berbew | 635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bc

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe
Size

74KB
MD5

b12a0740b5e3821518fa44124eb875a0
SHA1

26303853c32512c29d98e6363d21c83de1725ca4
SHA256

635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bc
SHA512

c9c21548226303779a4ba5e754f4ffb3e4f3d52fd86498e3b9fc334ad248f02b0bfceda2f88144295d37198b2563102bd1122ecb3f3da7060b8ad69aea5f6a75
SSDEEP

1536:h6+69QiBZOaQ/aRPfMcp+nXe4DpPI5rGzrfAnNW:hR69Eel415kYEN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Megdccmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdjagjco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmpijp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdjagjco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgimcebb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3960	Megdccmb.exe
648	Mlampmdo.exe
2848	Mckemg32.exe
4156	Mmpijp32.exe
844	Mdjagjco.exe
1076	Mgimcebb.exe
232	Mpablkhc.exe
1132	Mgkjhe32.exe
2916	Mnebeogl.exe
1436	Npcoakfp.exe
2124	Ncbknfed.exe
4148	Nilcjp32.exe
4348	Ncdgcf32.exe
3392	Nlmllkja.exe
2552	Ngbpidjh.exe
836	Njqmepik.exe
4872	Npjebj32.exe
2568	Nfgmjqop.exe
2524	Nlaegk32.exe
4244	Njefqo32.exe
2932	Oponmilc.exe
2720	Ogifjcdp.exe
2908	Ojgbfocc.exe
4460	Odmgcgbi.exe
3020	Ogkcpbam.exe
4700	Ofnckp32.exe
736	Oneklm32.exe
1464	Olhlhjpd.exe
2688	Odocigqg.exe
1876	Ognpebpj.exe
2924	Ojllan32.exe
3848	Olkhmi32.exe
4360	Ocdqjceo.exe
3976	Ojoign32.exe
3920	Onjegled.exe
4044	Oddmdf32.exe
4596	Ogbipa32.exe
2364	Ojaelm32.exe
3488	Pqknig32.exe
1324	Pcijeb32.exe
1804	Pnonbk32.exe
3088	Pqmjog32.exe
1792	Pfjcgn32.exe
2164	Pcncpbmd.exe
4672	Pjhlml32.exe
868	Pcppfaka.exe
4804	Pqdqof32.exe
2820	Pgnilpah.exe
3324	Qfcfml32.exe
2804	Qddfkd32.exe
1496	Ajanck32.exe
5080	Aqkgpedc.exe
1212	Ageolo32.exe
3956	Ambgef32.exe
4084	Aclpap32.exe
4284	Ajfhnjhq.exe
5096	Amddjegd.exe
1156	Afmhck32.exe
4292	Amgapeea.exe
4472	Aabmqd32.exe
3500	Aglemn32.exe
4832	Afoeiklb.exe
3056	Aminee32.exe
1060	Bjmnoi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Nlmllkja.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ncdgcf32.exe	Nilcjp32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Cmlihfed.dll	Mdjagjco.exe
File created	C:\Windows\SysWOW64\Lemphdgj.dll	Mgkjhe32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Npjebj32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mdjagjco.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ngbpidjh.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Njefqo32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ncbknfed.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pcppfaka.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5148	4824	WerFault.exe	183

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdjagjco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Megdccmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	Mgkjhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfhkicbi.dll"	Mlampmdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knkkfojb.dll"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 3960	3588	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe	83
PID 3588 wrote to memory of 3960	3588	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe	83
PID 3588 wrote to memory of 3960	3588	635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe	83
PID 3960 wrote to memory of 648	3960	Megdccmb.exe	84
PID 3960 wrote to memory of 648	3960	Megdccmb.exe	84
PID 3960 wrote to memory of 648	3960	Megdccmb.exe	84
PID 648 wrote to memory of 2848	648	Mlampmdo.exe	85
PID 648 wrote to memory of 2848	648	Mlampmdo.exe	85
PID 648 wrote to memory of 2848	648	Mlampmdo.exe	85
PID 2848 wrote to memory of 4156	2848	Mckemg32.exe	86
PID 2848 wrote to memory of 4156	2848	Mckemg32.exe	86
PID 2848 wrote to memory of 4156	2848	Mckemg32.exe	86
PID 4156 wrote to memory of 844	4156	Mmpijp32.exe	87
PID 4156 wrote to memory of 844	4156	Mmpijp32.exe	87
PID 4156 wrote to memory of 844	4156	Mmpijp32.exe	87
PID 844 wrote to memory of 1076	844	Mdjagjco.exe	88
PID 844 wrote to memory of 1076	844	Mdjagjco.exe	88
PID 844 wrote to memory of 1076	844	Mdjagjco.exe	88
PID 1076 wrote to memory of 232	1076	Mgimcebb.exe	89
PID 1076 wrote to memory of 232	1076	Mgimcebb.exe	89
PID 1076 wrote to memory of 232	1076	Mgimcebb.exe	89
PID 232 wrote to memory of 1132	232	Mpablkhc.exe	90
PID 232 wrote to memory of 1132	232	Mpablkhc.exe	90
PID 232 wrote to memory of 1132	232	Mpablkhc.exe	90
PID 1132 wrote to memory of 2916	1132	Mgkjhe32.exe	91
PID 1132 wrote to memory of 2916	1132	Mgkjhe32.exe	91
PID 1132 wrote to memory of 2916	1132	Mgkjhe32.exe	91
PID 2916 wrote to memory of 1436	2916	Mnebeogl.exe	92
PID 2916 wrote to memory of 1436	2916	Mnebeogl.exe	92
PID 2916 wrote to memory of 1436	2916	Mnebeogl.exe	92
PID 1436 wrote to memory of 2124	1436	Npcoakfp.exe	93
PID 1436 wrote to memory of 2124	1436	Npcoakfp.exe	93
PID 1436 wrote to memory of 2124	1436	Npcoakfp.exe	93
PID 2124 wrote to memory of 4148	2124	Ncbknfed.exe	94
PID 2124 wrote to memory of 4148	2124	Ncbknfed.exe	94
PID 2124 wrote to memory of 4148	2124	Ncbknfed.exe	94
PID 4148 wrote to memory of 4348	4148	Nilcjp32.exe	95
PID 4148 wrote to memory of 4348	4148	Nilcjp32.exe	95
PID 4148 wrote to memory of 4348	4148	Nilcjp32.exe	95
PID 4348 wrote to memory of 3392	4348	Ncdgcf32.exe	96
PID 4348 wrote to memory of 3392	4348	Ncdgcf32.exe	96
PID 4348 wrote to memory of 3392	4348	Ncdgcf32.exe	96
PID 3392 wrote to memory of 2552	3392	Nlmllkja.exe	97
PID 3392 wrote to memory of 2552	3392	Nlmllkja.exe	97
PID 3392 wrote to memory of 2552	3392	Nlmllkja.exe	97
PID 2552 wrote to memory of 836	2552	Ngbpidjh.exe	98
PID 2552 wrote to memory of 836	2552	Ngbpidjh.exe	98
PID 2552 wrote to memory of 836	2552	Ngbpidjh.exe	98
PID 836 wrote to memory of 4872	836	Njqmepik.exe	99
PID 836 wrote to memory of 4872	836	Njqmepik.exe	99
PID 836 wrote to memory of 4872	836	Njqmepik.exe	99
PID 4872 wrote to memory of 2568	4872	Npjebj32.exe	100
PID 4872 wrote to memory of 2568	4872	Npjebj32.exe	100
PID 4872 wrote to memory of 2568	4872	Npjebj32.exe	100
PID 2568 wrote to memory of 2524	2568	Nfgmjqop.exe	101
PID 2568 wrote to memory of 2524	2568	Nfgmjqop.exe	101
PID 2568 wrote to memory of 2524	2568	Nfgmjqop.exe	101
PID 2524 wrote to memory of 4244	2524	Nlaegk32.exe	102
PID 2524 wrote to memory of 4244	2524	Nlaegk32.exe	102
PID 2524 wrote to memory of 4244	2524	Nlaegk32.exe	102
PID 4244 wrote to memory of 2932	4244	Njefqo32.exe	103
PID 4244 wrote to memory of 2932	4244	Njefqo32.exe	103
PID 4244 wrote to memory of 2932	4244	Njefqo32.exe	103
PID 2932 wrote to memory of 2720	2932	Oponmilc.exe	104

C:\Users\Admin\AppData\Local\Temp\635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe
"C:\Users\Admin\AppData\Local\Temp\635f4d530f04557c62677c1291b08d459989a1cee6af1ad3b50e392e6fd821bcN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\Megdccmb.exe
  C:\Windows\system32\Megdccmb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Mlampmdo.exe
    C:\Windows\system32\Mlampmdo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\Mckemg32.exe
      C:\Windows\system32\Mckemg32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Mmpijp32.exe
        
        C:\Windows\system32\Mmpijp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\Mdjagjco.exe
        
        C:\Windows\system32\Mdjagjco.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nilcjp32.exe
        
        C:\Windows\system32\Nilcjp32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        36⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        51⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        70⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        72⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:380
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        79⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 408
        102⤵
        Program crash
        
        PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
1⤵
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
74KB

MD5
f7b4f2c8c3fecc980f87a9c0c511e7d3

SHA1
f8a16ca506e3928753a61fe7c07b75e6887816fc

SHA256
1f6743c0e1124236dcc8c69ed0c48638ec8ac399481575b10e411cdd32ec465f

SHA512
6c7a434ff02c0910ae0f8b8d69e57a3996feb891fe8558628f00235ea68b560210867fc6688ce4b1d136b87c856f54c94c00dc9f24768b24252fae31a60893a2

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
74KB

MD5
dfccb990bffeb1e316cf06dbd8a90e15

SHA1
de040b8ac0bd14294f484e6ea0cd84772e730164

SHA256
8bee9118ec3ce2a76eeda146502611e950b10312faf600ac29d2b8a8ecdff629

SHA512
4fa578b06172c4e2aa92e300e2e8880441b6f33a39c3d898af12a6214a06360443cdcbe1ef2e1812119407f7899333d1dce109ff14893caefd607859617efefb

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
74KB

MD5
3261849b6025c827867f330eba197f95

SHA1
bc44c7d384c64cfee5f0f8cebb864bb99973aef9

SHA256
e597d366589fb3b9e65829e8e71815477dd4dc0858717776562715e0442ced07

SHA512
53f4f01aa63ecf074776203966043ad9622299e01a8b5bf9079124328998163cc222dc2165a5054d576d7d0d653a3ef5ed1ac1b81591ab0f6d283673a3ba2101

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
74KB

MD5
d263dfa6254069cd6e26f78c8a201502

SHA1
84c202404979dfd67e0d4649ca91b77967d71841

SHA256
b8280616c43c32097e6457b24a462d72f3c79b0ee143cbe044ff8e5250966be3

SHA512
664e72ff79032309295fbf11067c945c685badbdf1d5b6b925646c38873c99b1052f99b1b45529ae18feb75048e561a4a59bc228d204cd80ef9c7d5c5656b682

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
74KB

MD5
12e4a4d6bea5b358d4fe70a620aed72c

SHA1
a9c148df38aa414c4bb21c7d413c337269f21841

SHA256
71f2730407916f6e3f03b5c7637aca1fc972ae5801fb42f9b56a5e59bb5ce8ac

SHA512
01e54dd117b5ada271e1c24113709812ea645bb25b97ad5b672f34f8722aeefbf7dab6a2ab8baef924fa3f4f4b00c70cdeaf4ace9a52750ac93432bdd347a949

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
74KB

MD5
8aee369243639760a3a42138da5db937

SHA1
379b4e9bbde4c90e8b2f3116b5de739dcdc9a1d4

SHA256
efa2db6296ff1260ffe62633e9063c0b03022f553cbd29b94ee23dda2fba10fa

SHA512
2efee00fe6042f7aeef98d4e757f93d172ec6198aa76492727f8203e09e78d4644daec85f9730574a75a8ac0ba520f97e60674e68bfca1896e59d84ced7f245a

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
74KB

MD5
ff505f7abc2ac32eeda0d3ea7f05cd4e

SHA1
6aa3b8ecfa899fe3976b7ef837e7f57596dc927d

SHA256
7e8b4bdce8122bff7384e73bcbc249e7e42b7bffd3efae4dc0b7790cd43f76cb

SHA512
34bd4e2d0fc913e2e6370f65cfceda4bad7949e92497e5dc49de3151755c298ad0082dd3d01ca119b038777f0e1730e14823579e7dec19c8b3c05872452d115b

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
74KB

MD5
477693b783b2c2079e92fa2a49f9cff8

SHA1
7f81a44ea8a41d0b3791f150b9e3fd5131fbbde9

SHA256
3c4e7fe07300839fadf582492324e01c39a2ecfca0ada22d296ef66737469574

SHA512
27ad05867dcc88777b1d03007af158e581ccd6530011a0870e43038a6a9b22254c70717a232d9dda4853e61b5eadc7f6e1ce8132793a93c0defd519df6b22bef

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
74KB

MD5
856f009f9aaa04d87d3a48ff932c8a08

SHA1
48126e2e94205b7019c2f878cc1a5a07360be506

SHA256
560c9cd8e3324a2f51bc6c0b691f848ab393aa79bb9a3f63f28d41154f4967e7

SHA512
0f999b86951d2a9bd51d9538d600ee633597bce5ccfea9512d357f4b2560408c2bb7768b0397e7b1b0ad73b2813bf7bc17ff5794392cfa566788a612a66c3ea0

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
a237e6a51456f1f1fac35df6862317fc

SHA1
a204b92fdad4bd244d2960428544d045a6d1df8c

SHA256
6046608959fad343efda52c2ee532d4edab69b6591328ea23ee87ccdbaa072da

SHA512
3cea33131a160ac8b1ff6cf6c362b0ea57dda4b873a1ae87c286ad00a757dd0ce7b02b92cbd75696a116ad278391d0b23b526d97f33db606088fe64ed60e9ba6

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
b030c58d6096dcccf6865591cfaf4b97

SHA1
01bd22d2eee32e082e7a9a4b0890dbf19d8adf5b

SHA256
f2473e6fd01654fe920b0558567e200253c4209bce4a813b604e2193db81356e

SHA512
28b6df55c6d09d476c7355136a88335f60a22cf12c4d857d71b851af1c38e37117c58e188992ecfc85c352a52c5e70eb4729150edd448ee26ca28e722fede3ff

Download Submit
C:\Windows\SysWOW64\Kiljkifg.dll

Filesize
7KB

MD5
effdc10001af950f3e288e9a7d9734f6

SHA1
7fbd78c9e0c2e6e8096fdcef043c022859b187f7

SHA256
03a1189460a8e77ab9eaba436d15f9d98a39e8e3e66c733124ebec18f06f1b75

SHA512
5f2b10db4908304d82901f1a4118f2b5498ec3c6d33281038b06a7760338f92a1e702c07d0d739178f97aabb4ea74e80f39605c809af67e0b568999286eca168

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
74KB

MD5
9f9f89ee864ce886e2638979228a35b7

SHA1
5ed8d4caf97904df74de6812428087533704d9ed

SHA256
92dbdfdb42ae0d2c89f9c6915c0033787884fa8bda5c73aa569c56ec77f2afc8

SHA512
6fd48893f8e51dbd049703cb1426e1d3e3007d8275fb933afc7d975be79b3d9e714b0858c7f4bfb0b5578bd5deee9dad3fd62f6e1a5483471b7d5824f0628216

Download Submit
C:\Windows\SysWOW64\Mdjagjco.exe

Filesize
74KB

MD5
a86713e80248ea1d99bc1096f9e07c44

SHA1
88ecba5eeac0f454f9c5a6a9c8a0bca9f006ad4c

SHA256
9680a0c59d92c150643188f1438af1f01e115957d2fbde946d0456f37db6c029

SHA512
525e597089cbddff0a0d8b557d0f7426dad79d15b4e496ec62a50316b11c558588adfb701871db887fd5b31c7d0fc54cade5fb939c3225084093bc69c064c5f2

Download Submit
C:\Windows\SysWOW64\Megdccmb.exe

Filesize
74KB

MD5
5a7fdcdca5673c91b65296a576c49639

SHA1
a628a42c4f39d1fe480f85ecf56222ef860a4506

SHA256
0eca4f39b0587d75337cc59bb59eda0c49f69dd4239c7cc05f712499ab06f738

SHA512
d74bc314659617884b3b3df3a1db59ad4d6329b307790e87e246c3e06dc0ac0144e2a40ac1ac0795f64cad29787fa066e3732314f9742a0943630cfb0608d2c8

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
74KB

MD5
05aeda179cf805a6fba13c8c2ccf1004

SHA1
94d3a6ebbe23f316db0ad5a79843fac67d9fe775

SHA256
900ea6b98063100bb8f35de125ff2ce14ff4c3e29b768061cfe87bfe85cc87b7

SHA512
c97b5af278c808b7c9fb117c0df9c1fcdb34f34afe4092a868f6fbc1542739e4a93c289ab662deb81bb4e7be1f1f8bd823e26683cf6f2362f9848d1e7a921ec3

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
74KB

MD5
52348f0eea63f5dadaaeb0263c1c39d4

SHA1
2510e0b382723b4435e895c7b2fd61b5204d9169

SHA256
ab945fb33259da614866f57450072d183251a84b090a04fc0e1fbfc92169258b

SHA512
09f907705fbc46569a6093159c3e5d61ac70ea39d6a650c1c9d3f1a81e27668e05d473b4adb1a39a467c2353e09c4a976eb967e7578d4f2a3447835865fc93af

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
74KB

MD5
a1161264bf813e8fa6f36e59a82f8e00

SHA1
7da1afe51c45e1ab19fc0a778ddb91b64d0060ec

SHA256
b04621275641c88d7f99caa3f1bb5caa653bb771f5374450d8b942dcfad6ef89

SHA512
9b9adf9c2055b2332562b73c5b6a7d83fcd0c7c2065b1fd34ed3178de7fb1eaf469cfa0e899799983fe36106219e0631a58be12cd3c57faac4b4c18e28cbf067

Download Submit
C:\Windows\SysWOW64\Mmpijp32.exe

Filesize
74KB

MD5
2d5d4508c447097e56ed94ab002c0d51

SHA1
b538c853a8565b747dc16a09a58346da2dc045a9

SHA256
43ee9e0245bbf995912fba1ec3315dffa9fea498ea3eb4b955b23c839d70d797

SHA512
5224583bc715d8d4ecd3df4fadaf035a2c030d33895a942699c8dd86ebd85575c19908afc76ded9e7871c3e4c521433aefd646aff1d3467fcb5546bd79f686c0

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
74KB

MD5
8fca7c24d5813c6711ab43a647e6bdfb

SHA1
67e0aa93765eb3fd79a8a80d815263df0dc48a2e

SHA256
6b618e0f09bd431bf0cc4609a80346034e03af61903f5efa075984a0cc05f972

SHA512
3213376ef5a2ec9e96de963af9bacb8c20f0f6e2075cc521e3645f974b272d9b7fdd76fae78ab440de619d7af3ca5aba605d8316177c8cea82ffa4d4c251e0dd

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
74KB

MD5
fe943b07051d2776000883967d1c762e

SHA1
d4a39110d94c43500d531a7ea34825ba6bdc047b

SHA256
ba5e8d1f181e2ba442fd9c55d51520fb2c851c382a3c9a50c02e4cb7f4e9370d

SHA512
0ba67e445a0a366ce7d431efa6c58314f4e41326df7c6aad5f53a57cf22e7533ca6ff8465eb7e98961ebbd3fd56cc82b31da6277e0e08f025b14161d9b83425f

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
74KB

MD5
55a3f1041a5841309777023cd9eec702

SHA1
3394e7125996ffeb95b0382bf1876e341202030d

SHA256
d9bbd8214c174ad9fa73992fe24f7a939ed4e51ee8d27d8f004c65b9c5b46430

SHA512
264bc84ffe99656c12b473c679cbfd3819d12d7885cd91c36656a840bd8fa29f5edc1239f4393881dd7e0a49ee4b0b2d8360615d94e77910f84a03233ad5b57c

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
74KB

MD5
8f98e173e948dfbcd9f536e15a0d98ba

SHA1
5d483360651422297526adf25fe9b340cb2df40d

SHA256
ed068b084cf925fb3f64577d30f187f2e8908d63e0c46ec38ba18e64774d7ff3

SHA512
53f9734c875121cac8466add97b51ec3748c4f12d464069647fd2dfc260212c799c4538e217641be6bfc4489263b254c2468c0f21bf4522da5918cb40e21e0ae

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
74KB

MD5
be9a19db580d4b40878a02d6b1b473cf

SHA1
f5ae11cd76f29181df90e8afe3aec85256051b96

SHA256
43bbd4458ddf6bb1c62412cf0dd2c6c06f6b6e1673f77e9da4eab771d5829694

SHA512
2530962a805c5786def1604be31a76b8903b2105dba02ec68efa2c84ed287e14611b72a6f48a4bcdf9c9c9203fc9fec6be86f87298df1a0b2628ee91ec16a7a4

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
74KB

MD5
726903fa16dc1c46a7c96edc4e8e9b3f

SHA1
b9f5d75b6191ebe49267ac6bac995d69db0f5b8e

SHA256
d750dbcffd7437571a35a902442783eedf9bbab454c1806997c493cb90b047ac

SHA512
a70d3b7fff2464f78761debc8a6df303d439521974b4b8c5fc7ca2ebde61a5e416807cf2054e018d8bcc84524fec9d164fbf324020e4db7d7a8c13816e3e7128

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
74KB

MD5
4518a5ed71794c45b5fd785f1f2661b6

SHA1
8a517bc92cac71c1ec04e04b37b69a81a4aaffc1

SHA256
91700b60492beb4582346e32498459a9cc009dd7de06498f2dbb19e52ffe728a

SHA512
17d61954ebfa435ad191751bbcbb429e24af5105704e562970a85747e19e35b88e1a96ea8390a980a583f86e29a6978675d073f810bf27552b43884e65941cfd

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
74KB

MD5
2264592be380ceb01bdf4018de1fd6a7

SHA1
464398c87e513cf47e754bdb3d7211ecbbb6d300

SHA256
f3ec5e2f029dbb34332f6f106941c378b86e1e38f95fd718ff9ebad0bf67e018

SHA512
3022aa68a07bcc234b192ae73ae994b05b0ce5bfe0adbecca92fe143e15577547dc34e4459c141ae8b44c8f48293fb2459138daf3ad96b2c970e950a82fc856f

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
74KB

MD5
e623e543dac796f4d2b21bdf5c6cefee

SHA1
6766b93e224aefb27fcc4641422c8d019816836b

SHA256
d4b6b16b74ac2e8e2da463cb9ee6d166c25c841d2450bb47d80464d448b43613

SHA512
90da669cee826f82d58ea66dc3cedb816e65b9326ecb653b21ae9c3922633d96714df452fbf968ed84bccbb62be8d9e4130d1faa69861ac919cc2a5d45759779

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
74KB

MD5
d24699f3727daa943c65e4e20d4110c6

SHA1
c06243aa9834352074caf1449797fd3921dc363d

SHA256
534bdd0c6c01ea733833322c979395be39a6cbb62432c2fb92b59efeb2c6f3cf

SHA512
6e3c525e908eff175c760099fb9b4f6d074a4959fbf282664de0598557f7dd8c14eb31f40a644e8a483b975e4cac8769b16ea9018190dc303c69aa7bf82eae39

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
74KB

MD5
cc99dfbf0a129aee78bfe557843e8ead

SHA1
a86d530759a8f6558e01fb01fad21bb55bf9e164

SHA256
3c615cbdf1578be395be12942a8d94f0b12520a7d9ff14d393051029f3d879c7

SHA512
eba0330542ccabe7cb6ec00f5393bf7a672b0e004318cf09bbe0c263130739b300d239e74c096cd1c7383dbc7cd5493c886e6b219efb21fa8030b168ec4516f7

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
74KB

MD5
c6aea4903671855a881159d3447df007

SHA1
04a5fe4d758604be5439042ee291a1d0e994a1e5

SHA256
1413f73825cf86d51da56be7cbac4c63214f537b021f15731f4a9e7f4051b417

SHA512
f57e79cbaf5b9adb4de676de3b89f3e7e14b3d0dca65584521e9d721ea2f4e159efb194737b50da2d2033ac1bb777f326a1d0dd8b86ebd46c447994a7a2ec736

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
74KB

MD5
22f48038748a0371d69f5d52602026ed

SHA1
c1c8cde58b486ef4a8e30a96759c0a748106991c

SHA256
816b20522ef8cbd03ab32fa4960223a3725d444c687d7b1a80a481c96c114130

SHA512
929cc0c181fc24dbc0393547833c731fd10facf52b7b7de723287388115c208223d7a48f3a9b228d09f5110871e9583c8e21400eb06e93d274cb7d09c5ef8ca6

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
74KB

MD5
567594cec0d3bba746e12925db41d044

SHA1
19a941d25d4f6c105681fec10354cec4cb8832ee

SHA256
6688bb26be754a3cf46903b5abb8c618065fd11de3fae2bbe309b0a36a07ded6

SHA512
0feb76e8fcb9490a8a23aeee97a0db5e9a99d1b9f76eee6a929c6c59fed6db1af4f294899e355d7f1e464bb04c79b17be69106884ff5a381e1062b803b26bde9

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
74KB

MD5
21a6a43f1c2cbd2df5f2c0dbb52453c4

SHA1
848d641058aea6870b96619ce97af9151456400a

SHA256
b6616d76e0f3a4c29f30cfe1f1796d95b3db5bdf62ba57c9a23f85f61f76d197

SHA512
2d6de334267121b19cf02f41916bfd2d4cc90b948d1614e5d069f3a1dd58e6e0642e3ff43607520b65d70047ebd95777895a671e8608524a4cf6ec4e39bc55d6

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
74KB

MD5
2d1e9d854ce8b80c50411e070e2030a2

SHA1
40a02b41282aab8cce9150606dc33fa784653e6f

SHA256
5803eec33d79bf94a08f0b660f5197cbc2d3530eb943ce9a3cdf8e3c58e16584

SHA512
4d56c1f1d72896a1f3cea85d267c6abe229754fddaa1e56fa9b85a4fedb67cf20e4d4dd72ae901f52ac68c1a31bb61c65d39263cb6aebc8eab6dd1a4c53472b6

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
74KB

MD5
c551c44d6fe701c6520d4afeb69f9997

SHA1
d811bef323dea79c98586b5163e4d8aa5a345194

SHA256
a728d9e873c3f205fdc45a70b0915d20f0a32bae46067595e0fcf17ff616afbd

SHA512
f45d35a27c6973482c68cf183af67ce67222c3de06cfaee45c0380f10e04a69b1c11a221484b801fa0ca240d660169a037f5143a0a1a67ef79b91fbc9795ca64

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
74KB

MD5
ecc19a3ca3486c3b06e245a93baafccf

SHA1
5a6716e0574e1b2306d9d92deec9e3bdd594c5a2

SHA256
5a709a8f7c319088fb57b15a70b9a5c048767e41a455ada8850797b586e96a33

SHA512
9bce93548597f7bca94ff3076f96295bed1c8f5cfc4f88bc57d40a547f11fcc23bb2e0f51db2873e7a3dd9d0bd44d5029578c84fea60e7307459a462226b1ec0

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
74KB

MD5
8199dd5908ffb07ad9c499adef3a4a88

SHA1
04621abb76466d27990b54c7034e1d0c0864037f

SHA256
362599ed9539ed3f5b0f33284a8d0bd80de744b60fe9383883c14ee555cec1da

SHA512
33398fbb86f208f930bf9c705473a1199c1c44daf6b1f4bbc8c9879e7628af6b1a229ed68641c9f81d50b1a580e75959fa8ee853affa7bf2e14b0f56d5572820

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
74KB

MD5
e650d1627e2c96a803121e027e709133

SHA1
c4d06f0316898ceee6bdd14afb9ee108380d6f65

SHA256
78d28ab02a79c50b406395a6464c607e73ccb694ad52f3762ca24f5f8db19176

SHA512
84c41a41301d5a4955553aed61b4615fc6d98c9b650d4b34a0eaa3d84fdaffbf0a5e4491c7db36f3df3ac9cca39dd2571bff10a481c8bd89a1236d85be947bec

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
0d6bbba0c4d8db1b5e85ee577c38b2af

SHA1
d019c6559fb8789c2df31283f402c481ae5fea37

SHA256
4635f3d6b9cede9435dd8c8d8e84fa092dd1272ae24287636529c18a512d6aa7

SHA512
6340f66450152d8cccfb47550ca3c82b4efece62fe1c94a9c94aa8a4c01f7e49576b171933ce89bbb3ef4799a4ae3b5dd1c2bc86c73da6f6b1d0c45f6ef44d23

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
74KB

MD5
613bc47f09f00e58741cedb3a9cadf17

SHA1
5d982bd8ccbde46e2709e600854948499acd8cd5

SHA256
bcd0abf4b45fd9e290960e85983498113989acf66f48e9afb0b9334fb22b480a

SHA512
43a986c1a73fc3bde378e27d1927d8b19cd9b14ff5952c1ae404a79b7e8550d25b3361ddb4762e3a6cbe04905c61539bb872f5d16f5fac308ced8a1b68712217

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
748f9dfa91cea27900b9f326f82e1525

SHA1
b24c2f236ac35f6939aa20cbc01390e8bbca303b

SHA256
b1943e416c000a21dfb9f50b39eede9043544226d5e79aa043666ef631880071

SHA512
3f6ba54c8cbf97ddf30e6e6c638c50c9d520f6d077cddbd0e208c873c3483dc5227fc5200fba195bc059eaebf14c59926c853d64e82900938a0bf701a383e68f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
74KB

MD5
0b29d4b5671d2b97be7236123d51961a

SHA1
dd783c230d1c0e59324f654cfe62b1b2bcbdf03e

SHA256
500d3aa08995953fd0d135aa7c2a2a2ceb2d7147dd9d27c10b1c2593c64e5326

SHA512
33ab5ab48db977cea9953b26ff27f882a4702fe4d3d9eb8d63622d8aefbd5c94b96d38f624f8c677e7ebf12e19d1b694645f2921b7fa259a83c8d1da6ae436b9

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
74KB

MD5
a1a130b179d5e3282f3fa78de2f04996

SHA1
37c397f6655610d50309aa72cec3531ab3da15ba

SHA256
b8180ec5a3e2dc1656213329c47837a9238c931096a7b151ef4697054d88ca5b

SHA512
c331cd9093d55a805836b9d4cee75f2a6f7f10cf8a5e73199487c7356d6d118d85466c1881711e06367a2e64086369c4136048f4a4f9b08a657fd7760239cf50

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
56a3c0445bf90faba099f063b33805c8

SHA1
19a14923da33c42f13848f9ea2cb2ea6f7f0bef8

SHA256
8594c0f5c4580a5b17a9316ba2135c584b1d766974fdf70630de48bdae483065

SHA512
4e3a15cb2da4cf6c0a41309b4c3ba7e7dce5333d2e81a561b150081c41fbd47cdbe9ed219851aa9bffbb58e71ef2f74bf8d995079b4e6dc417a27970011e732b

Download Submit
memory/232-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/232-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/380-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/648-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/648-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/736-220-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/764-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/836-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/844-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/844-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/868-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1060-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1132-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1156-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1200-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1212-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1324-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1436-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1464-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1496-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1668-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1792-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1876-240-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1968-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2124-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2364-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2552-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2568-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2580-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2684-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2688-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2848-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2848-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2908-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2916-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2924-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2932-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3020-200-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3032-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3056-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3088-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3108-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3224-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3232-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3272-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3276-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3324-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3392-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3488-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3500-434-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3588-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3588-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3636-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3848-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3920-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3956-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3960-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3960-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3976-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4044-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4084-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4148-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4244-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4284-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4292-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4348-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4360-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4460-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4472-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4560-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4596-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4672-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4696-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4700-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4808-460-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4832-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4872-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4984-506-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5080-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads