cdef76539e7a8b515

SHA1
1d9aa48dece52012557f192aef1b51e3b4d3892b

SHA256
0441a75c1581c2fe220c6af7aca58753f7004e99a093b96afc7a4e1568a00909

SHA512
944a6dccdf2b31abcb9f405733ea1519a37095d8b25b700ea92e8464f6dccfa67ca1a6589e6e84bba086a2c26ddd87011116922709c341299cb8ca79c0c206e1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
e62b89c87c89a345542fab1095d8efae

SHA1
48299e2209878be0a77b06e0d85a8589fa8ff665

SHA256
a998d14bcfdbefb7573cd9e48b4bf8b900280ef1a03358e2c23520b00551be27

SHA512
bf0dd597800403fc6adb8d0b4898fe36e763e0e5396c9b3d554d7c00e1886205f5ca59de61aa033159f13e74cd8c74c831ca5d068381dd5bf351e2bcb77b10ca

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
923320262f76cd1c6c4b486a7c78484c

SHA1
1effaadd3dfa96985c44405637e98f6dbb539275

SHA256
74e0afde3e8ff9b3dbce26d378f0e55fd2a8b65b8b945a271d21369420c4590e

SHA512
6252cd7b6750396c30f339417f94679866d555dd47879975a0f64d572e5fe16fdc6035ca2b9d9a3512cba4745719ffd0de7413d49110a3bc2532bf0de3863c40

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
96KB

MD5
a061dacbf8d1aed2c618de9bb1c88c87

SHA1
c87dc2777d38603089e5047ee61a3bac13ee7930

SHA256
7556095e5dbaa7c39d6c5c089c1c3adad1351c5998c509ecdefcf2f429447e71

SHA512
e2130473bc6ae00cd7655e68e68595237d3018267c465cb984c28dad8c24528192a2fc88e80807ed6bb5ed40c22f683030788cecc427b4261196ee7e8393421a

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
a5548006df5f3e31f83214682ba06612

SHA1
069e95b6568598db20bce372d863b8e5b6744ced

SHA256
004e190d249c70ed3bff9d6b2c28d1077f85c28194e0accd978818a492c1830f

SHA512
95a72bf886ff5b11275b31968992ca537760a100d2e76b904077c84ecededf7f5def1c330613d6ef0a248f47d6c91459b4ebaf843c69bef7bf6a144ae411e969

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
7f3073b4da3f37b0c0ea62e6addab71c

SHA1
60f1f49037dc7d28493f1e949dc4cb6272955efa

SHA256
ee531a2c7c01f0356f4ad3dc97cf4765d576f6f34197232e13b7ffd5b5e9119e

SHA512
d1cffa2aab679ccebb31170339ecc98082311252049782c5ec8d4e562796cf053fef685c01af49d7a12ac1c308e33f039bbf06bacb3f0c15d00ecc36205dc3d8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
e44690fee680461fbe0907ff6f168cf3

SHA1
d4ffd702b0d76dd355f835999ac51882fd53b1be

SHA256
cc69bd3fcc15ad0d292841752228e45f079cb7b08009da59236deabd0747c1ee

SHA512
b26fa02fa73a5c5b5b747ecfa062a014dabf5de5e9e9a272ef4769296ba5baa2e4de472614b73e1c3fe9923e771c4dcea1604158797b1320e116edc81f482244

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
5d4b4f1666146bed1644718c13374585

SHA1
84b5e0ae7663936cb98d1582672efd5a68a50abd

SHA256
bdff42b3e6739d274f38e99712734c5b4115a01fed7a978a1f9a01316a78cca1

SHA512
6a94c5952b8a7e2f4936510a9cca426240cca87654c2bbf1c843df7370296873b03e38b9a26927c839a965fe9e81ddad08fbfa54ed2481e67d0b8e417caccda6

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
8560a882739a47d2f2346d87fe245c77

SHA1
fd8f76f512f913d033226c575c78ed8db2e1edfc

SHA256
7695e5b3250d2b22f26807da228e47049a77066772c6d9c3fc981b70481bbe65

SHA512
c8a31dc30b17f58afa0634b4eedfee9659d20f6e810ee39d66790d73acaa429a57562e2790f09f7cac16de4ee292f99738cfefb3b44978a5bf42f1054700eab4

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
e6f8b3b26df3d7843160eb51ca3c2f72

SHA1
be4d07bd97d4c82236944db7a908e7b85da7d5c7

SHA256
980d7e9aba7fd927376c7fa1ff876b0e55072dda44c8f1e1a539b20a046a3d6b

SHA512
ad643c0e345228423e3d1a39eaa8f9304453ffb6555b00c12c26e507723b9ffe2985b2212610253dcbe15ab7b7e9b9475c05237ebc9b4fd138a69bc798e7fd00

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
8ccb14a0a0d911dc89e174532a870b3d

SHA1
35d0030bb2438c6f2f9b9e059d041ef225f00a08

SHA256
d2737db14e5c43652a4685e4bf9601ca198169c0dd3b75dd163a3536a94fb87c

SHA512
d5e33e6163df0f5bc49ea193f5c75d676b7f3e59cb1881ce011810ce5bd5bc5692d28d8f34967430a94032dea801807edf81eb9615572b832c638bde00d5e42a

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
59da63ae2e1d6a2fb6602950c4cb5b53

SHA1
e9617d840c7d7397b95db5a2f2f0a4c9ba5ae853

SHA256
d149a534b969d075c1479d296d78e22fc7d3860b74fe1b680dffedbcc2ddf380

SHA512
4964258bd05bfc90134711b81ffc65794c6423f7c77cf9397cc60da632b327f9b4f77975d92978abfaaed0ae22d0ea262008cc723ce65f9038fe4e58a88b1d18

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
c09e48b0d6c14ff951cca494415265d3

SHA1
074c73e7cc56b3c2e6a4aa9282a3e0854ac8dcb2

SHA256
f99127f0a0bf2ba50eb5898864f74c335fd189b2c5b578a7891d9770107e7bb0

SHA512
ed68c422bab2dacf05bd1c9d8e2f5cf118093a7e5cbad639baa353cc8d0aa65c4725f0a1b7501726005818a0d6f3a75ae934616cc2223be5e19fed9e866cd1e1

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
f3e71f2ca00b4f982278c5709e3e1a13

SHA1
b461ea82a4f7e2207c21beb5a4c733b4e2177bef

SHA256
1b50f374fb7ae3765020121f867b4e9128078c472bd5cbcad3143df7513412d6

SHA512
ca0bcc127cbdc3c7fbe83dddd0526101341568e522ef52bd69b58e47359944433f3cd8c3c700628b25d8ce6fdc8a061bc7b43ef56ccb26b0216e157c8cba5f0e

Download Submit
memory/8-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/216-578-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1400-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3996-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4128-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4376-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads