berbew | 40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838

Analysis

max time kernel
92s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe
Size

704KB
MD5

cdf0b0a4333ba59f3ff484d79b05ec26
SHA1

572a1ef397f2ab9cc212d88202ea7ed988079923
SHA256

40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838
SHA512

4aa429c8f45595b1d0508629f1b7a5cb5675244957f84904f1cde71b178ebcaf50d6f55776dfdb96be08ed6f5ab1f56137153a0fb3f09461d4bf4c966d814964
SSDEEP

12288:VYbxJ7PbWGRdA6sQlFh2kkkkK4kXkkkkkkkkl888888888888888888nusMH0Qiw:VAxVHFh2kkkkK4kXkkkkkkkkhLX3a20v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjhlpgpk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aefbcogf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmdmdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npabof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbdgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicdncn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqihhbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegljmid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anedfffb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmpmpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aefbcogf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Minglmdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlqlch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmimhpoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccfej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njifhljn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenakl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogfjgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afcfph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceihplga.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgageace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfbdblnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccfej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegljmid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmfqcqql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doicia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiaibap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndagjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjagmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dffdcccb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anhaledo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnopcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beklnn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicdncn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lefkpq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mboeddad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlllof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anhaledo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgageace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pddmga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afebeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmimhpoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcolh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
548	Lefkpq32.exe
4684	Lffhjcmb.exe
3608	Lbmhod32.exe
3448	Lmbmlmbl.exe
976	Lpqihhbp.exe
4008	Mboeddad.exe
928	Minglmdk.exe
3508	Mgageace.exe
736	Medgan32.exe
1596	Mchhjbii.exe
4724	Mlqlch32.exe
1420	Ndhdde32.exe
4576	Ngfqqa32.exe
876	Npabof32.exe
4200	Njifhljn.exe
396	Nfpgmmpb.exe
5044	Ndagjd32.exe
1984	Nfbdblnp.exe
2136	Nlllof32.exe
4020	Odcdpd32.exe
2752	Ogfjgo32.exe
5080	Oqonpdgn.exe
3964	Ogkcbn32.exe
404	Pcbdgo32.exe
3960	Pgplnmib.exe
2724	Pddmga32.exe
2948	Pdfjla32.exe
2432	Pdhfbacf.exe
2640	Qjhlpgpk.exe
4184	Anedfffb.exe
1832	Anhaledo.exe
472	Afcfph32.exe
3892	Afebeg32.exe
3932	Aefbcogf.exe
5008	Ambgha32.exe
2596	Agglej32.exe
4052	Beklnn32.exe
3056	Bfmhff32.exe
2852	Babmco32.exe
1132	Bfoelf32.exe
1112	Bmimhpoj.exe
1976	Bccfej32.exe
3120	Bjmnbd32.exe
2208	Bebbom32.exe
2548	Bjokgd32.exe
3712	Baicdncn.exe
2324	Bhckqh32.exe
4932	Cjagmd32.exe
5100	Cegljmid.exe
4000	Cfhhbe32.exe
2384	Cnopcb32.exe
4304	Ceihplga.exe
3316	Cjfqhcei.exe
4336	Cmdmdo32.exe
3672	Chjaag32.exe
3424	Cmgjjn32.exe
1404	Cenakl32.exe
2140	Cjkjcb32.exe
2192	Cdcolh32.exe
1560	Doicia32.exe
1512	Deckfkof.exe
2308	Dokpoq32.exe
3500	Dffdcccb.exe
4440	Dmpmpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdcolh32.exe	Cjkjcb32.exe
File created	C:\Windows\SysWOW64\Fageamqg.dll	Cdcolh32.exe
File created	C:\Windows\SysWOW64\Ndagjd32.exe	Nfpgmmpb.exe
File opened for modification	C:\Windows\SysWOW64\Nlllof32.exe	Nfbdblnp.exe
File created	C:\Windows\SysWOW64\Ljbonmno.dll	Anhaledo.exe
File created	C:\Windows\SysWOW64\Cmgjjn32.exe	Chjaag32.exe
File created	C:\Windows\SysWOW64\Cenakl32.exe	Cmgjjn32.exe
File created	C:\Windows\SysWOW64\Hnichmjj.dll	Mchhjbii.exe
File opened for modification	C:\Windows\SysWOW64\Odcdpd32.exe	Nlllof32.exe
File opened for modification	C:\Windows\SysWOW64\Pdhfbacf.exe	Pdfjla32.exe
File created	C:\Windows\SysWOW64\Nekogclj.dll	Bmfqcqql.exe
File created	C:\Windows\SysWOW64\Doicia32.exe	Cdcolh32.exe
File created	C:\Windows\SysWOW64\Pjnjhf32.dll	Ngfqqa32.exe
File created	C:\Windows\SysWOW64\Hoblolle.dll	Pgplnmib.exe
File opened for modification	C:\Windows\SysWOW64\Chjaag32.exe	Cmdmdo32.exe
File created	C:\Windows\SysWOW64\Bjokgd32.exe	Bebbom32.exe
File created	C:\Windows\SysWOW64\Caicdcpj.dll	Bebbom32.exe
File opened for modification	C:\Windows\SysWOW64\Cjagmd32.exe	Bhckqh32.exe
File opened for modification	C:\Windows\SysWOW64\Minglmdk.exe	Mboeddad.exe
File created	C:\Windows\SysWOW64\Falobd32.dll	Minglmdk.exe
File created	C:\Windows\SysWOW64\Ejbnnpll.dll	Pdhfbacf.exe
File created	C:\Windows\SysWOW64\Momljmek.dll	Anedfffb.exe
File opened for modification	C:\Windows\SysWOW64\Bfmhff32.exe	Beklnn32.exe
File created	C:\Windows\SysWOW64\Bhckqh32.exe	Baicdncn.exe
File created	C:\Windows\SysWOW64\Jbhfcmeh.dll	Cegljmid.exe
File created	C:\Windows\SysWOW64\Qhigml32.dll	Doicia32.exe
File created	C:\Windows\SysWOW64\Minglmdk.exe	Mboeddad.exe
File created	C:\Windows\SysWOW64\Oqonpdgn.exe	Ogfjgo32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdgo32.exe	Ogkcbn32.exe
File created	C:\Windows\SysWOW64\Ibdllp32.dll	Pcbdgo32.exe
File created	C:\Windows\SysWOW64\Bfoelf32.exe	Babmco32.exe
File created	C:\Windows\SysWOW64\Dmpmpm32.exe	Dffdcccb.exe
File created	C:\Windows\SysWOW64\Khpkgglb.dll	Dmpmpm32.exe
File opened for modification	C:\Windows\SysWOW64\Danefkqe.exe	Dfiaibap.exe
File opened for modification	C:\Windows\SysWOW64\Dokpoq32.exe	Deckfkof.exe
File created	C:\Windows\SysWOW64\Mboeddad.exe	Lpqihhbp.exe
File created	C:\Windows\SysWOW64\Ndhdde32.exe	Mlqlch32.exe
File created	C:\Windows\SysWOW64\Cmegcdno.dll	Nlllof32.exe
File created	C:\Windows\SysWOW64\Anedfffb.exe	Qjhlpgpk.exe
File created	C:\Windows\SysWOW64\Cfhhbe32.exe	Cegljmid.exe
File created	C:\Windows\SysWOW64\Lmbmlmbl.exe	Lbmhod32.exe
File opened for modification	C:\Windows\SysWOW64\Mboeddad.exe	Lpqihhbp.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjjn32.exe	Chjaag32.exe
File created	C:\Windows\SysWOW64\Dfiaibap.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Kpjbip32.dll	Ddjemgal.exe
File opened for modification	C:\Windows\SysWOW64\Mgageace.exe	Minglmdk.exe
File opened for modification	C:\Windows\SysWOW64\Medgan32.exe	Mgageace.exe
File opened for modification	C:\Windows\SysWOW64\Ogfjgo32.exe	Odcdpd32.exe
File opened for modification	C:\Windows\SysWOW64\Oqonpdgn.exe	Ogfjgo32.exe
File created	C:\Windows\SysWOW64\Jjflhj32.dll	Ambgha32.exe
File created	C:\Windows\SysWOW64\Cnopcb32.exe	Cfhhbe32.exe
File created	C:\Windows\SysWOW64\Cmdmdo32.exe	Cjfqhcei.exe
File created	C:\Windows\SysWOW64\Chjaag32.exe	Cmdmdo32.exe
File created	C:\Windows\SysWOW64\Pkpbmggk.dll	Mboeddad.exe
File opened for modification	C:\Windows\SysWOW64\Ndagjd32.exe	Nfpgmmpb.exe
File created	C:\Windows\SysWOW64\Ogkcbn32.exe	Oqonpdgn.exe
File created	C:\Windows\SysWOW64\Ecpakh32.dll	Afebeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bccfej32.exe	Bmimhpoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfiaibap.exe	Ddjemgal.exe
File created	C:\Windows\SysWOW64\Odcdpd32.exe	Nlllof32.exe
File created	C:\Windows\SysWOW64\Ndnleh32.dll	Cjkjcb32.exe
File created	C:\Windows\SysWOW64\Jhphlj32.dll	Deckfkof.exe
File created	C:\Windows\SysWOW64\Enfamfpn.dll	Ogkcbn32.exe
File created	C:\Windows\SysWOW64\Ejlqadpo.dll	Babmco32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3044	4424	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfqqa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anhaledo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njifhljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhfbacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mboeddad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babmco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimhpoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccfej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhckqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lffhjcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgplnmib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjhlpgpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfpgmmpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlqlch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anedfffb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aefbcogf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnopcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minglmdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmpmpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afcfph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beklnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfoelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndagjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmhod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlllof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmfqcqql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceihplga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcolh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deckfkof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkpq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhdde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npabof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogfjgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pddmga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebbom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenakl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danefkqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgageace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afebeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmbmlmbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmhff32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dokpoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dffdcccb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjemgal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiaibap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfbdblnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicdncn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odcdpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjagmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqihhbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfqhcei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doicia32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndagjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odcdpd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqonpdgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelfff32.dll"	Oqonpdgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdhfbacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgokd32.dll"	Njifhljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljijhmcc.dll"	Dffdcccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlibenih.dll"	Ceihplga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfpgmmpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjdll32.dll"	Nfbdblnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbdgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pddmga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnneah32.dll"	Mgageace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlqlch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afebeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afebeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkhpc32.dll"	Baicdncn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhckqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhckqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjcb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpkgglb.dll"	Dmpmpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doicia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lefkpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npabof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogfjgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpakh32.dll"	Afebeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aefbcogf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijcoe32.dll"	Lefkpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojjnf32.dll"	Cnopcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caicdcpj.dll"	Bebbom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnleh32.dll"	Cjkjcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhigml32.dll"	Doicia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiaibap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keqnmjbl.dll"	Ndhdde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjhlpgpk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjhlpgpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anedfffb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beklnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dffdcccb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mchhjbii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgageace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmodcn32.dll"	Npabof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbheqgmg.dll"	Qjhlpgpk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beklnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmdmdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfnfooo.dll"	Cmgjjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngpja32.dll"	Lmbmlmbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfbdblnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babmco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebbom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpbmggk.dll"	Mboeddad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnopcb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 548	4088	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe	81
PID 4088 wrote to memory of 548	4088	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe	81
PID 4088 wrote to memory of 548	4088	40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe	81
PID 548 wrote to memory of 4684	548	Lefkpq32.exe	82
PID 548 wrote to memory of 4684	548	Lefkpq32.exe	82
PID 548 wrote to memory of 4684	548	Lefkpq32.exe	82
PID 4684 wrote to memory of 3608	4684	Lffhjcmb.exe	83
PID 4684 wrote to memory of 3608	4684	Lffhjcmb.exe	83
PID 4684 wrote to memory of 3608	4684	Lffhjcmb.exe	83
PID 3608 wrote to memory of 3448	3608	Lbmhod32.exe	84
PID 3608 wrote to memory of 3448	3608	Lbmhod32.exe	84
PID 3608 wrote to memory of 3448	3608	Lbmhod32.exe	84
PID 3448 wrote to memory of 976	3448	Lmbmlmbl.exe	85
PID 3448 wrote to memory of 976	3448	Lmbmlmbl.exe	85
PID 3448 wrote to memory of 976	3448	Lmbmlmbl.exe	85
PID 976 wrote to memory of 4008	976	Lpqihhbp.exe	86
PID 976 wrote to memory of 4008	976	Lpqihhbp.exe	86
PID 976 wrote to memory of 4008	976	Lpqihhbp.exe	86
PID 4008 wrote to memory of 928	4008	Mboeddad.exe	87
PID 4008 wrote to memory of 928	4008	Mboeddad.exe	87
PID 4008 wrote to memory of 928	4008	Mboeddad.exe	87
PID 928 wrote to memory of 3508	928	Minglmdk.exe	88
PID 928 wrote to memory of 3508	928	Minglmdk.exe	88
PID 928 wrote to memory of 3508	928	Minglmdk.exe	88
PID 3508 wrote to memory of 736	3508	Mgageace.exe	89
PID 3508 wrote to memory of 736	3508	Mgageace.exe	89
PID 3508 wrote to memory of 736	3508	Mgageace.exe	89
PID 736 wrote to memory of 1596	736	Medgan32.exe	90
PID 736 wrote to memory of 1596	736	Medgan32.exe	90
PID 736 wrote to memory of 1596	736	Medgan32.exe	90
PID 1596 wrote to memory of 4724	1596	Mchhjbii.exe	91
PID 1596 wrote to memory of 4724	1596	Mchhjbii.exe	91
PID 1596 wrote to memory of 4724	1596	Mchhjbii.exe	91
PID 4724 wrote to memory of 1420	4724	Mlqlch32.exe	92
PID 4724 wrote to memory of 1420	4724	Mlqlch32.exe	92
PID 4724 wrote to memory of 1420	4724	Mlqlch32.exe	92
PID 1420 wrote to memory of 4576	1420	Ndhdde32.exe	93
PID 1420 wrote to memory of 4576	1420	Ndhdde32.exe	93
PID 1420 wrote to memory of 4576	1420	Ndhdde32.exe	93
PID 4576 wrote to memory of 876	4576	Ngfqqa32.exe	94
PID 4576 wrote to memory of 876	4576	Ngfqqa32.exe	94
PID 4576 wrote to memory of 876	4576	Ngfqqa32.exe	94
PID 876 wrote to memory of 4200	876	Npabof32.exe	95
PID 876 wrote to memory of 4200	876	Npabof32.exe	95
PID 876 wrote to memory of 4200	876	Npabof32.exe	95
PID 4200 wrote to memory of 396	4200	Njifhljn.exe	96
PID 4200 wrote to memory of 396	4200	Njifhljn.exe	96
PID 4200 wrote to memory of 396	4200	Njifhljn.exe	96
PID 396 wrote to memory of 5044	396	Nfpgmmpb.exe	97
PID 396 wrote to memory of 5044	396	Nfpgmmpb.exe	97
PID 396 wrote to memory of 5044	396	Nfpgmmpb.exe	97
PID 5044 wrote to memory of 1984	5044	Ndagjd32.exe	98
PID 5044 wrote to memory of 1984	5044	Ndagjd32.exe	98
PID 5044 wrote to memory of 1984	5044	Ndagjd32.exe	98
PID 1984 wrote to memory of 2136	1984	Nfbdblnp.exe	99
PID 1984 wrote to memory of 2136	1984	Nfbdblnp.exe	99
PID 1984 wrote to memory of 2136	1984	Nfbdblnp.exe	99
PID 2136 wrote to memory of 4020	2136	Nlllof32.exe	100
PID 2136 wrote to memory of 4020	2136	Nlllof32.exe	100
PID 2136 wrote to memory of 4020	2136	Nlllof32.exe	100
PID 4020 wrote to memory of 2752	4020	Odcdpd32.exe	101
PID 4020 wrote to memory of 2752	4020	Odcdpd32.exe	101
PID 4020 wrote to memory of 2752	4020	Odcdpd32.exe	101
PID 2752 wrote to memory of 5080	2752	Ogfjgo32.exe	102

C:\Users\Admin\AppData\Local\Temp\40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe
"C:\Users\Admin\AppData\Local\Temp\40730a3ef515880fe894389e9ca1ab27cea1bb72f01e342ced9c7805d94ff838.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\SysWOW64\Lefkpq32.exe
  C:\Windows\system32\Lefkpq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\Lffhjcmb.exe
    C:\Windows\system32\Lffhjcmb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\SysWOW64\Lbmhod32.exe
      C:\Windows\system32\Lbmhod32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\Lmbmlmbl.exe
        
        C:\Windows\system32\Lmbmlmbl.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\SysWOW64\Lpqihhbp.exe
        
        C:\Windows\system32\Lpqihhbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Mboeddad.exe
        
        C:\Windows\system32\Mboeddad.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Minglmdk.exe
        
        C:\Windows\system32\Minglmdk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mgageace.exe
        
        C:\Windows\system32\Mgageace.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Medgan32.exe
        
        C:\Windows\system32\Medgan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Mchhjbii.exe
        
        C:\Windows\system32\Mchhjbii.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Mlqlch32.exe
        
        C:\Windows\system32\Mlqlch32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ndhdde32.exe
        
        C:\Windows\system32\Ndhdde32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Ngfqqa32.exe
        
        C:\Windows\system32\Ngfqqa32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Npabof32.exe
        
        C:\Windows\system32\Npabof32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Njifhljn.exe
        
        C:\Windows\system32\Njifhljn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Nfpgmmpb.exe
        
        C:\Windows\system32\Nfpgmmpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ndagjd32.exe
        
        C:\Windows\system32\Ndagjd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Nfbdblnp.exe
        
        C:\Windows\system32\Nfbdblnp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Nlllof32.exe
        
        C:\Windows\system32\Nlllof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Odcdpd32.exe
        
        C:\Windows\system32\Odcdpd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Ogfjgo32.exe
        
        C:\Windows\system32\Ogfjgo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Oqonpdgn.exe
        
        C:\Windows\system32\Oqonpdgn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ogkcbn32.exe
        
        C:\Windows\system32\Ogkcbn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\Pcbdgo32.exe
        
        C:\Windows\system32\Pcbdgo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Pgplnmib.exe
        
        C:\Windows\system32\Pgplnmib.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\Pddmga32.exe
        
        C:\Windows\system32\Pddmga32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Pdfjla32.exe
        
        C:\Windows\system32\Pdfjla32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Pdhfbacf.exe
        
        C:\Windows\system32\Pdhfbacf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Qjhlpgpk.exe
        
        C:\Windows\system32\Qjhlpgpk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Anedfffb.exe
        
        C:\Windows\system32\Anedfffb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Anhaledo.exe
        
        C:\Windows\system32\Anhaledo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\Afcfph32.exe
        
        C:\Windows\system32\Afcfph32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\Afebeg32.exe
        
        C:\Windows\system32\Afebeg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Aefbcogf.exe
        
        C:\Windows\system32\Aefbcogf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Ambgha32.exe
        
        C:\Windows\system32\Ambgha32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Agglej32.exe
        
        C:\Windows\system32\Agglej32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Beklnn32.exe
        
        C:\Windows\system32\Beklnn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bfmhff32.exe
        
        C:\Windows\system32\Bfmhff32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Bmfqcqql.exe
        
        C:\Windows\system32\Bmfqcqql.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Babmco32.exe
        
        C:\Windows\system32\Babmco32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Bfoelf32.exe
        
        C:\Windows\system32\Bfoelf32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Bmimhpoj.exe
        
        C:\Windows\system32\Bmimhpoj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\Bccfej32.exe
        
        C:\Windows\system32\Bccfej32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\Bjmnbd32.exe
        
        C:\Windows\system32\Bjmnbd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Bebbom32.exe
        
        C:\Windows\system32\Bebbom32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Bjokgd32.exe
        
        C:\Windows\system32\Bjokgd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Baicdncn.exe
        
        C:\Windows\system32\Baicdncn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Bhckqh32.exe
        
        C:\Windows\system32\Bhckqh32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Cjagmd32.exe
        
        C:\Windows\system32\Cjagmd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Cegljmid.exe
        
        C:\Windows\system32\Cegljmid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Cfhhbe32.exe
        
        C:\Windows\system32\Cfhhbe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Cnopcb32.exe
        
        C:\Windows\system32\Cnopcb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ceihplga.exe
        
        C:\Windows\system32\Ceihplga.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Cjfqhcei.exe
        
        C:\Windows\system32\Cjfqhcei.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Cmdmdo32.exe
        
        C:\Windows\system32\Cmdmdo32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Chjaag32.exe
        
        C:\Windows\system32\Chjaag32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Cmgjjn32.exe
        
        C:\Windows\system32\Cmgjjn32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Cenakl32.exe
        
        C:\Windows\system32\Cenakl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Cjkjcb32.exe
        
        C:\Windows\system32\Cjkjcb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Cdcolh32.exe
        
        C:\Windows\system32\Cdcolh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Doicia32.exe
        
        C:\Windows\system32\Doicia32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Deckfkof.exe
        
        C:\Windows\system32\Deckfkof.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\Dokpoq32.exe
        
        C:\Windows\system32\Dokpoq32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\Dffdcccb.exe
        
        C:\Windows\system32\Dffdcccb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Dmpmpm32.exe
        
        C:\Windows\system32\Dmpmpm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Ddjemgal.exe
        
        C:\Windows\system32\Ddjemgal.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Dfiaibap.exe
        
        C:\Windows\system32\Dfiaibap.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Danefkqe.exe
        
        C:\Windows\system32\Danefkqe.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 400
        70⤵
        Program crash
        
        PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4424 -ip 4424
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afcfph32.exe

Filesize
704KB

MD5
312868732253e3479de242ca9e2c5958

SHA1
6afb313d82f9c61807df05c59603cb1e6d0edbe2

SHA256
77efc8ef2315de023de41c0446139f5862b6aaca9c1aa0c4e8ec2f07e48b9711

SHA512
756f5753c17de5e892373899dd7f3ea93e948cc5d3d2616f124b68cb93bb8ace5e8cc37981de90602535d5656f0ba6ef0db6a026822dca4b6ab3cb76d0d15fef

Download Submit
C:\Windows\SysWOW64\Agglej32.exe

Filesize
704KB

MD5
028b59f4aacabbbb33291229126660a7

SHA1
0dc9ad7785f3ad1a183b34282f2c2f68ac7b2c0f

SHA256
e87444514b7464271b81c8cbd6af112c3d21c01b3640b01c6ec0f2141f759d24

SHA512
b5fb0d2407f8eaf57956ac7b8a47b9e84712b71ff3d9e1b82b317b0a7df07479090755ec90bc8494bcdde26f56f435182e075abc5ed437674210c99df834bdbd

Download Submit
C:\Windows\SysWOW64\Anedfffb.exe

Filesize
704KB

MD5
9de711fc6ac3167fcf096a3dd1fe811e

SHA1
3b9081d3e6a58b57e4088f3bc91f3f66da8f7fe3

SHA256
42fa36b3cac1fc9b15b4bf8573e76897cedb4e2a5fc58ae72381e0c505dbe042

SHA512
bb7e89178cd114097ad440f4d410acc364549a267cec3d7d1daba53f86f96a2f676f6a81b67e06011332fdbf4621d117c2b4dda1eb302a5e22fe9bd1a6dcef9d

Download Submit
C:\Windows\SysWOW64\Anhaledo.exe

Filesize
704KB

MD5
d610255dc4acfaf44a3e3a498104cd14

SHA1
11fbd1a14a483e8a66aa77a5d02ca02caad9e87d

SHA256
736d6d8d0418b7ef25240a59f1de5b50cef9363a27eb1698ff4a3171c0ab2a63

SHA512
fd410390ba6eada166a07b4beec9ac8729b0d405c82d87917f2cd57359346444cfa5a73705b838faceaedb419bba50c14004cd0d8321ce3fb2ebade86d284223

Download Submit
C:\Windows\SysWOW64\Bccfej32.exe

Filesize
704KB

MD5
2b1d5abf5ae8d2ad0aeb144924e06479

SHA1
ed03b5f70944f71ce05f1b4ce6f4e1bdabdf55d7

SHA256
086a756caee2a48ccf8f1953996fb753200174332a98eff2d5641349a12c8007

SHA512
5430780b98cfef463b8fac75cc6e44d16886487fc135b3479c7aa1765afde8171b8b80b4e892ec245da60877bf93831a43f09c612fa2cc347698fb4924ee6851

Download Submit
C:\Windows\SysWOW64\Bebbom32.exe

Filesize
576KB

MD5
ab567b523647a8ceab7de9cbd235e3bc

SHA1
c02e1da2c3586535fe683bf134bc78b9336c2c42

SHA256
a1962dae04f95eaf94b64e481215a93f6d4bd581e0a652f926a592f4ddbe92b2

SHA512
6a6feff2bfd453377a598bb580b7cd323eb075358171d732f1ce8b098fe10dc0a235d78e3003708ea1be822bc6ff473cc285bb9474b55b60ea21059ecc40f253

Download Submit
C:\Windows\SysWOW64\Cdcolh32.exe

Filesize
704KB

MD5
095c0ac6009227e579ef8d00ac498786

SHA1
a4d03423c3cbf301491a2b024bb6139e01a4d9fb

SHA256
93d226d9a85279033752fea1d70165c8df14867c9f6562c7b53c01eb3a729a7d

SHA512
aa34aa75af099294fed23f9dff2cc9a2cdb56ff0784340b2ba81c76822a1b508a5453df55a90c445e6eeee7e644d79b9b74162b2d2f882c2756ec9175aa57872

Download Submit
C:\Windows\SysWOW64\Cegljmid.exe

Filesize
704KB

MD5
0ce86c56139c31dd5c700c96af1effa0

SHA1
297e7988eed82f81762754f519e1ed6e59f07b9c

SHA256
48855e45ecb647bee3ba2b3b2987e782cd86e56c9a5777aff83a217154178863

SHA512
d6d0cfe45534ae311c0b4d68d37b6729da3627fb578659d77f46adfc4d79771f5d1e650c2f2940e195b936b980a8bd045f1fb04fba40718dd718b977c6befd86

Download Submit
C:\Windows\SysWOW64\Ceihplga.exe

Filesize
704KB

MD5
909003c22ef950c9a50c9cd58df3a500

SHA1
87b5501ba6feacf5a98fd1cd0710f8225a83aa49

SHA256
7a561561b7d74d8185220a8fa69d31b94329c20a3c27098d523e6516bb9ea303

SHA512
da882872492bf6a3c3e7aa158993e9ba2a4444e0623e6764e3ca6a808a0c742e43d65f816a22118e9fbe4b6660f2040aab91b64457fee22e3a0086894a558e06

Download Submit
C:\Windows\SysWOW64\Chjaag32.exe

Filesize
704KB

MD5
fc7c53417b1abfdd3584265447777fbb

SHA1
04c969e730f056409ecb1f7653d7eff4ec73a532

SHA256
4213c69cd891953bd2b2a9f1f20aba04d83cdcd4dd3ff739f86cba792314e071

SHA512
cef8d8bf159743120414d802e2ea153bdc170339e30abf0a4c28403a69d36d140f8be59a7882b1b2bf5e763e94d2bb80ec107cfd46b6ae7b6f2c265d105bceb6

Download Submit
C:\Windows\SysWOW64\Cjkjcb32.exe

Filesize
704KB

MD5
d188c9028fd43a3db732530168feb0ae

SHA1
0c7873526722853ab236e035d03931db8f9d3c46

SHA256
3d0120cd3a16e4a81336f78539892ad6d8a8835c72bacaef754cd62b063af384

SHA512
de4fec9a7776cabfadf145a159950cd660a709776d1b2500ab6434372e77fcd9233cfb5248c64b280b91c632ca2a1979cc5dbeeba536291328a795d00a44b423

Download Submit
C:\Windows\SysWOW64\Danefkqe.exe

Filesize
704KB

MD5
91fe90d5d3be09015b25e5504898f46a

SHA1
68ec3c51d0d2b0d99185d2242b318c27a50502f6

SHA256
e98c975f6fe89337bcb94db92510321d4efa815d33d4ec229f0b1ed3e6435a71

SHA512
d17b34a533caed110da4b19ad27fdf25f1551ba5f36cf4b2e4e44fe505f43211a46b1fb0d1f001f1cf0c415d2b9de33816a4f61addc8e1597dca4607fe5910a8

Download Submit
C:\Windows\SysWOW64\Deckfkof.exe

Filesize
704KB

MD5
7d916a55c3cd7eb954e52a307b8094ab

SHA1
04a1ec55d9210cb28061d0897efe643bcb6bdb51

SHA256
4c017a190794df041c8d49c224a062a35d452c7ee4d73f78433bfe76dddc329e

SHA512
c5e087f74241a0c625a99ff004f91b418062b3b1c96660afe7d545beb145e6184d938c5c4ce1e5300a6a71802ca09e713d1d8eec3d72451abda18b36eb14f89f

Download Submit
C:\Windows\SysWOW64\Dmpmpm32.exe

Filesize
192KB

MD5
fd9689f2c8a8b351ac9a10bc6eb09b9a

SHA1
331da8d3690a38b8312c471e23419a53c78f2c88

SHA256
ce5498bcead5288d17d93661811d61e5ba0c99565fdabd1f5a09fd9eef382b93

SHA512
c586ae8c940a3659cfbec7756a68c892c4f471bd62ed6a687aa088d0465545948ee2f69982e53d53b4e6eb8ac9606745e5cb2f6529c34fcbe93b33eaa7465f96

Download Submit
C:\Windows\SysWOW64\Lbmhod32.exe

Filesize
704KB

MD5
597f3466e0b3dccbbeeb6fabe82020ab

SHA1
47bf6acc93d194548e66514efd6c7f13fad50e42

SHA256
1f94d0425c423d78f515a931141f935a4514fdc7db09adb5fe025ac0987de711

SHA512
6c56229bc24d0e8bce3502e413701265abd279e68df8557c043cac1414a73867dd3778900ee1a44eb031c5a1debb70f8173188caf05a0160a50e9e8a78cad5a3

Download Submit
C:\Windows\SysWOW64\Lefkpq32.exe

Filesize
704KB

MD5
074cd11cbebbf4ebe53a7df526a34e76

SHA1
b600a3248750763a3e619a17771d1175e8034c4f

SHA256
beb10508d3997d496f63affd9dd86b1249ff2d059386fcd17f5254b11d4a1218

SHA512
f8ed668a2c16b0f943eeade8c0fc03e86d4978829ea6ed1e2b6adb5647dc2ffef0e631bee39fe08a24d075abadf6757d99fdf4c90347fb5259e241ebbaae9791

Download Submit
C:\Windows\SysWOW64\Lffhjcmb.exe

Filesize
704KB

MD5
a9b13bbfd6dfbc21b658e46cc844f689

SHA1
f55740bd23b3dfb993c65b386e89eece1d7de9c9

SHA256
a9e175fbe655b8ba8a1c633f37a759eee4419d96b4dd2fe3ae27edb3354c67b9

SHA512
18a126156c6c35c9ad5921a15b2904522990a33abadeb09928323efa0c66fc998d0c550b5dd41aa31be1043af151472070a0d1734046deabbf1eaefede3e474a

Download Submit
C:\Windows\SysWOW64\Lmbmlmbl.exe

Filesize
704KB

MD5
650cef9912d929110be6b0f5fe54bf70

SHA1
1133ae525d9aa2282c5eacfa7d6813682022282c

SHA256
fd5ca00809e0596968274ee75dc9a1c031fe41b9416adb2426121ee33e86bed4

SHA512
42c4bab17b8de2ce008424199b4e07abe8b357a309f1010da4d4b76b8932043a4999dd6855f7e38ce51af2cf6971521f0d61fc642b48cbf8f3e94bcd534ae669

Download Submit
C:\Windows\SysWOW64\Lpqihhbp.exe

Filesize
704KB

MD5
507669cba4290eb9e07b286871bf691d

SHA1
52a4ecd001c90303f4565d435fb30cf7f0336591

SHA256
3de3996dde570675d10038685270bf2addc96b443b13934f62c54eab4b203de5

SHA512
b2152cbc7d68f09dd03e1557687b92f3a9e85d017d57944a67753998c6b4c3910483121440da77ecd0f7aa931076d3905e800ef969bb66f6abcee3e6094d1a2e

Download Submit
C:\Windows\SysWOW64\Mboeddad.exe

Filesize
704KB

MD5
9c0fc9ea94ea993bbe61bfe556dd17d3

SHA1
22ffdbd92af9656562360bff03a5f615285b03c8

SHA256
f9c07337241c107a18bed1630b7ec0e25557e379af2ee68b58b8083e871c1dc9

SHA512
a00ca65263c6b301a840157464973d0f8994bd1e50dde8b3b82e9878e287ce402b9b40c7ce9e66273e831208dedbb01df50074b756449a1a35c7d2384c19b13c

Download Submit
C:\Windows\SysWOW64\Mchhjbii.exe

Filesize
704KB

MD5
2762fc258c3ea2c6be4c368869432641

SHA1
b9b9b91ceba9e3b75d68e90fe11328168c02457f

SHA256
d186fb5978ecaaba2b87fb2081494bb92e45a30201b7fca05b615b9b300bd2c6

SHA512
5760362e79025856b3184cf57973d845f3e3ae78a5083cd4f9667a4fb107742471d63576e27458c359bf2b2448a982f9daf6062cd669e99918d679b190c274ed

Download Submit
C:\Windows\SysWOW64\Medgan32.exe

Filesize
704KB

MD5
b8a5a8129c95ea68e47735aa613f5389

SHA1
bc1f79f420c66b25d8a92d5a0e5b7d22c6eaf6e7

SHA256
112ea8e10a2fc41b55143b17943fda84da12a68dddadca24a068024cf031cb36

SHA512
60f10241b14de440c98b08030526fd37bf1e36933bbb97827c6ffd9a00ec70c41cbe099a7373b247b36989424be4d44e62f317e7a3bedd317a759c7150ca3081

Download Submit
C:\Windows\SysWOW64\Mgageace.exe

Filesize
704KB

MD5
79c80d92430593ea5348d1bb1c22a395

SHA1
681183728e5f64b0fd38c878552043e35a824158

SHA256
0f8476b957a281b637773dacb407a47ab238cc5e65552abe908e6e2507e59d52

SHA512
93c90b8462402164b7c773232a7689c96b1b5a7f0681e781382e4662a5c747c7e1fea2d60eba3dde7efbb28da3176b6814ef1649f3b47b83d906b770c2bdb3f9

Download Submit
C:\Windows\SysWOW64\Minglmdk.exe

Filesize
704KB

MD5
5597a004c6becfb624da49ac203c179e

SHA1
3d5ef51c3cd8d59cf182c85faec4dfb7bd5bce09

SHA256
b4428fb5e5599756d53da76a3da5eaba4c45f5803457482d78f0b2686470ee50

SHA512
08167ee93d38815046b51989d6c755e0cf11cf76d6dfef8082f083fed7436df031e5ddd0c3a363e6193d03eff1db1579804609cc505249a096ea3995fdfea5fa

Download Submit
C:\Windows\SysWOW64\Mlqlch32.exe

Filesize
704KB

MD5
2a1219f83c146b69719f4351f00136ea

SHA1
6fe61b5bc13df1428c1a556ad62c4a9dae12e477

SHA256
0075c83f25077dbf9164f973f89b6cbbaa7878f1c382cb17d8be6bc922f4b2e8

SHA512
43f63778c48a80fed6f477a50f27320c3551c6ed498ee262b07fc112138efa76b3bf481ad6c23a5303c4795c7733cc19db09ae0cc03a3df8c664204d7fd6a8ca

Download Submit
C:\Windows\SysWOW64\Ndagjd32.exe

Filesize
704KB

MD5
f5c88d79195e780b941aeefac82b77ee

SHA1
f07b5d7da769bc40beeb24ce060980cc13a86137

SHA256
121a28e41c9bfa12afd96e47613cd24dd7b43e11ed35f7db21bea2f132140ccc

SHA512
b0a0a0f52437d84b7100fce7fcf257c98684e149300a260cb5907a78b706c5c5527e8d8fea9fcf192b12fe24de405e3cb9a5b4a4b5be26c524dcafe90e0c25ef

Download Submit
C:\Windows\SysWOW64\Ndhdde32.exe

Filesize
704KB

MD5
8b09f33b0d17c679dcd10b16945b51ec

SHA1
ec1edc670e66ecb9d9c8a465bdd19d648d85b225

SHA256
c6f335f6fc0bbb17dca5a8661cdfa6e1cece6e32c66c4f9b14e4a4d5a51b224a

SHA512
e933e083a54957255ee8834331ae30d463c046b31f0b8eb3787d97ea3ceae6822a32b2d3e79d844d9a32ffdf5344605ed4b4f8d26ad6f51774b5e7b67bd1a8dd

Download Submit
C:\Windows\SysWOW64\Nfbdblnp.exe

Filesize
704KB

MD5
1ac979ce771ab3b4fee6d7248904e0cb

SHA1
8c9021e264897543fce287878c9420557a0220c6

SHA256
25f12dbdfe69e36ca0f207a9d46e77379ca793f8231d9ff219d7f88ad491c312

SHA512
986e39255b27d609656b4af5806dbc1eb530c0f2594c25093f405fa4c24e708ba94ff535829e3c57af2d613b931d03b36d66ec09fea43e1d843b05789a126b4a

Download Submit
C:\Windows\SysWOW64\Nfpgmmpb.exe

Filesize
704KB

MD5
303f0f195ba2206dfa11268ff3d46601

SHA1
8ffc6d4d5491b5a9efb6bae33b1e826849f8aac9

SHA256
4a7c4d6cdb9425409351d3167b590fbebaaf0a295c3cca6aa002620bf7ec62a5

SHA512
c9b0f99f3cd45c274d5d245da3516df1256bbec4f66264a2198f7988e13594903c440478bb1158aed8c51b9782e7717acbb446394a1b96e5358e79b004466222

Download Submit
C:\Windows\SysWOW64\Ngfqqa32.exe

Filesize
704KB

MD5
e77fae7bc29343138672442d94a4c2c9

SHA1
89db3b669ddf19b66490f0213fd81512dc8d786f

SHA256
70ba017ab4076d7c16a3e51b2898f186f60e4d230a2ad5148fe8253da807d7f7

SHA512
b231ab958e4ee99f7acda798e9f48dd308797515a38a6d86d92c5e656ea7b22e2ec54929c64f375c5647bfc2a95e755cc5b5e7020d0951e0cd3129624713aff2

Download Submit
C:\Windows\SysWOW64\Njifhljn.exe

Filesize
704KB

MD5
8ababb72f81dad6c8d50a9f9a099e39e

SHA1
bc27db664bd34ca20a88ec6dc6c82c73ac8de8cc

SHA256
9175a3f003be270ef37ba7261d2d745fbd3997365bde72b30a41ffc98247f8b3

SHA512
8617bf67198631a0cf3c09f52657c5ca2a9e19f32062fa72052dc0abbab447b4c5ad3591d18ff2e9ba1a6041a4902ab53e69d712026056b91ad1ec31d519542e

Download Submit
C:\Windows\SysWOW64\Nlllof32.exe

Filesize
704KB

MD5
cdec6517f7f9e2b86b3e9ff5fdddbe25

SHA1
281c321d46580436894ac14609396e4bb9fa9afa

SHA256
08fa1bebf10837b7638b787ab375a361e79289e07476dd6519ea575a943f76d7

SHA512
b751998e31472799d18754dec3d4da533e7f6fe957fcbdc511e448630a8764e913e8b15b370c7e4ce98e8d27453bdc1f55640b1e1df06e37284210da0b63cd11

Download Submit
C:\Windows\SysWOW64\Npabof32.exe

Filesize
704KB

MD5
c77a8f32211dd73d404f9b32662353d2

SHA1
312de2dda42fdf7a972c3d5d5568b22f17a75fcd

SHA256
be58c528af0b765b4c1c9772148f3bd36f8773582e59f0f0c4caf1c14fbb1366

SHA512
9eb6df324b06a3cd7149ce49f912c2eb461a4341ebcf45da02a054a32dfc3a1069817cd32ef046e5e4028b4e4fcccfebe5dc6b7b20c3513d309a1702441874a8

Download Submit
C:\Windows\SysWOW64\Odcdpd32.exe

Filesize
704KB

MD5
45cb6e1ffca3f845f1fc9a490be12edb

SHA1
cc949b078f88cc9d687fa7e9227d8da35b6fa5c9

SHA256
9ede0c5c1c1d3ae47f28c0c068889f8d314f88eb17f97767fe2d9f341cb24a07

SHA512
b7e6c242204bd0c7e6ee97139bf0d4cc771622fb6a74d2823fb8f5870cd2302cf86748d67cf185fd743dbc58201b2c5fd226421ccede0eab860489264514b06e

Download Submit
C:\Windows\SysWOW64\Ogfjgo32.exe

Filesize
704KB

MD5
ac85859232ab3d4bc6756aee2776993e

SHA1
e36a2d7575af9be6240edf79685c7cc77df55206

SHA256
d6619d779654d8f91c2edf137f20c60469797576212c6a7ba34b92b0f8bd1f94

SHA512
280d2ed025551b2b5f96e857fe1ef036de8f3ba5aef903302e9cbea84b27c90e5d8405af569d405b6d164de9b11d2d8b66ca89869244cd06b4088641d5935cb0

Download Submit
C:\Windows\SysWOW64\Ogkcbn32.exe

Filesize
704KB

MD5
4251b9e33dc6b76a3897e5001fa01084

SHA1
cb6d837552e952977af3efe84a3e943725d0e0d0

SHA256
569ed5c92069c9f4c026c634713f6b7625da9af19621957abb60b1a3d1feb600

SHA512
e65bbc8b9bb09c59e119d1a1fa1b730a5ef02c1117d7b7c85f5a8dcd090bf9e2f5aded9fbe2d1c1100a90c0462a820310ffed4451e4905ba035d1efea7e75893

Download Submit
C:\Windows\SysWOW64\Oqonpdgn.exe

Filesize
704KB

MD5
c0839838a3259e5055d4068d05901268

SHA1
163480f70e3b55682b2efec472cd11ee88e1bdff

SHA256
ad7c9a7fa5daf88fbca9dd2b4d6a98f25d2bc6d6ba656fcfff51f6a4c3a7a7f7

SHA512
132c36a25f5da5f593995e007eb688172fd90721ee23481adac5ef1103b6a1ec2892af09abb3db9f91721f58245466d691798fcee42687e7b069b759d294d92f

Download Submit
C:\Windows\SysWOW64\Pcbdgo32.exe

Filesize
704KB

MD5
1e009327db7bd6a66092c01edefc66ad

SHA1
d17bfbb16fc9169d1b8634106ef2548b2827381b

SHA256
0805e0822e450ff4ba1e3ba60304552d01be318ee397fc878bed062cd057ec64

SHA512
015f484d5d6aaa3ae69b25efefa079d1d199b0e541ac230e0236940538ee0848590888ba77ec5d169713332b515bad4d08caf193bb98befc1d7ef92eb5b1e335

Download Submit
C:\Windows\SysWOW64\Pddmga32.exe

Filesize
704KB

MD5
2f38a3331479b8236ff19f5214354225

SHA1
d27526fda1e0e6e65b7d896c37e13db754260d82

SHA256
892178786596d750decd8eb6dbf2804c0328c23c44f2c5aa12aa7f33e427eb5c

SHA512
bd3153c381a656016257f2e220e7f728bc1373e1b6d6ad06522d200672dbe11c0301d5376ad4dd70b390d74acb5ab0b4decf70dd3271d6a4ce77d35f9f9cf45a

Download Submit
C:\Windows\SysWOW64\Pdfjla32.exe

Filesize
704KB

MD5
66f19b930f9e5f5fbec102ab92dad3d5

SHA1
0239e65951f7d86660121e0ecd4bcdacdfee4694

SHA256
f6fd259ade443364099bb43f3524e8fae929ebdb7fa081817cb08b9db1de0d30

SHA512
20a741b27f6bc24a07470e2ce2e0f87d5626b27772099ff3e42375a01077c895889a4f75c2da587f45c1ff3f19e98d39a0af7ef50d65804f04ea5ad2b324cdd2

Download Submit
C:\Windows\SysWOW64\Pdhfbacf.exe

Filesize
704KB

MD5
51dce0b274581feebcc0eeb7a8866280

SHA1
0bde2765ffbc29663103f3a4279bb6985d3ff882

SHA256
f565121c920833a9fce9d84dde9bc67684c26ca60d0474767b85d4b7c0034eee

SHA512
8843d435b4f377a2505d13eecfd977fa9812ead6af7222a7be143053e5762cd63dd25001d02ca67a6c6c61d6c145152e2a5a4625a5b20d44fa189ed4143bdfd1

Download Submit
C:\Windows\SysWOW64\Pgplnmib.exe

Filesize
704KB

MD5
f9837c4d3af849810e8c2b2e04ddfe29

SHA1
98b8aa57498bed858f5de5a5505784a895ca2c28

SHA256
38df659deac8bde64f8a157f9c176b21e9c9f4ee5bf735a35408111494650e83

SHA512
4837ac5e88c5df35d0e7c57dfd694d5d5994ac905057978e4afefeb16a7dde15fc58f73a2437b46856e0947d9cb17a31a15ef5f5602b4ece1c721e36c9a3b9ee

Download Submit
C:\Windows\SysWOW64\Qjhlpgpk.exe

Filesize
704KB

MD5
ee1af8d5c5f82ae03f68059b31ad232a

SHA1
af4e6d34c7b4f508eef4e36bfc6cf5023d7a9119

SHA256
209a226fa6c6652a7430a05c79e07c0005afa63777a5bd6fd4df172d47d52c36

SHA512
b4c9eec7e9dbeeecb4d9f7f68a90057e1cc6ba5ebbc2c24eda1795a73d4aa5c125e39134674ad2f5333c1a54e202f5a67dcd2e2021b0525d335681ed0c9cc4d1

Download Submit
memory/396-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/472-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1596-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2548-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4184-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads