berbew | 37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe
Size

182KB
MD5

ee96ce47b7cc61cdd7ffb84069a3f4a0
SHA1

7639641e0ce4ac9c9bb92073fdac32c84b034bf4
SHA256

37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e
SHA512

df74f6de75b45a5638027b577f5207e0d7357342a5aaa68c08f780e08460e61531fdafd4ede7eba2c608f9a77da654ed792c357f5571a3f2ed9dce45eec81392
SSDEEP

3072:pp5AyVPMDN4sn7KGKYXindfrQMSYHEbZ/JIKXn7KGKYXindf:E4sn77Xwl0kHEl/5Xn77Xwl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miifeq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4884	Mgkjhe32.exe
1076	Miifeq32.exe
3052	Mnebeogl.exe
5020	Ngmgne32.exe
1844	Nepgjaeg.exe
4664	Nngokoej.exe
2332	Ncdgcf32.exe
4492	Nebdoa32.exe
3956	Nlmllkja.exe
1568	Ncfdie32.exe
540	Nnlhfn32.exe
684	Ndfqbhia.exe
4692	Njciko32.exe
2900	Ndhmhh32.exe
4128	Nfjjppmm.exe
1428	Olcbmj32.exe
2884	Ocnjidkf.exe
2932	Oncofm32.exe
3572	Opakbi32.exe
3344	Ocpgod32.exe
1396	Oneklm32.exe
588	Odocigqg.exe
2336	Ognpebpj.exe
1956	Ojllan32.exe
4136	Olkhmi32.exe
1488	Ogpmjb32.exe
4544	Olmeci32.exe
4604	Ogbipa32.exe
1468	Pnlaml32.exe
1032	Pqknig32.exe
4668	Pdfjifjo.exe
1680	Pnonbk32.exe
4104	Pdifoehl.exe
3432	Pggbkagp.exe
3500	Pmdkch32.exe
2712	Pcncpbmd.exe
3680	Pncgmkmj.exe
1388	Pgllfp32.exe
4740	Pnfdcjkg.exe
2388	Pqdqof32.exe
1532	Pfaigm32.exe
1644	Qmkadgpo.exe
4256	Qdbiedpa.exe
432	Qgqeappe.exe
4064	Qnjnnj32.exe
2440	Qddfkd32.exe
2828	Qgcbgo32.exe
1084	Ampkof32.exe
5016	Adgbpc32.exe
4956	Ageolo32.exe
2016	Anogiicl.exe
4820	Afjlnk32.exe
1804	Anadoi32.exe
840	Aeklkchg.exe
3304	Afmhck32.exe
4420	Aabmqd32.exe
3292	Anfmjhmd.exe
5092	Accfbokl.exe
2372	Bfabnjjp.exe
4252	Bmkjkd32.exe
4920	Bjokdipf.exe
4976	Bnkgeg32.exe
2196	Beeoaapl.exe
2244	Bgcknmop.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fibbmq32.dll	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Agocgbni.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Njciko32.exe	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ncfdie32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	Njciko32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nngokoej.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2724	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ngmgne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmccd32.dll"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4884	2352	37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe	83
PID 2352 wrote to memory of 4884	2352	37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe	83
PID 2352 wrote to memory of 4884	2352	37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe	83
PID 4884 wrote to memory of 1076	4884	Mgkjhe32.exe	84
PID 4884 wrote to memory of 1076	4884	Mgkjhe32.exe	84
PID 4884 wrote to memory of 1076	4884	Mgkjhe32.exe	84
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 1076 wrote to memory of 3052	1076	Miifeq32.exe	85
PID 3052 wrote to memory of 5020	3052	Mnebeogl.exe	86
PID 3052 wrote to memory of 5020	3052	Mnebeogl.exe	86
PID 3052 wrote to memory of 5020	3052	Mnebeogl.exe	86
PID 5020 wrote to memory of 1844	5020	Ngmgne32.exe	87
PID 5020 wrote to memory of 1844	5020	Ngmgne32.exe	87
PID 5020 wrote to memory of 1844	5020	Ngmgne32.exe	87
PID 1844 wrote to memory of 4664	1844	Nepgjaeg.exe	88
PID 1844 wrote to memory of 4664	1844	Nepgjaeg.exe	88
PID 1844 wrote to memory of 4664	1844	Nepgjaeg.exe	88
PID 4664 wrote to memory of 2332	4664	Nngokoej.exe	89
PID 4664 wrote to memory of 2332	4664	Nngokoej.exe	89
PID 4664 wrote to memory of 2332	4664	Nngokoej.exe	89
PID 2332 wrote to memory of 4492	2332	Ncdgcf32.exe	90
PID 2332 wrote to memory of 4492	2332	Ncdgcf32.exe	90
PID 2332 wrote to memory of 4492	2332	Ncdgcf32.exe	90
PID 4492 wrote to memory of 3956	4492	Nebdoa32.exe	91
PID 4492 wrote to memory of 3956	4492	Nebdoa32.exe	91
PID 4492 wrote to memory of 3956	4492	Nebdoa32.exe	91
PID 3956 wrote to memory of 1568	3956	Nlmllkja.exe	92
PID 3956 wrote to memory of 1568	3956	Nlmllkja.exe	92
PID 3956 wrote to memory of 1568	3956	Nlmllkja.exe	92
PID 1568 wrote to memory of 540	1568	Ncfdie32.exe	93
PID 1568 wrote to memory of 540	1568	Ncfdie32.exe	93
PID 1568 wrote to memory of 540	1568	Ncfdie32.exe	93
PID 540 wrote to memory of 684	540	Nnlhfn32.exe	94
PID 540 wrote to memory of 684	540	Nnlhfn32.exe	94
PID 540 wrote to memory of 684	540	Nnlhfn32.exe	94
PID 684 wrote to memory of 4692	684	Ndfqbhia.exe	95
PID 684 wrote to memory of 4692	684	Ndfqbhia.exe	95
PID 684 wrote to memory of 4692	684	Ndfqbhia.exe	95
PID 4692 wrote to memory of 2900	4692	Njciko32.exe	96
PID 4692 wrote to memory of 2900	4692	Njciko32.exe	96
PID 4692 wrote to memory of 2900	4692	Njciko32.exe	96
PID 2900 wrote to memory of 4128	2900	Ndhmhh32.exe	97
PID 2900 wrote to memory of 4128	2900	Ndhmhh32.exe	97
PID 2900 wrote to memory of 4128	2900	Ndhmhh32.exe	97
PID 4128 wrote to memory of 1428	4128	Nfjjppmm.exe	98
PID 4128 wrote to memory of 1428	4128	Nfjjppmm.exe	98
PID 4128 wrote to memory of 1428	4128	Nfjjppmm.exe	98
PID 1428 wrote to memory of 2884	1428	Olcbmj32.exe	99
PID 1428 wrote to memory of 2884	1428	Olcbmj32.exe	99
PID 1428 wrote to memory of 2884	1428	Olcbmj32.exe	99
PID 2884 wrote to memory of 2932	2884	Ocnjidkf.exe	100
PID 2884 wrote to memory of 2932	2884	Ocnjidkf.exe	100
PID 2884 wrote to memory of 2932	2884	Ocnjidkf.exe	100
PID 2932 wrote to memory of 3572	2932	Oncofm32.exe	101
PID 2932 wrote to memory of 3572	2932	Oncofm32.exe	101
PID 2932 wrote to memory of 3572	2932	Oncofm32.exe	101
PID 3572 wrote to memory of 3344	3572	Opakbi32.exe	102
PID 3572 wrote to memory of 3344	3572	Opakbi32.exe	102
PID 3572 wrote to memory of 3344	3572	Opakbi32.exe	102
PID 3344 wrote to memory of 1396	3344	Ocpgod32.exe	103
PID 3344 wrote to memory of 1396	3344	Ocpgod32.exe	103
PID 3344 wrote to memory of 1396	3344	Ocpgod32.exe	103
PID 1396 wrote to memory of 588	1396	Oneklm32.exe	104

C:\Users\Admin\AppData\Local\Temp\37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe
"C:\Users\Admin\AppData\Local\Temp\37e0cfad5308e0f730568c0b0fb6fb40a2d7081951f9b05c1b026176e6c0267e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\Mgkjhe32.exe
  C:\Windows\system32\Mgkjhe32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\SysWOW64\Miifeq32.exe
    C:\Windows\system32\Miifeq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\Mnebeogl.exe
      C:\Windows\system32\Mnebeogl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\Ngmgne32.exe
        
        C:\Windows\system32\Ngmgne32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:432
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4064
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        49⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        73⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        76⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1268
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        95⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 212
        99⤵
        Program crash
        
        PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2724 -ip 2724
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
182KB

MD5
b57fef0842932741091d046e59bf8e20

SHA1
bfb832a5b195b424c6f4cc53481bafa2ddf0cb5e

SHA256
461ea799a632615162a29e8867c0a8697b399aff02286c64aa5b07967e5a86c5

SHA512
e7ddee974d04e7f684cecc56c679516c7e9662e9503350de8840d287dee80bb8015fc7fde80a476284a779a9ab4a62c06ea0472b492ab92d7986d20350899658

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
182KB

MD5
08f55b2e2d3113bad918d63666e5773b

SHA1
a49dde728bedd2f6bea56d0fea35aa05bf0c4078

SHA256
4e91104a29e45f1223b3ddf2762986c57bfdc0b0895893868a5a86ef18b06316

SHA512
a8148ef9a79a111114a2a36495441b94ebf72b8796e0b321c446af8826143c0340b0dadd7dd165f730fa75ebc36a320a8432333007f72c9c7e900ed3e7ff547a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
182KB

MD5
173ffb8d193c0e0efba8fe69f7e3d7b8

SHA1
fc18504425e63a80181e94e2f435a130e44bd04e

SHA256
4e5c0686ff338c886458adb47ff843dc57fd226450022a2b670bc11eeee11b08

SHA512
3d6f47b2911ab6db128ff58adaeb1ad2a2f9d2ee470f5b3badb7c53f9d2bacda0c1c60f7588e96843fd4e4927a32f61edbecaaf9d9587e0f630ddd27e5aaeba4

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
182KB

MD5
7d3ad7f2e6e29168ac29051e8dfb556c

SHA1
d30d3f415334ab565f967776865465421b06e2cd

SHA256
35e5d2204ab67a3d37a199e8837ff09434734723c1cf0b524787f682d00e0741

SHA512
ef280c6bf4e89014925ece1f86bdb3038f8749a6a92cbb5c911dc3cf693bb1935c9c3a9b272ae0479625285425e9efda16e9b56532b14961d51b67f9014dddf6

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
182KB

MD5
d6a7b45179128d0826d2c426e86b5587

SHA1
dfc34db146cded3eedf39b144c544dd86e9eef02

SHA256
efd1b8c166a7e6af75ff58bcb519b8f4f2dcde25cc953068923d2e213d59c955

SHA512
16fe4e2c7a4c154bae9142c795fe90ec675d1031259f0fce169a59f3680ed818078a68fd44abec2cb0d5ac768338ac099adafe0d681c6a1a340f43451f9c7760

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
182KB

MD5
8641fff4f65291cd6947a7abb603316a

SHA1
ca25d6de2084349b50c1c9f4111951e7994fc148

SHA256
fcb7e1128083eb305970c851f4b5fc0030645b1f93c09af9ec24eee588cd4885

SHA512
b21ca12a95667e162626788316de6c42d265cd2216a7d4df83a666498e60cf06d1737d0089806f2b06e5e9152b0cbb54b3907d05a3f850aa2acf5326c4d9f5b5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
182KB

MD5
9a5b458fc1eff9269d0c09db5f1a5978

SHA1
e561d6ff076561ee950d8a3f37b888cc79d9695b

SHA256
490e275e25b9f8e442cd6523d2e29a9c2ee100d0289145a5af4c06343b252b8e

SHA512
7e2cabe4f4f5c7a87f8bc31f801c45f1c99a7e1afc8b8ea86f4469769c530f78a9f4e9e382a1af8686e6a6da5b3506f931a07a7c2a1ca3c6e613a863a5b349c4

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
182KB

MD5
3483c9b60029a41a94e62da3335c9bf3

SHA1
a3a9c7c416856ca9803280e8de681ada46a24e50

SHA256
36c8e70054909a5516b3cd0da5f30957240b506c96a1648ca229a11192ac1398

SHA512
e59750d11209ec197f12a834a57187e923f6be2a36ee233d30c93aa2a6523441d307fe2a3953b2a3fabed8d831d144ff5b2934f14ed0121ff7ae21dbe4103e00

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
182KB

MD5
28035573490f4cd526789c55c0a4cec4

SHA1
1d1587e84b96653e136f3e652f6bb4af45d6a914

SHA256
37470420ff86147700c1bd4394d797dca32a972ae5c416e3b7e886b2b1ef9989

SHA512
993f06ff639bbc30415951e88f1bb55c9d9a0323520db7f9b6a8b569be98b50ec8eb2ae5454a2fbe6e7d7e8f0d59051024e633c26718b88ce57a5eeede9b0cb4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
182KB

MD5
394c068f69f2b6f49f18a32c66e88e62

SHA1
4b9ffe5a8e09f155fb06b461807d6d68b00afea9

SHA256
171f6cd73a02f57ebf81c8100233450229163abbd60caab09b1c69dc0190d896

SHA512
92e085e8acdb12743b953d80ef4d6f1e216dfd68dbb049afe406e9a7035d852d9493fdd859e5c5256889adf2c814c2fd3f21964d05e68717474aca336a15b10e

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
182KB

MD5
5d61218ad9514ff509836cb204d1809c

SHA1
148c59246a9f655bf60518b098c968f5710705b9

SHA256
13d28ea093bfaa75743e9803e4983d54837a33820244e44d344518fb33b01bd7

SHA512
cf0ae254be3a964368a5302a513e4a014363e0223c59d5f607aee4213422dee2c479b2626500db4513ab53ce4cc64d5ee6a2ad7af8cf33cc98e18af63a929079

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
182KB

MD5
f42a397a7f0df9a758597d30450aa239

SHA1
8e285c5149491928fa498fa984bf7353ff851b68

SHA256
016fdd2db7dda149223b323ad1c0389e598b29cfc15e068b3141a6f65e69128f

SHA512
ac907df101bc7a9adeabd5d340973815d3302f24a81c372c9fc9c6ce6989fa0c72fbe6ee924a999ee45341c8fe4dc6ee0ef4d35194563970dba3f830a8df5129

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
182KB

MD5
884c11595bf9dbc0d57bb9cf5f6823ab

SHA1
54d5b8bb48d0eae7f610fd3bc27ff7fd9e0fa90d

SHA256
276b9faaeb94a4254ad9f517eb38800c59ab52124dc0bc238356596a170f7bd8

SHA512
55533e194c7d8c75f496f2108bd89a28c7b75aa00932edca471aefbfeb7742167c2d44b510a9da2225882f7723165732f40ca0600ebfb82c69b17e0a5c4a442a

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
182KB

MD5
ceb0dd1bc084d2219cb4349920e5fceb

SHA1
878125eea4174dff0427d0e69570caf4e0fbdf95

SHA256
f8d661eb3c89efe236f4ee431e9305ccdbd366f16ce61e3758becf97f58490cc

SHA512
b1fbe42ee4e3c2add469d70711d27394a865f919eaaaf7f02ef8c5468df8039f4edb2c474b6016ffbeaa7490132851ca412c9f63f56ca2c19ac695427a39fa52

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
182KB

MD5
fdeea69b0b6f3f0c9640cfd699cf00c3

SHA1
1384690863b9a92d22dd5d11468e11a7cbcf3ac6

SHA256
bb7183b21ffc8a0e195ad48fdc6fa7e13e10b3ddf3ee6cbd7693ea3a1cf9d69c

SHA512
214a61244d77f3bc2f4e24ceaa396e40c0350b9b9d161b47c3e65c7d241882b3ca7cd15c30bfba69cd6dd3b8ff277b053162f328d90e293526c4007f6bad4dc1

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
182KB

MD5
149fd6494030ab6c5ff860196286cc1c

SHA1
22886b3ff79c492ae903fe6330a77197a1cbaa6d

SHA256
7df710d7c5a6057f3b3225f0fd29f7f2ae0cafd83463d0ac9b9092355742d6b0

SHA512
b8ce3f2c551385bee61ea62dfb7782ac22f2370f4306e7c06d770ac4f70f384215fc3b197d15a7ec3c06214388135236150b0ebd99f60a4575c6a77b2f0fad70

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
182KB

MD5
30040de2138fbb3a0233fa2ff7d7562d

SHA1
586531d8401e1f144f84af468082ae2f578a581b

SHA256
70c18dcd9765ea9f4da51c1b619448ef1c454ffe343bb87ed72d22696779d242

SHA512
35abad89b393b3a30098bc538a9cbc888f4b63e9add30783e27dbb1d7d92f9a6b7d890eaee28f5042e6ddd18612509a127c0b9dd99438801031fdc697a8d4a79

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
182KB

MD5
ebb89c79ac8e007733a6e2785ee6a569

SHA1
fbb4d2040b904bf4f13102fdb6891f6a257f1f55

SHA256
83d5cc55ee3588dcfb7b5c85caeda8719fce822ead068b889c681f11d317d404

SHA512
627711ef12c4acadcac54e94d0907789c8935ecdf26a16f30c5c4dc2201902ba21206cdabe31b2704746439665d7f103816f7663d35851ccec662ebd619705b6

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
182KB

MD5
b0fd3616ff0177ded349dbcd1260240e

SHA1
ffc6d5be3d105c3b694f98abbdddb7520d1ec37c

SHA256
0866966c1112fabd645d6624dcbc308a4ec0efa894abc65a1b3b4548b6f3ac08

SHA512
21ccf6998f05208d00b5cf3054905f5511e607a5405d0124171780c4616ad1c58beaa89817c383d0a2f9620d752c687396c0c1b7eed0dc611a8486e6dcdedfbf

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
182KB

MD5
12f2b9ed967ebf14dad252312f2f7cd8

SHA1
284f7be9d23420527aedf7efc3220dafb2024dc0

SHA256
0d97e74f81b3f218f9547907ebae56f0456660cc0d98497fe96ed6d1aed722ea

SHA512
804db0bd7e68b5c28b93416330a18ffdf03932adcdff8f4aadc49578cc4d1b5ad0bbbda84b59d21e92b0c75843ea56a3d9f39dc1627c290a52e1de1ccabf645b

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
182KB

MD5
6c7dd93312b9bb14abd34c7aa5a0b9ac

SHA1
59ccf01eb65df3f101603d533f7a564541788785

SHA256
99c76045d75205f10d43aa671101e842b21475cc1e66dd02436e7acc9fa0d939

SHA512
8628cb357681b46db10f2ea41151d6b847c43d2d96b899dc18f42d7adb7302793289844ec77f583b03f9188aec4e47c88b9b6d4b73d1a27f77209521239d801b

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
182KB

MD5
262a7f4d2e2c78a5c3f94ee7b227f40a

SHA1
fee167f9e466b0c35a5d0a1cdf420e9a7b0c1295

SHA256
d77645e65f068174d0603c37bccca29a0091b93cbfc7bbf9b30d412bc26c61c4

SHA512
bc7ebca331e6afa39d789d49176f832d5f2f8e663cf61999fa2ad738f2eae967403d6cac3609fabc2d7d702a5e9a5f3203ac0bcf79ff7816fedc30bb29db93a1

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
182KB

MD5
8a639f21821b235da94ebd503d7bf862

SHA1
13f32c53f4fcbeabda26a5c87b5bc5422ee29434

SHA256
b18b9413e3af43b20ac181efba84f51d47b4dfc6b3e024f3248735b5695a888a

SHA512
f9e3024009f0089dd3e00b33b2f89f7f70f56852a7a45afb852ab58e137f57c8492309c29e6b1984e49152ade813902d4046d818e32547136b1827eaac34f840

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
182KB

MD5
cf0fe0df8b610a0b2889ba70e09471f8

SHA1
3cdba941564f71fd61d26ebd133b92e13a2059c0

SHA256
d4c04b5aa3d891eaad414451bf12a73526797a539460c5c7421dda5ca7111bec

SHA512
140d8a7facb18bc14ff90be2d817a631d611d0d6db16497644a17ea746da4a70d7888f7a1c5fc9f4a5b732891f80652d91a9688b499a95bc4b8383bbe6f6111f

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
182KB

MD5
bbe0ad4f5506ebe4603d52826527a862

SHA1
b6cf8ff2a09f6ed7bd56f4cddeea1e4fa3a52d00

SHA256
6e19a42cf053822a4eb47cddc80543e258207511a22ccd63efba89a0dd98c4cc

SHA512
1f7ed371cb027ca857859fb82eed57d0aa9af25657863376b3f477120b5e9418a900df1957307cef270e2456a62fcdd300d1ef1ac2a05ac64bcbf2ebedd3f2a1

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
182KB

MD5
1ecc4dba4c03e1c2b1023ba7200c3fb3

SHA1
8884336be7ffa69d03f16bebce62242ac17128cc

SHA256
430ed6a84fdb23b3011a1ac401d70e97e5def17c057bd3524174a1124e12875c

SHA512
df801aea7afb49d899fe91d240fc09d70b3a3da791cddefa6fcfa264dbc954880ae16d4b5c1c05159d65517ca059b728d3dd840ffffe87c1a2c2b42a2fea5a8f

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
182KB

MD5
9f8d66e72704d24f3f6abbce49867bb3

SHA1
68a6cb09435c54b783d26fa3e2909108e1a95942

SHA256
a22ebbee8e93fa37cc9458820dbb77a85907a784ea91c241994327e4bc0eeb1f

SHA512
8ed484c7d5a04d2ac7f18592fe6a52cce8c4f90569485a1ba1ca7b7e3432acb72e85702d274b96acc55d5b6e26d989783d79eea419ef0d29592c4e61c180ec95

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
182KB

MD5
dc1670cf240765b65ee2d1fb07fb801b

SHA1
04a8f4e62b1b899d775c28217c540a6362fc9769

SHA256
e38f7cd2dfaba9b27bf68414724d4376b1da651a193fba200fc1ecea7efd1907

SHA512
84af1601300b74842c565b4df5902cdfd54b2e69d5a16c19023de2af4ce61c373be98f3a6ec9107e19ea05fe11a21c77b1ed06194d1039c98b9e93d9b97b8bc6

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
182KB

MD5
ebe5ebb7d68419ccef86a06bef59669a

SHA1
05fddbdb935a6b00981cfc73b25db95b1ecce4c8

SHA256
08e9860a05a5aa8e965d74752e8b4d3ad7d1e52fb653e186d34fee313e507645

SHA512
61aabc07ac5374727de3f66f5837dc1fc8ae438e956877756599f1e2a34550835e684c6b2aa0de9e9bef4ee3c149d360009766016634fcd53295d793acfcd6ea

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
182KB

MD5
58da08e130549d5e3a3444856e720cee

SHA1
8c47b9ce0580b58139565ca661bbdf570e8dc506

SHA256
b214efc0a4f3ad5d8076f4ab7a7bc3415c871731f610547c1e4b9035fd14f248

SHA512
16f7043938573d7b2cf5b2ab4a11258a877a384a12fedd3ae92e447f04786b37e9982fb6cf5fc66ec9612553765c66f2002c4c79f4437c5fcf53e1c592f95ac5

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
182KB

MD5
034b6ee322bc1e006a9e5bf4ab3a2321

SHA1
ced01cf444cbaae00321c79bc17decfcc3fb2653

SHA256
e18b7e98d8ce5716b884d885c420f5ad6963106853f8f606b82a040ccfd54c4a

SHA512
46d97d3fbe36e95146678079769fcb37aabd263c4e33e6ff3e8b6a13abc6f20db11e45a0d62fffdb09f91e9cff4748e32079dbd920b16c7f772e22873027cf04

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
182KB

MD5
261c5489e280aeda7e2ef1a9d11de4d7

SHA1
29651b32ff4d3e046aab0b37402ddc3f66422012

SHA256
7d044720fb28420744081990934248e5e7bea39cba1a60819cf9074ff533b1d9

SHA512
390fe43a30045798eda27773c19a785b3a3a193e650a170b637fc41ce2fab763ede8bf38a824470d8d89b972c02f9edb919cb10f6a642dba338849c7c4e639bd

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
182KB

MD5
a7fcd32e955e4581217c93d7de4b80b0

SHA1
ee5083e3a576d1c81d2a95ed0a3dc6e82e0ebde2

SHA256
20da84bb7cf03770f2d892c6dc0b4f6a78b3d0426aea92affedb87ce35c70d04

SHA512
c0d7382f08cc4db7c728ac70cbcb25a5cf3d2bc9409afc6d3224ac195227d5bfb073671010e398ba06b204b1ad2f84955bbaafa0d058b445ae808f04347f368a

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
182KB

MD5
502f4a6d067972341fe67666e5cae7f7

SHA1
7b3755d9a7bf71d79889d1f2113cc55a87f9347d

SHA256
bf7f80df0db3aa8ec929e59c2fb68ddd8c9b858284a2180e6a606bc4c3649f83

SHA512
3bf6a871605c54b7882c2251d85c3a1f4c55ee57fb17dbc72f7f78dbaba08103da399c5e865273424a05ac11ccc7acae9c3f4e938cab6bef739cb0fe89d17955

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
182KB

MD5
a460985f5cc7ef1b4ac9450b08fdcd9b

SHA1
c2ac24619135d887de6600d48c218c9f2cbab257

SHA256
fa4c85586933b02702ffc1b2a4ebddeb7d7e35cda225426677722a81be072026

SHA512
e344edbbfa59e7cfea272a8ccf0c25e992900f6667aec452a579c2ebd316a3a37ce72e17a2f1d924cba40abe2b0a7658a8d3d4e5bfd88d6d780e0d34201e0e62

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
182KB

MD5
255b0a165bc53a5f820df2aa12913e44

SHA1
09f26e32b13583e4135db64eed8b4ea1ca1a9763

SHA256
bfb45b46f60e3779097ac52fac348e94d5e806a2b941669e801410d62029d29c

SHA512
38e7dc493fbbb54bebb743437e1d044423469896cc79e57be35c0a71fc4e3d452735fb1c52734530a1c180a1343c10c902e7349dbb023075dc6ad5f4f2e74039

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
182KB

MD5
100858cc3ed74155537952cef254e251

SHA1
536f5afae0dfa08ea3e25b2fdd285faeb05cd7ae

SHA256
4d7b4e55e0ceed6ce44ddc338b5076ff5d355c35d895f0349c7bf4667fde9e58

SHA512
016cb0486279a6f24ef474e21cba39e547187c669ab17b5abcddbf46b572ecefb3e6308128f2903d39b8fb01de207023293401ba6bd03ece857bd3ed35ac859a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
182KB

MD5
ea055e442c7899441df3b473acc3b16d

SHA1
ca8f4be8f5efdc17897b75fd2e8b4eda4caae357

SHA256
6b6228e5b98ba256eff970dd1b909c8bf077cedc6b5e75528c5c086c1291e11f

SHA512
e853239ac79c64f9ceb47469b808cd5c836607fa2133643d3a469399d1c517033d3321547212bacebbf5b9d93f75c05010a010f97a749e4e6e4784a78388609d

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
182KB

MD5
724dc4ac2186092fc2973152c275c8bf

SHA1
a8554a29e9d7fa89ab7c0d72fdd7258482f1d51a

SHA256
8c7ea29e775b443336bdbb4b536c64ccae4d314da94323065b15ae6c9989ad78

SHA512
815ec3ac6783f780f9683cc180e5611906131b1d5e49da87274b4106a8c0cc483dba0aa07188ffa377b37b2cc62342855bee64bc2aaf03d262ce9a235ce1c84c

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
182KB

MD5
da13873eacacecd8b886ecf0b3123e04

SHA1
288cac169799f74288525ecf47d5adaac4bb03a8

SHA256
0053d39fd32d26ca2ece837d4bbfc07480652758d2135cc75de59ccdf5e61e92

SHA512
4863832ad359f648fe54c1df007f556f1fc8f092dc94223fe8732ed867c19736d269a4b30fd4c030c8c8b34e1b69633ab052e871ef5c4d1de06d9693d207201e

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
182KB

MD5
9ae1cb2025e9f30e67051ea4b477ccb9

SHA1
72ab67c0d5b0382371b3280a90c0395b11b903c1

SHA256
2c946b3c85edbaeb8024a4fbd39b8dcb77e4b8ac8101ae00ad5cd0279834352b

SHA512
5450bc1f06eb3f2357fe0aa6f7a90a55058520b03f1ec3c4f27d34ad75572e6c7b573bfee2b010bc372e97c691dcc217062e6158deab15ff3570e2c4f667433e

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
182KB

MD5
bdae03a465a8bdd1d581d872d1ef6faf

SHA1
f83b7ef23a555ab44ea502c4c6c92c938b85276c

SHA256
2852cce760a8e87339097835576ec4ea5421088a86dca2f6bee9e85f341812b3

SHA512
fdb3fc84b31820708505b8bf8894e21ff1b3c615d709cdc82c896b36342926a105413f9b50de095e63645f98daa3f61c8ad85f11d29d8deb39b21dd1c8239f55

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
182KB

MD5
8a3e1feb7beeafcebb6456129a1101dd

SHA1
102ebd043add671824d2441ac46016c3387e9cc9

SHA256
80c8a33c8ac8de0dc4caf48f77f466f1220682d65e692086a7e2eb3ee72d2d56

SHA512
2b84d9b6fcce09b98ad43e6f57c6086810cafabf26c2e2a0023b6cda94fa80720e1d2cbada828fc18aed962869fc19f2a971b4595dcc63b5ec999dc0c4395c7c

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
182KB

MD5
7b1f8325d5a1b3067f5140d5368d9c9c

SHA1
76f3ea3777f921b6ea23d9e67ed1f5688a6a3918

SHA256
335cb6ea9a7f5580db3d5b38721fe93a09dc13cc811cdc15cadc7b92974715f4

SHA512
8b71bd0573ef7e9ee9ae6648eb9058904656c806ba4a10377e49bd843dd705a77c505e760283947319c7ca20bedc70da311952346d7a13a0189c1d5008e8324f

Download Submit
memory/432-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/540-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-750-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/840-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1084-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1428-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1748-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2016-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2336-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2352-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2388-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2440-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2872-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3128-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3268-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3292-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3296-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3432-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3508-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3956-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4104-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4128-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4252-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4256-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-579-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-599-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-585-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4664-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4884-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4920-433-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4956-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads