berbew | 64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Size

64KB
MD5

baf07a48182a918f74fbb0cc9c39b4f9
SHA1

c4743124d1719c1a7531d14d95f2ae65b1122c7a
SHA256

64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3
SHA512

08fa74b4d24a71e3df8b260cbde904c30f1e93e3948aa31e9ef1b46f51dcce9778226187fe5e7e91e5f1c4864a7204e6bb5ab8b05431d7e0ff0877d5aaff387d
SSDEEP

768:7f2MRLmZaWc0egAiSgVkrr0qnQ/1H526XJ1IwEGp9ThfzyYsHP:7fRRuaN0egAfgy3RWBXUwXfzwP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggjdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3028	Mcmabg32.exe
1052	Mmbfpp32.exe
4212	Mgkjhe32.exe
1944	Mlhbal32.exe
1148	Ndokbi32.exe
2520	Nilcjp32.exe
2904	Npfkgjdn.exe
2816	Ngpccdlj.exe
4584	Nlmllkja.exe
2356	Ngbpidjh.exe
3796	Nnlhfn32.exe
3540	Ndfqbhia.exe
1952	Ngdmod32.exe
3944	Nlaegk32.exe
228	Nggjdc32.exe
4312	Olcbmj32.exe
1448	Ogifjcdp.exe
1516	Olfobjbg.exe
4344	Ocpgod32.exe
780	Ofnckp32.exe
5052	Oneklm32.exe
4936	Opdghh32.exe
4980	Ocbddc32.exe
2012	Ofqpqo32.exe
4540	Oqfdnhfk.exe
1456	Odapnf32.exe
4324	Olmeci32.exe
536	Ocgmpccl.exe
2364	Ojaelm32.exe
4808	Pdfjifjo.exe
4752	Pcijeb32.exe
396	Pdifoehl.exe
3764	Pnakhkol.exe
2068	Pcncpbmd.exe
4376	Pflplnlg.exe
4568	Pqbdjfln.exe
4296	Pcbmka32.exe
1880	Qgqeappe.exe
1984	Qnjnnj32.exe
4924	Qqijje32.exe
212	Qffbbldm.exe
2380	Acjclpcf.exe
1796	Aqncedbp.exe
876	Afjlnk32.exe
1152	Ajfhnjhq.exe
1912	Afmhck32.exe
4760	Aabmqd32.exe
2480	Afoeiklb.exe
1824	Accfbokl.exe
4112	Bfdodjhm.exe
2516	Bmngqdpj.exe
3812	Bgcknmop.exe
4884	Bnmcjg32.exe
4020	Bfhhoi32.exe
3608	Bnpppgdj.exe
4060	Bhhdil32.exe
4600	Cfmajipb.exe
4336	Chmndlge.exe
2148	Cnffqf32.exe
972	Cmiflbel.exe
2536	Ceqnmpfo.exe
1832	Cnkplejl.exe
4380	Cnnlaehj.exe
2308	Cegdnopg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Lafdhogo.dll	Mgkjhe32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Mmbfpp32.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Ndokbi32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mgkjhe32.exe	Mmbfpp32.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Npfkgjdn.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Mcmabg32.exe	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aabmqd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4644	1252	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbfpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjkmdp32.dll"	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffnijnj.dll"	Mmbfpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djoeni32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlingkpe.dll"	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkknm32.dll"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmijnn32.dll"	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgkjhe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 3028	4436	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	82
PID 4436 wrote to memory of 3028	4436	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	82
PID 4436 wrote to memory of 3028	4436	64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe	82
PID 3028 wrote to memory of 1052	3028	Mcmabg32.exe	83
PID 3028 wrote to memory of 1052	3028	Mcmabg32.exe	83
PID 3028 wrote to memory of 1052	3028	Mcmabg32.exe	83
PID 1052 wrote to memory of 4212	1052	Mmbfpp32.exe	84
PID 1052 wrote to memory of 4212	1052	Mmbfpp32.exe	84
PID 1052 wrote to memory of 4212	1052	Mmbfpp32.exe	84
PID 4212 wrote to memory of 1944	4212	Mgkjhe32.exe	85
PID 4212 wrote to memory of 1944	4212	Mgkjhe32.exe	85
PID 4212 wrote to memory of 1944	4212	Mgkjhe32.exe	85
PID 1944 wrote to memory of 1148	1944	Mlhbal32.exe	86
PID 1944 wrote to memory of 1148	1944	Mlhbal32.exe	86
PID 1944 wrote to memory of 1148	1944	Mlhbal32.exe	86
PID 1148 wrote to memory of 2520	1148	Ndokbi32.exe	87
PID 1148 wrote to memory of 2520	1148	Ndokbi32.exe	87
PID 1148 wrote to memory of 2520	1148	Ndokbi32.exe	87
PID 2520 wrote to memory of 2904	2520	Nilcjp32.exe	88
PID 2520 wrote to memory of 2904	2520	Nilcjp32.exe	88
PID 2520 wrote to memory of 2904	2520	Nilcjp32.exe	88
PID 2904 wrote to memory of 2816	2904	Npfkgjdn.exe	89
PID 2904 wrote to memory of 2816	2904	Npfkgjdn.exe	89
PID 2904 wrote to memory of 2816	2904	Npfkgjdn.exe	89
PID 2816 wrote to memory of 4584	2816	Ngpccdlj.exe	90
PID 2816 wrote to memory of 4584	2816	Ngpccdlj.exe	90
PID 2816 wrote to memory of 4584	2816	Ngpccdlj.exe	90
PID 4584 wrote to memory of 2356	4584	Nlmllkja.exe	91
PID 4584 wrote to memory of 2356	4584	Nlmllkja.exe	91
PID 4584 wrote to memory of 2356	4584	Nlmllkja.exe	91
PID 2356 wrote to memory of 3796	2356	Ngbpidjh.exe	92
PID 2356 wrote to memory of 3796	2356	Ngbpidjh.exe	92
PID 2356 wrote to memory of 3796	2356	Ngbpidjh.exe	92
PID 3796 wrote to memory of 3540	3796	Nnlhfn32.exe	93
PID 3796 wrote to memory of 3540	3796	Nnlhfn32.exe	93
PID 3796 wrote to memory of 3540	3796	Nnlhfn32.exe	93
PID 3540 wrote to memory of 1952	3540	Ndfqbhia.exe	94
PID 3540 wrote to memory of 1952	3540	Ndfqbhia.exe	94
PID 3540 wrote to memory of 1952	3540	Ndfqbhia.exe	94
PID 1952 wrote to memory of 3944	1952	Ngdmod32.exe	95
PID 1952 wrote to memory of 3944	1952	Ngdmod32.exe	95
PID 1952 wrote to memory of 3944	1952	Ngdmod32.exe	95
PID 3944 wrote to memory of 228	3944	Nlaegk32.exe	96
PID 3944 wrote to memory of 228	3944	Nlaegk32.exe	96
PID 3944 wrote to memory of 228	3944	Nlaegk32.exe	96
PID 228 wrote to memory of 4312	228	Nggjdc32.exe	97
PID 228 wrote to memory of 4312	228	Nggjdc32.exe	97
PID 228 wrote to memory of 4312	228	Nggjdc32.exe	97
PID 4312 wrote to memory of 1448	4312	Olcbmj32.exe	98
PID 4312 wrote to memory of 1448	4312	Olcbmj32.exe	98
PID 4312 wrote to memory of 1448	4312	Olcbmj32.exe	98
PID 1448 wrote to memory of 1516	1448	Ogifjcdp.exe	99
PID 1448 wrote to memory of 1516	1448	Ogifjcdp.exe	99
PID 1448 wrote to memory of 1516	1448	Ogifjcdp.exe	99
PID 1516 wrote to memory of 4344	1516	Olfobjbg.exe	100
PID 1516 wrote to memory of 4344	1516	Olfobjbg.exe	100
PID 1516 wrote to memory of 4344	1516	Olfobjbg.exe	100
PID 4344 wrote to memory of 780	4344	Ocpgod32.exe	101
PID 4344 wrote to memory of 780	4344	Ocpgod32.exe	101
PID 4344 wrote to memory of 780	4344	Ocpgod32.exe	101
PID 780 wrote to memory of 5052	780	Ofnckp32.exe	102
PID 780 wrote to memory of 5052	780	Ofnckp32.exe	102
PID 780 wrote to memory of 5052	780	Ofnckp32.exe	102
PID 5052 wrote to memory of 4936	5052	Oneklm32.exe	103

C:\Users\Admin\AppData\Local\Temp\64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe
"C:\Users\Admin\AppData\Local\Temp\64fec9e4e7f9f8293f1427fe4ff57b7137a7be8d026a6b812c1463db28c610e3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\Mcmabg32.exe
  C:\Windows\system32\Mcmabg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Mmbfpp32.exe
    C:\Windows\system32\Mmbfpp32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\Mgkjhe32.exe
      C:\Windows\system32\Mgkjhe32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 396
        76⤵
        Program crash
        
        PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1252 -ip 1252
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
64KB

MD5
dc6d726903f72907c883522b6ecaf96b

SHA1
c33a48788912deec8c5d06f0daacd25ab9d92420

SHA256
66424812d15ca2d26d451aaba8dbc86e9c6a35b1c544b540218f75cb12da052e

SHA512
cdc03bec80d06c7f740dce49c8165c272c69d365dd5601e9ef695c44055b28cccb73dde139374e430e3afb715071e2d60fa095a26b08c79fd09f2ebf94424350

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
64KB

MD5
23c72ea595a6231af08ef7d430ba93af

SHA1
858321a327b4746c799e25f592f64a5618f25d40

SHA256
f580890f4f70805e80c96f30d3bea19a0b5bb15373a4af755307b2a5e986a369

SHA512
47a4a91f1d45751c93f77272de4c245c614b97a1149dd385ee37a9359fc22fd8b034a4a34d9c0524a5aa6fb547fc97acff12b60604f07ac161f8d699af0a922e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
64KB

MD5
e201f69fc7068151dc81427d679c8460

SHA1
c19099e0982a2fa5351b97377d6eff11f520c1db

SHA256
9097472e299fa38ce0f0bd241ccc0081098e1a8ed7d5d396877381b9887eefc9

SHA512
fa733ab7f27f5f3a251af1a6734d1fb54c9d23481f25ee0d26f87a78b244e9601fe5a0243c34e343b899372b56472f0715d69bfb4dc763ad1e44a9ea0e1cf541

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
1629462cd8452d25417f77d5629c0d3c

SHA1
eb92bffc5a22688611d3b8d65d04d860d31524bd

SHA256
c8218bd84b22be441d887b9781dcfa43c1c62fbcecfc3015243001cc20977fab

SHA512
9eac5897a4adc809e5e5065f6d8e14fa507082dcf2393ab1c0300fdedd96c91fcaf73a4f40f50e1e9fb874cc41a073c665aae6696248ece6ac6233793e286f20

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
64KB

MD5
f5faefcbe3fc488af8aaa60aeab1d62b

SHA1
8bfc955c8d3370991d2108109b83dcdab283b33d

SHA256
7e91705353d09a793ad5a80b2d4a141201108bd3759f43ced2c5417a2f2003b8

SHA512
3f454dc5ff2752097b971aa78cbebc3addb071b2484a451172fc608b5b1e9110964f98ce5ff6bafdafa3506c78e39a94c9bc55c4568206af96494b2959e1c3d0

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
64KB

MD5
5cc5400c57834e3723d7cf01958fe2cb

SHA1
af93e702a8cb498d99a1ebd0fb81d90a3f3a0223

SHA256
9fd560faf2c01837c0141c6055e74d05508871a1538e3ce64eb8b9714c8c2666

SHA512
d64d7cc8b3cbb3331cb7de12adcf085b3314bdaad79692e421df83a757ba80c6da5559abe73c1a2c06a2e520bbce4415140e1d8d40dcac7e1fbfc23b89eba20f

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
64KB

MD5
f56b4189b7ff122fce65cbb2b0c895be

SHA1
9999fda7ae033bb195cc2166fc445373c4b0078e

SHA256
2a0e7bfdbd123363cf72661d206ba09c4d30d3651a8a326573c988943ec005d3

SHA512
a3c246b7a581215c33ce7c77336d72840f16359b0f3379d49981e4feeaf2ea6bac3cccdffb8742235485f3ee40cbd738bc443971ee7e35d58ae44419bb706678

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
64KB

MD5
95e98a2c1159c25143574811fada26e0

SHA1
ad90a176320de3802de363ed9994b7e5be5d80fb

SHA256
d0d07318ee4c2252b8c8cf629301dd0f659d61932bbbc54b2b65eb9449830b63

SHA512
fdc3facd84fa4efec92ed125adaa7f2e9f0f25ac6b000aa9a6232296a42b3ed2b4e0ee2550930815202d2673eb1e89aa4a8bd5644ad06dfb1d0bee794e93a646

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
06dbfa034b749e1815345f058968c2db

SHA1
376f12961cf1196bf78b18ae951653bcfe6f4189

SHA256
40f342737ca3119cd8d2934c9bdcd8cad777f172dd400725397aee36e9137bb0

SHA512
1ca02b19ee8eeb2eec0b6e056b8f0573ee172e5d3440c52f91cc3e7f55900b41c430505bf1dd4ae8205d1eb1dd5dec7a2133a5b71356412c3ba02fb2721c0bb2

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
64KB

MD5
8c9bb721a3b235420828e089175a5bde

SHA1
cb950127fb2eef2434112f23398a4a5155f25a68

SHA256
78dc84163bf0a9144a2d4a21cf5ff8d03a40ecebd9678d0705df4339d9623aba

SHA512
01d2d8266537e113444821f3b42395f9ee4c0cc3ef03d8fee02c1e224430c0bbebae555db3b94d9bafb8a0d74ffc0c5a716c4ff62d605aa0a4f2a2dbebc71516

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
64KB

MD5
264ac9544a461502bcce38dbafcebfe1

SHA1
d9ed7cb417595af0aea9f3d86da15e1140c7c350

SHA256
041b6d065878a1b6f43d0c0c249c97afbac8913188018e6732b1575d998fcafb

SHA512
5f9a15d5f61a0b63bc84f2fbba9f092b1e19495af9c7a9e32e98fa22ab79a8e9684b8ae6d95d03bc7ced681f3eacd652b4acf15e350a837dfdc186ccf5ed761d

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
64KB

MD5
4e1108642905a2f16bfd525f0bb83731

SHA1
d7a737faf8738cc63b983c4139eaf768bc58abeb

SHA256
4045da21e6975b5b2062faae7c99d66a35b63f78630bab610c7e6afb2840547c

SHA512
11a9a9c8107a4c57a100082b329eac59acff788ecaaea3f8a29d7e17fc97eb4cd1b4752b59e1c7a8213c7d055be00a0775f78d22546c30268e2802e88ee62f7a

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
64KB

MD5
e0132e0d703446603bf9888b43ec50b9

SHA1
86b8df42bf0bcf1ef6a8ea5c45d0eabee0fbbc39

SHA256
421153a9fed30e20b77c93902f0113b6ab6644109e19b0f5925360ba1739dddd

SHA512
4240eef406e9481b36aca25e29954d9f3b520afa336b45a63f5b5ab860fbe4d94aa7b3b35dd6f3ac0436a613332272cb827429ae46fe51c0a68ab99d69ec85b8

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
64KB

MD5
8746869fcd52a22a0e7f72898ed34b26

SHA1
5f7352807ba55c2c45497f289a694afb1c45a36e

SHA256
dbc77530063bd0e41f2c1bbb6ad4a068fda1e3c583b657429bd55947c8d8c585

SHA512
e696ab188bf9089e8712cf510c1b81f91e55044a8f1ae5a92661979c18e1f1963a2f0728b29c202debee1f76f70cbbb11f6fa621ee4aa5113fa3154bb3fd7085

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
64KB

MD5
0df506c79786465fc56c284b237c5327

SHA1
b5b93e2cb1fabdc8ef0271bc420a8cbcafca2045

SHA256
1525c59798d4464483ae3ab0615823005063acdc9ea09d43d9edf2fc03017371

SHA512
14b106a7cf336726f51793db5706d1ede13c34ccfa310a27d40f57f23c312d4e1f1d03f18e1db1f9480a10ea2db54932476a728958a2045dd517fce6c76b767b

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
64KB

MD5
66f34bc40ed8b676fad2d72285b51ea5

SHA1
dbf2c8c2562c7c3bb75475bed26202696d49cd33

SHA256
9bb036dba419371c33f8d74dccfa2aaf4d66091218c35af86b9698a8faab5b05

SHA512
d6f361319ad67b3490e50b0e65c0a08816736dba6c35e7dd08e03163c7c38a5e6e4cf64f8c0281fc07736dd3ea7060323fecdbbaf7415bf9d4e1c56d9f8c66ab

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
64KB

MD5
eab57cb73bbb9807b44ac64ac5f21093

SHA1
cf35e3ae66d65656482dafce902be2e2b7944092

SHA256
0628b38bb7c752581c10450f4253c0d3a707118288e785d0bb7e7562c4f3cbac

SHA512
72fe1d7f41e354c13d9cc7ebe6d0729154c520c6ea1314fd386183d5fdbfa21505c16aabc354f26b5d8e57462f26e8b40876d53d522951c1d0793d6385e198cc

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
64KB

MD5
1ee9e12841e3a046d7ad06b44ef10447

SHA1
8870cb4b2e74016d12f197b012f013051bef8cf7

SHA256
dc6d5e24a290ebf66f943ea11343a3cf36aece81a9d1eed4c920bbca62ca9b2a

SHA512
82bb0d2c2a2db3b5eda39112dfa6d3a6e39595366b6299ad4d09ef4f8547045d8b99b61d805b953e6d875f41aae4465eea8fb294024f55846ed9eb0cea166e71

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
64KB

MD5
95a634417594474a3d0a7681d8d7f3d4

SHA1
106cc6fb695f25e2fc955b2a2e80274408076ef8

SHA256
38939a44011fec99f6b88f2065b2733f5e9f1f7a6d4d7fa92966256b2c010542

SHA512
c464ab82950ff49193212a0110df3a5ea0c9bea6e858bf1ed6113130f07eb677ecb80a0455c05352804017c385ccb6100af0cd7563349146823d0875d157286c

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
64KB

MD5
7453e52f7ce06f97dd9eb12d4655b0d2

SHA1
7a3e60f0f40e5a7882e3e7d8b5d390ed4fd6d25f

SHA256
b95f242f3477b589ec62e6d6d8ce241f271e7025648f96b5ea3b5995b7a96a21

SHA512
55a010bfea5ffc86caf0b29a6df40823126ba7582ca3ec2beba0375e9a2093a31cda0d61926ac68a32cddd5594fa246caf8e019678c0b9e33d18673f2dd489a8

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
64KB

MD5
cd99bd326f70334c9a3a5d0f94e48943

SHA1
49fe17fe4605068ecc0ba62c401c12176e401273

SHA256
c7478b54b298632b718a8d3fd7f62a49faf5bc6870c9754da8f5e3cf6fce25ab

SHA512
44ad574cbf4ef3005b0790b64098a8349444cbe3ce5084a2818fad05271bf4bd008ab9b59ffc9a0ea6561a77551b44a16b650c97df27e656c448fdcaa84d662a

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
64KB

MD5
4d423e640d8167a92a231ed8b8420e69

SHA1
8f92684444c3aec6c5d89563df06a80974ac41d6

SHA256
34dd11e979f56a81a1c6ce4d18cab11b2e7c4504d09387e9bfe232d4cd3093ff

SHA512
5a1d23c57b6934997f7ee6b28d4535c29698fb8d7014efde5b160cf19eb4d25bba5bc2cbee24a0bc3e47e5396f9f1ab1527e9069051f59e770b577c9f72b2467

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
64KB

MD5
30a7380d88398189b7952d27c8588920

SHA1
9bad855cd27dd0dacc8d39b001422de747d22eb3

SHA256
57e88b708a688791a47e83c216c3a82392fa1c2d788a04dd4704075ff6576b81

SHA512
d1e9860c07477d1b9cfa96eca1a531303f3e784a070b2c1cd485679241393f0327ef8a690ea0787a4747219a12c7d8bd6e2d72ce253e4d8cc4185bd1b10b310d

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
64KB

MD5
84df1839489f0bb94e91b380c6a61214

SHA1
edae52bf55229082c051896c7fda7afd03572bbf

SHA256
8cf4217b8b98904fc9b0c8398410907f48ad36348ebbe5ad95809c5bae575828

SHA512
faaf476293f30f3b9f8d12d10b31f585b84ac70d2fdd76f90851f8820fe8fbf484be0e1fffb4dafff88ee9e45b1f02d359b0e8ea683749ef6cba14fcd75bdc00

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
0e9bf82f991362d7ecbf015ad3a4108e

SHA1
256b2ab60f2a00105e516b5ec9fcd381338e3c67

SHA256
0ea21eac5e968227be9981b25fb65412eba79b01090f1fab82e35991268d972a

SHA512
dacbaa899540939eb874461d782dbfc72edaed7e0d10367f04fc1419d96c769b4c142fbc401254cc2cac7efb4a4890f1f4abe8ec31475c232481af69097b2024

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
64KB

MD5
670d8cfe6991358af8639f7e45422e59

SHA1
d93ea88a687c31751270e77ac2a43d18a82643c2

SHA256
c71b83e6c6f3d6a5700acbb0f82859c3a6567e2c859af300505333ecc0b69994

SHA512
fa5027a7a259513e23be079e167a9104b1237a2d1f895c5599b11d877e264627adec374ffa401f2c7ba9d930c429e5806bc5477ca06d120ded9fd8b664d32b2b

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
64KB

MD5
2125c43c873c7d8b544b2b89a9349dfd

SHA1
272f7595bf20ced6e22d30c73377269286fbc380

SHA256
cbb634c37d3edd1a1de081cda6c1821a146a85d5ac5b9f3f0a6e2f43c94554f6

SHA512
ff717e5f147312637f976e001fccc7d313cd47b8fbcdda43754ae2b707ef03d90e5ce0778b89c8fee920bd45dcb1687f1c2f69477e434f34af55b1dc4cc359f6

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
64KB

MD5
ff1bdde6d959e117e489a35b67df7e13

SHA1
cba3cb7ff1ad9d5175e766a161716404fd3df20b

SHA256
65e777653e02ef197f2b6673be8591e661a7eeb4652f78c2fc83ac0ee2a33391

SHA512
16c859ed15a27d4413c1c7a06992d7372a62388157dd40ef1c1fe231dff01edbcf316c755de0d9abf53d866745210d11226003ffa2259cad5f973cd2c42b1183

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
64KB

MD5
637189f9a9fd230be81ec888955fc86d

SHA1
437bfe9b8dfe0f299a235eee5ffb3eae8023f9ef

SHA256
44dbac5ad8142bd54960abbdf42f6aa38b7230572458833140acfe1570979952

SHA512
7308d3d7b544538b42473feeee44b35b39b90697d51e8a3f429570c86236fc8d1356540c6acec99bdf0e796e15d25e10b2346dba8d84b83e9e43d654fa06181f

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
64KB

MD5
ed17681b06afa3f177e80a018a5ad61e

SHA1
b5542e03341c0531855e12bb309a5d5bfde7f0d3

SHA256
fe8c32a1a221eb7e2deca81ac4e388376eabb0edbf2a8ae3839e5901a71efb72

SHA512
58904bcd9f1c19fe1ca049a69ecd99419d83f5ab55485b9701a8a364fdbd3aeb9a82fbb77f341578a50017b9103aa8dda4a791d1b041b74762698b1c1f1b8e96

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
64KB

MD5
39ca49686377ee1dd27c1e12dca781d8

SHA1
ecb40630f492d26daf71e87c1c05eac8c9d100c9

SHA256
a2baed324d7cd07cdaea191a77121375f3766a08dc987bd2a6b15c390d724b32

SHA512
92212f986399950ae3b36adb774b0d347ca65d25135e5c26a74b6c805d2ceba331b82b09550fac7a865c801de36f5cc5056296e1414f4dbd26d7252533f84ecb

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
64KB

MD5
1ea7613583f3b4e3f34a6cad70c1f4aa

SHA1
b857598a2b80ad7b36ce39c58baa391f346804c5

SHA256
6ffa41665088eeb55332c9d0a3079a7b8456813b6434572aaf23a4a8f6a173f3

SHA512
8b45210ee84d4c9878877071e5dbe38084aa8049a7923585d175725a7e702aab5a1ef67d9fd0eccbdaa7fa60c85563fcf294819a40eb6e7dd1ea750699d3b17f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
64KB

MD5
35ec825af7957bbf2fcbc41269c26c10

SHA1
576174ad86392c3b83ceca01f8ed41090f8e8e07

SHA256
e2a17f84b19c9c30fdbc5664393a3347872b5f26185cb0f885db482bc0309c6f

SHA512
a885190efbeae27d133dc44135e64d1a24c896b3a20366fc26663096fbd8ca5fb932d7bed3839d50d39f7353b343534de2a2a136a47d312d43c8d3a977d752db

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
64KB

MD5
612a0f7084c5424ff12b53217213570f

SHA1
768807749956115ba5e755d5bbc98090ba9805df

SHA256
5ec0596bae02bc479821b226e247166b0d9fcfc5ca8843305a75d0b21c080355

SHA512
936d440500879b51bb6aef5f7c642ab20d1e7e3b025d9c51826737eb4a454558baafe7cd09bdd36cec86894d08a8f61f7403cef1dafe142b5ca64a0a06473871

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
64KB

MD5
80579bb21cbff85d5cc20e0d809eb09f

SHA1
450b25bc3cf7dbe6dcb523b118126471877db8d3

SHA256
fa40576825cd502871175a39861e1912c55172e4df07194ee651ab530ce890d8

SHA512
4ac6f7e1870daae188693f8765c2cfd7fbe8d4452c7864d2ec57b226b5584f810f2156f794f2fd2bfb3b51dad23c58a1de8f6e25b62ce24c3bcaf42dea8be20f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
64KB

MD5
a205dd75ab444786dbb96563b96c7450

SHA1
d1b2dc816c8ba995cc467e6debb4fd512e981d05

SHA256
6f622abc1af2039d1bae40f27453a37ef2ce5300f023e003e700c5befc25b1ee

SHA512
476a33096f308639fa4c984cce88995fb9be59df9d249160af53b4b3a90926b5b90e0dc5b1561af9e7976cf044d7843ee9176bde457e6ca9160165fa57f356aa

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
af9f0977b84dcbf316afd90ead421e13

SHA1
2e9b3d9b01b869efbbfa887217f5d3c9f8e76c38

SHA256
033c0275687b0b91545fd51ee52474d67771014c7e9ed34f6ff70463436adb24

SHA512
57fbcd2f912a618bcad01c6aa739bd681af80ca5fd738bfa328e8236db52ca30a5d93ef5d1a1895471b6cbd3a581f975b4957d7276ef6859cf974ea6e490a851

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
98e3221b035ebe3abc7974e66374d3c7

SHA1
04e41d2032d92fb18fcc9cab48e1f539b2607595

SHA256
ccb694dc1543866b14970cb28208552c58126579717751feed3bb80bf73fd960

SHA512
9f9e89b0bda23fb30e80317b77b5d7735daa099c395045243f17feaa1fdf260d11e4968d657f157ff3200dc3e3d5cab9e30f42be3a67b5e21a39f82c78bc5494

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
64KB

MD5
1fd0de6f0720df9d2127b0c6cbadf25c

SHA1
fcebadbdf858b399c93eafe27e5f9173fb501479

SHA256
9e53bb215d8d1a6e674dde41372706c8a1ca7fbdcc5e70eddae7aedcfe4d587e

SHA512
7bd8a7d7de3e0ed5ad7fc8e71bfe6727c8df1ef49e4406631a99a8567a9fa31e47a9f2019912a0f10b31b3ed0c2f98b094cfb67777f123d55dd62c180c9c657a

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
64KB

MD5
967386addd811ddc53396b3ec2184275

SHA1
b4778a8014ede2de88c6b8c7307cd1c9ca97b04f

SHA256
4892a1e97940a758385eb0c653f21dd93b25aa55059049ea288c19f444e1f37f

SHA512
c2ea2e6d893294277884b07f103195e74a74c3f31e0dbba0a0c53c043b0c183ae043943d5df12370b1d989c95932accc4855f45a12ed363aeae9af787d5c7b98

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
64KB

MD5
c7eeb2cecb07a404557e9e82ec384b32

SHA1
9250a8724d404c742d406d5352d4a324c8de5d8b

SHA256
ec44f49bce4062eefd43b11f8052b5453b7472cab4994ec0c53903e41c7c309c

SHA512
965db6737e7ae08ffb078f7bb4be95a4c232b37d636e5ab0e7173286ea3ea32ad0e01da565d5279b98152f94fc02bf6f58b6ba90f6bf3f752c2c3eddb710b2ce

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
64KB

MD5
53a0b6b9b93691d0b232f178533d98ec

SHA1
03380e16c70c78f64f10d2166d60ad096332f2ea

SHA256
101c7fdbafcad011348dec5fafaec7d7d83b71a34eb3151bedcdcac787f4e8fc

SHA512
03d44518137137fed16bf6e1918f0ce49ef824e2c6f4289eaa23333459898353922a585c4c806f21f1a7c7cb7be6a1fd2991aaf72a6bb03201d860432a68f450

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
c37c653aedf4043aee8cf9cfcaf1c8a4

SHA1
ed9e0f61590bf2f633c0a9be2648a9cdb81bdf97

SHA256
652007a96a79360d0929e03f4086b71366be4a8abba079ec2ab914a6b41581f2

SHA512
b34312b32d016f04741e0a47e083013cd0d3bbdb34ac0a37c6047bf5f93a77121e0465115798184df4945fbb076beb35cb91ace22772e3aa6990fa3d17f2ebf0

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
64KB

MD5
61ecfe02c772aa79c3be6a8cfd387477

SHA1
f891fb776c1b8ffff39d0d403d1e2b08e13d1ce2

SHA256
e9ff25275732898fe2a2cc8fd3fadcb3269fc40d50c2f756f26b9ea566684d5d

SHA512
17190e0a52f9585600f7de9f7ff49ea2dc9d69ec36174d5295e251723a455892ac92cd811c0e8768999be83bb7b36448e915bc2489492144c3321e9c5f16c79e

Download Submit
memory/212-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/328-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/328-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/396-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/876-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/972-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1448-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1952-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2364-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3796-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3812-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4112-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4212-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4296-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4344-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4436-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads