berbew | b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
Size

96KB
MD5

4b13149121d048e3cdd98a4db0d84e00
SHA1

a22ea2dec7c3cdccdf4e4d59a8b2a02ba5db7ef2
SHA256

b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d
SHA512

9c108b4b5c80963dfe52ad2323057f4e7d81cdd891768b6a9086c9c24f5f455d4bcbe392f9371db5704b28d951e44c700a8cb48338e11d3ef94d3043dfabe412
SSDEEP

1536:5ZWWtGeHv0t3I7/NvwTS0KhAF1VdTz3QfhZQDduV9jojTIvjrH:WWtfv0t3qeTxKheVdTz3QDQDd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3940	Mibpda32.exe
2580	Mlampmdo.exe
1700	Mdhdajea.exe
4072	Miemjaci.exe
1144	Mpoefk32.exe
748	Mgimcebb.exe
2640	Mlefklpj.exe
2736	Mdmnlj32.exe
1168	Menjdbgj.exe
1416	Mlhbal32.exe
2416	Ndokbi32.exe
2192	Ncbknfed.exe
3968	Nepgjaeg.exe
4340	Npfkgjdn.exe
2196	Nebdoa32.exe
4424	Nlmllkja.exe
4804	Ncfdie32.exe
2820	Njqmepik.exe
3464	Ngdmod32.exe
1648	Nlaegk32.exe
3832	Nggjdc32.exe
1488	Olcbmj32.exe
3236	Ocnjidkf.exe
4920	Ojgbfocc.exe
1152	Olfobjbg.exe
452	Ofnckp32.exe
4996	Oneklm32.exe
4260	Olhlhjpd.exe
4956	Opdghh32.exe
1876	Ocbddc32.exe
220	Ognpebpj.exe
1444	Ofqpqo32.exe
3524	Ojllan32.exe
2016	Onhhamgg.exe
4432	Oqfdnhfk.exe
2136	Odapnf32.exe
2624	Ocdqjceo.exe
3948	Ojoign32.exe
3488	Onjegled.exe
1892	Oqhacgdh.exe
4592	Ofeilobp.exe
4172	Pqknig32.exe
3628	Pgefeajb.exe
2724	Pfhfan32.exe
3076	Pnonbk32.exe
2080	Pdifoehl.exe
4216	Pggbkagp.exe
2368	Pjeoglgc.exe
4496	Pcncpbmd.exe
1128	Pjhlml32.exe
1764	Pqbdjfln.exe
3640	Pgllfp32.exe
4388	Pmidog32.exe
708	Pcbmka32.exe
736	Qceiaa32.exe
2024	Qfcfml32.exe
4252	Qmmnjfnl.exe
5024	Qffbbldm.exe
548	Ampkof32.exe
4532	Aqkgpedc.exe
3848	Ageolo32.exe
2256	Aqncedbp.exe
2796	Agglboim.exe
2700	Aqppkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aihbcp32.dll	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Codqon32.dll	Nepgjaeg.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Neimdg32.dll	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Gijlad32.dll	Mibpda32.exe
File opened for modification	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Ngdmod32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ofeilobp.exe
File opened for modification	C:\Windows\SysWOW64\Mlefklpj.exe	Mgimcebb.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ncbknfed.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ngdmod32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Mibpda32.exe	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Menjdbgj.exe	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Ngdmod32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Miemjaci.exe	Mdhdajea.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bchdhnom.dll	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Knkkfojb.dll	Ndokbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5256	904	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlefklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlampmdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npfkgjdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Menjdbgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nebdoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjiccacq.dll"	Mgimcebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchdhnom.dll"	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfenmm32.dll"	Miemjaci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpoefk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3940	4444	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe	83
PID 4444 wrote to memory of 3940	4444	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe	83
PID 4444 wrote to memory of 3940	4444	b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe	83
PID 3940 wrote to memory of 2580	3940	Mibpda32.exe	84
PID 3940 wrote to memory of 2580	3940	Mibpda32.exe	84
PID 3940 wrote to memory of 2580	3940	Mibpda32.exe	84
PID 2580 wrote to memory of 1700	2580	Mlampmdo.exe	85
PID 2580 wrote to memory of 1700	2580	Mlampmdo.exe	85
PID 2580 wrote to memory of 1700	2580	Mlampmdo.exe	85
PID 1700 wrote to memory of 4072	1700	Mdhdajea.exe	86
PID 1700 wrote to memory of 4072	1700	Mdhdajea.exe	86
PID 1700 wrote to memory of 4072	1700	Mdhdajea.exe	86
PID 4072 wrote to memory of 1144	4072	Miemjaci.exe	87
PID 4072 wrote to memory of 1144	4072	Miemjaci.exe	87
PID 4072 wrote to memory of 1144	4072	Miemjaci.exe	87
PID 1144 wrote to memory of 748	1144	Mpoefk32.exe	88
PID 1144 wrote to memory of 748	1144	Mpoefk32.exe	88
PID 1144 wrote to memory of 748	1144	Mpoefk32.exe	88
PID 748 wrote to memory of 2640	748	Mgimcebb.exe	89
PID 748 wrote to memory of 2640	748	Mgimcebb.exe	89
PID 748 wrote to memory of 2640	748	Mgimcebb.exe	89
PID 2640 wrote to memory of 2736	2640	Mlefklpj.exe	90
PID 2640 wrote to memory of 2736	2640	Mlefklpj.exe	90
PID 2640 wrote to memory of 2736	2640	Mlefklpj.exe	90
PID 2736 wrote to memory of 1168	2736	Mdmnlj32.exe	91
PID 2736 wrote to memory of 1168	2736	Mdmnlj32.exe	91
PID 2736 wrote to memory of 1168	2736	Mdmnlj32.exe	91
PID 1168 wrote to memory of 1416	1168	Menjdbgj.exe	92
PID 1168 wrote to memory of 1416	1168	Menjdbgj.exe	92
PID 1168 wrote to memory of 1416	1168	Menjdbgj.exe	92
PID 1416 wrote to memory of 2416	1416	Mlhbal32.exe	93
PID 1416 wrote to memory of 2416	1416	Mlhbal32.exe	93
PID 1416 wrote to memory of 2416	1416	Mlhbal32.exe	93
PID 2416 wrote to memory of 2192	2416	Ndokbi32.exe	94
PID 2416 wrote to memory of 2192	2416	Ndokbi32.exe	94
PID 2416 wrote to memory of 2192	2416	Ndokbi32.exe	94
PID 2192 wrote to memory of 3968	2192	Ncbknfed.exe	95
PID 2192 wrote to memory of 3968	2192	Ncbknfed.exe	95
PID 2192 wrote to memory of 3968	2192	Ncbknfed.exe	95
PID 3968 wrote to memory of 4340	3968	Nepgjaeg.exe	96
PID 3968 wrote to memory of 4340	3968	Nepgjaeg.exe	96
PID 3968 wrote to memory of 4340	3968	Nepgjaeg.exe	96
PID 4340 wrote to memory of 2196	4340	Npfkgjdn.exe	97
PID 4340 wrote to memory of 2196	4340	Npfkgjdn.exe	97
PID 4340 wrote to memory of 2196	4340	Npfkgjdn.exe	97
PID 2196 wrote to memory of 4424	2196	Nebdoa32.exe	98
PID 2196 wrote to memory of 4424	2196	Nebdoa32.exe	98
PID 2196 wrote to memory of 4424	2196	Nebdoa32.exe	98
PID 4424 wrote to memory of 4804	4424	Nlmllkja.exe	99
PID 4424 wrote to memory of 4804	4424	Nlmllkja.exe	99
PID 4424 wrote to memory of 4804	4424	Nlmllkja.exe	99
PID 4804 wrote to memory of 2820	4804	Ncfdie32.exe	100
PID 4804 wrote to memory of 2820	4804	Ncfdie32.exe	100
PID 4804 wrote to memory of 2820	4804	Ncfdie32.exe	100
PID 2820 wrote to memory of 3464	2820	Njqmepik.exe	101
PID 2820 wrote to memory of 3464	2820	Njqmepik.exe	101
PID 2820 wrote to memory of 3464	2820	Njqmepik.exe	101
PID 3464 wrote to memory of 1648	3464	Ngdmod32.exe	102
PID 3464 wrote to memory of 1648	3464	Ngdmod32.exe	102
PID 3464 wrote to memory of 1648	3464	Ngdmod32.exe	102
PID 1648 wrote to memory of 3832	1648	Nlaegk32.exe	103
PID 1648 wrote to memory of 3832	1648	Nlaegk32.exe	103
PID 1648 wrote to memory of 3832	1648	Nlaegk32.exe	103
PID 3832 wrote to memory of 1488	3832	Nggjdc32.exe	104

C:\Users\Admin\AppData\Local\Temp\b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe
"C:\Users\Admin\AppData\Local\Temp\b026ac172caeb065595bbd5d697f9d017c36a22e6de17819870c99dd8d3bfe4d.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\Mibpda32.exe
  C:\Windows\system32\Mibpda32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\SysWOW64\Mlampmdo.exe
    C:\Windows\system32\Mlampmdo.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\Mdhdajea.exe
      C:\Windows\system32\Mdhdajea.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Mlefklpj.exe
        
        C:\Windows\system32\Mlefklpj.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Menjdbgj.exe
        
        C:\Windows\system32\Menjdbgj.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ncbknfed.exe
        
        C:\Windows\system32\Ncbknfed.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        29⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        34⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4788
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        71⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        72⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        73⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        81⤵
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3252
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2740
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4156
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        90⤵
        
        PID:532
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        95⤵
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:740
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4728
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 416
        105⤵
        Program crash
        
        PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 904 -ip 904
1⤵
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
d784bdb03c74ac451a5f253534f2ca68

SHA1
f655894ec75b5916aa02f45d3c5fe7aa1d0e2718

SHA256
cf25f7b0df89b492a9e362974066d2c2ad97ab5de6b8b5dfa281ef1e88ea5a87

SHA512
13bcf8110142bdaf2233bef1a70d0f051e8ad71cbc5dd088c31cc190f736cc0ae97d67642d90b6a635266f3e6357a9ff920db2a2f508ed4031f6f289f33f6672

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
785c1ab0f856a98a65f7db2a19bcd011

SHA1
85d3ee40cd70f2602dda657141cc5a4f27ca7b24

SHA256
c912132e0bbd211d7bcc53c2304a527c41c44bb1c1e4205355ec3961a553a156

SHA512
2fb41dc42181ea77191efd2e59748dcb3e6df35d36d4e7bee7fbe27dee164f11fd724ca8de38971f7d45e5ebed7c037e1710534a5340ec535055747d129a2b9f

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
47156d4158f22792436238eeee181240

SHA1
9042fe6cb86e20a2be321e8a4c19a9260bba9757

SHA256
b73941ea061c5bc56400a91c3f88f6a23e73caa7111fcfb3462efb56fd65714b

SHA512
c307fb8839563817efba0a11d196b9158e27fd295d6f0ae37aef1a4b5e72694cd32d929256cb28c752ca682815decb49a721e231af542fa1e10cee01f47cf10f

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
568254c50b9fb852460ee22a65f3e08c

SHA1
c3eb2a05f4a21f948d99bc24453220cf9ab1276a

SHA256
9da8b7840ae8c0a65e27db9467897bf26d5a26f534311909163c3d5d1fe3598d

SHA512
4a94f230f89493fe10fc650da60776fbbc88bf42df4587d6fde283f74ef4479f16c3519e8cd86ab0d116aa6ce445268549f8c4cc6be27457dcd8a2f99abe905a

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
96KB

MD5
2a2a8a62a614a629b47e0c3d6899c000

SHA1
c14189c053ff4ce5e0f15f9c8eb9acaa2cba7294

SHA256
4995bebd5be724f62e02b9ba8a84dce38ab2969dbff3c96e9c4d52fbf4d10da1

SHA512
84412a124aea045dd096591d1e7e91e4a80246f514abd213e41e53241dab6844c5ff262a46d0a2aacaef2e47d20f747e1e96e470deeda64125da85966be4ff66

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
96KB

MD5
1866b2b32ffd3480087a163d4f83f94b

SHA1
6cf47e9700c7c4dbcb1347cf658a1faeda827376

SHA256
7c1b5ea68cbaaf1e3683de612c109281d1affce2f3c29154854e5e07269acd35

SHA512
314e9bf65a78855faaf79a9a808686ade9eb828814b0c47d24b1a07e868f8675cc7e10d4df1a2db2c194e2b3b2c3aa6a6e288e580027198dcdf4f29144d34b94

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
4f1f8a4085cceeeef8e688c7fce82fd4

SHA1
b1f45aacd8f1e8b5855ba479f1c666f3dfd977ea

SHA256
9ec5fc60e7aaa9d368a648f4f80a49a4dab5c8abf47247ac300eba3429735922

SHA512
b71227c74824b451180e1a6309a3ecc5a677b99135e3a87873ff1cfffcde009f6127efaed3299b13a0da30c63f55afec886918c7928f8ace6626263663342534

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
96KB

MD5
ec7b1570e9d6d42705929700cf131c01

SHA1
88765e47de5b0576a35c20b83745d6796265d975

SHA256
bc36ea4f1e7f0bb0448ad7cc0390d600b51230859d611975c05d91480b2a04fb

SHA512
f6cef19865afb3dd18d99ee3f067a54d95aeed986c5c920446a7bac535a4cb5e13601f0ebfe33e46e913cf92919264c6d8275cd652d3c22607164a34d4f8b485

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
d609dc448590506b8c5c3f3f31803efc

SHA1
b2e0369b74dccc2c6580167e15bc700a10950991

SHA256
8152613ccf5e9cfc6394fddd2c7bf8b7ec9a880274ca0336a455ce86242e6bb8

SHA512
88f1f5d71c4db7f3f0fcf255385f85a8305e85789d8a0a6338ff1b88fe61b19455cb0b1b27cb71a14af23c4afe7f5c8a7337657f0d15925414c51dba2ad45ce4

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
96KB

MD5
df807128762cb2e7838986c6d2ec0cac

SHA1
bc4557a7bb5612cd6fad35b7e64074b53b0ccac8

SHA256
1a3a03977383b8dd78dd660994ed1b5f3ca805735af506cac8b44f5a3060733d

SHA512
5b5217b8117297646d6d25a35768f525d84cf8e52891d47a9558e8a6ab1e37d359d06dc177f0b0bb841840399e53e2e92221cb56adeb8b1c430e43b60a8ae408

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
96KB

MD5
c0159b4f91fbebc309fbcbb2b5a2bae8

SHA1
40b0830fc9e39d9f348622a00544981da3e0c69e

SHA256
d4171987ed78e5c99604c008be0e13a458fd9f82c1203bd7f20e3c0bb94fd67c

SHA512
a7a57051a344664ac0651639a4d5cfd72d21a102453b0dd31d214743a4284eb111f3d9ad10f49942620f09b340732f8b836dd36a9e7c77ecf4e812c5d5bfa2b0

Download Submit
C:\Windows\SysWOW64\Jfenmm32.dll

Filesize
7KB

MD5
cb71c4a9f1d34ca3e8e274f66443d4a1

SHA1
0a4fda8c8372b3f38c966d5701877dec70350fef

SHA256
1272e5165f2205e58de5598e0414ff92876ab0ed6d1295c2e36ce23128e74b8f

SHA512
3760954f365ecb8815e16eb8ac14749eee518afc9c3d83ef9e06e8c638aaf5c169887629d4c50e6811ea468a37f54b13e0ac741f62cb648107df2edb66b32bd8

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
96KB

MD5
05cd4b8c62abb65bedb6f9409678af37

SHA1
bb70893ba9af189d394100fd6165516aa0a1591e

SHA256
fecea1471b9e2fd2ad3a50062ec71c6b56327d6d8d38342c06a66fde079a9caf

SHA512
42cb922785f3174ca7dcbc7a6b375f65dab3b70ed1505f8050d64b2be6194fe4263902d1cde769ef916ad80c4cf239fdc3d902d8d927d2d9217ed9a0a3d97f53

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
96KB

MD5
839276d2ac77223ae503774873314917

SHA1
114d7535f32326e353c277217d8f6eb8c4d8748e

SHA256
9e35da8caa0709ca6a1cfa0a121bd3ec6ff013e2d25799eba7e31dbf5f1d37b6

SHA512
ecf8953b28a9db4b6f3e6623e404146abc9d68b4eb70a4f01a3a5daa95ae72fa11388259455d8771c4745248c65527121a04e9263614c17051fb67b7a901ad85

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
96KB

MD5
9ae23f37ba514ecb8587dc930fc3f241

SHA1
d8ece07dfeac7b2b189665cf33ccb9f0c5b62828

SHA256
5b1c2d0c5a7b29c9dc350939443853306e0471a4c6de62cf15dcbd8384980dd6

SHA512
141290a4a019f7108290483fadd42433ae1ef473eddd4260cf4be160292ae376f548399499bb725a212d552219fd17ccbb8597fcc9b8b460594775f932e1bb78

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
96KB

MD5
6fa10d36c887f55d0c7d994e4e0b1b7c

SHA1
1e8c230b87d1c2ec6be5ecbe8103401f47668a35

SHA256
2f4f684b950e70f25b933032448b8799ccdab2f6e9d8f8241e290d3053946b70

SHA512
ef27ac4aa0462c8b5d57e8afe46d0a41840d76a783d422f4a89ce88f92ca8a8ae28f65fd1933fd36158d19bb695da5bd4f377f6678cafafbe17bcccf09a292cc

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
96KB

MD5
ccc4fd856b966a5aab69d46f02e7fa97

SHA1
c5972bcabc5e39073d41b9287f3ef6580198988a

SHA256
6b4ed0a90552dcb35df7d9b624b88d19bd49105a8ee8c711eb7c8a2a390b24e5

SHA512
29818c81c86c81da0707ac67273ebda7c005f05ba74628399c40db52d6b6c34e529b49777f285a4b8f317222efd88af7bb062f15fbb06a8a02f3baa2648d37b7

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
96KB

MD5
1ca66c128bdb4fffaab249d132c8e5e1

SHA1
c77b9de427d2b57ec14cf9e606c3a3c2cea30edb

SHA256
16b6372232fc203211d8d76d1421e471358f62c1a9f95e6bc8fbb481c0c176dc

SHA512
49b8df6621fbdbe6c325c735dd2591dd7c09a758b07ab7ef22cf6d5cf7c1704862e2275eba267856f14814f61f6bf65a51b937497b6958ff7486c3b6b7e3c9ae

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
96KB

MD5
2e12ddac98954477e3628bbd98296c2e

SHA1
5c7ccd4679f2ca6cf2df3ae636ca127c87ab84ea

SHA256
8b8b3ff7d4f41c05277f4186ecfec205c8428b7e30b869916cc0cf27cabed8de

SHA512
37a90b88578b7163faa88d3262876047c5f6af2ec7138eead8f37e46eb2b88fdfb3cd0078d836af70a22409bd6025ced215762ec142b23291781d266a27234ce

Download Submit
C:\Windows\SysWOW64\Mlefklpj.exe

Filesize
96KB

MD5
2c40bba1bdf83a2a9dad563660cbe5df

SHA1
0440ae9ed48230e0ae0e173f8b9e8be1718730fd

SHA256
04cfcc1404861a465faf6891a8665bf03a91b6da74c3dcd6936fbddb0c1c1ca1

SHA512
fa17ecdba37f412393a06bc6c4ed487255b17c512934bbc4fa5af6f1172cc0faf8d57007e99f1b014b9ab3d35162e1bf0ee0e456deac8f7fbc28e2ee3598507b

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
9482012c763ef6682624cee38b1c023d

SHA1
c0dc182dde7e7139a69a524d9a4d7c8a2f45f5d4

SHA256
17b8201316fab68a62be6509d95be5f4a37dc670c368fc74dece726e843325bf

SHA512
f3e800178f38039510fa3f281642dc58e4a62e75017959f1c764638ee9173c002468324876b0684dcfd9a0e3b15ebbb5c28004f4c363232ab494ee560d5e551f

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
96KB

MD5
807932ecf953d16f887b670128baca2d

SHA1
8412c908c59e444fd407e49fac8bd678c36fdd75

SHA256
efcde335616cb791d700dd2cdfd936afaa10b2930de20c03abacae40aece6093

SHA512
77d438ae9ac97cc89a8ffe2a1cd1ba2a5357d4cae207c8b0822a10d23a9da620aa2c718453be8af608d6b839207c16625c3c774bcec125926511cc5189137834

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
96KB

MD5
1cb9ccc808e03728fd0a3ea05086e2a6

SHA1
7ff962f8506400636da85b1869b693a6416ec1a5

SHA256
fd20a89b2df0f9de7672b91e959b8ab664f5043002f50d7145ac3cf114935f19

SHA512
908150f92c671a2ada6ae55df3857c69258eda300d3beab3d64b6c04c5be9a68faa8d22ec5dc37a320f59d5390cfb3403a6edcaa4c778cb178f25ead5af0ea2d

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
470751c7ee3c90f28abb40833e79c7e6

SHA1
073f41cd60ef5924e0d38216d71c6934934f82be

SHA256
28117ead8f6d3e1a6e108d70a4cc3b70e55a6ed0339e98e8c6f811bb766a0810

SHA512
bec804093f6671b116b1a92e050325312c9f8905a3907a87dfbb7d580cacd75d4853dab3daa4cadf8dce3cd2e98923e36f0d3ffe6677527feea724ad37939b3c

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
4e49bcb9d6da5123b8d6a361ba647c77

SHA1
f956ec142ad8a435f4b7d4a268f2522f089ef4d8

SHA256
2eb60c51c537086b1f11d72f64625b2807dab5579583d234005124b46f4ba53b

SHA512
32c0b699e18f6cb9675fa0d36b85d3566534440a50fe1c3012222b4b9acdc5dd4a5afecc7a893cee1b1c3beb2f728782814f46cc6cd317b4f56f2ab675f9c12b

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
96KB

MD5
46f5721cbc9ade9daad9bdaa93c35586

SHA1
1b9a543e6797c048e0b83be4ab63fb272c39e48e

SHA256
e37bcfd3f929d589f3ca305453b39a89dd04cf913b8ffd81b42269caaaa2791a

SHA512
e1e4e1ba62f8c410ec6a84b5c51dd9f091efa10266d2e4e50b47ade518586a0a4c066e62ce5e75170fb2bf85cc9557e86ea1fd081e1de4790cb98c6cc1fa86de

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
96KB

MD5
117bd8ca6eda0f7aacd1b41958a24482

SHA1
51595acad62f0b70600268d0691a8d2bc913a9b1

SHA256
65b8c4931b9a33a09afcf32fd30c335954fb9a95f4ef2b36a3f5230806b84131

SHA512
3dfc98f9f8003bf1dedea03a6973355f05adab16a04413e2c7b0561cc6fcc96c37698b5ce3ab1482225fd4cb68c34af4990b252359738c5e67572fe38df1bfe7

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
96KB

MD5
93d6a35af7da63ccaf57f6caeb0edfa5

SHA1
5a3bd6a3d2e3cfee8493d5519425d9116b81475a

SHA256
3aa621607668af44cbf58f3b3bd818b5e575b69834ac364d3cbaf12609431d62

SHA512
ef281108f92b945bc1b99a5aae18514d04854ce289dcd2c8119d7fb03c0cbda18ec2d043a802e5cf38a26ef531eb7b6037ede76fddbc0487e934dd337f3bfc80

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
96KB

MD5
05a8dc114dbe2fe8346bc4c77bf919b5

SHA1
6fd959737e7178f7e948dd2a419477310ce5405b

SHA256
3d2c88d18748ab94076c467b9e5f3b589024aa10b54ff597bea57d4d31671206

SHA512
02aa5ec9502e86a560c68877f202ef28d09fb53a194cfb7d5a9efbcc2b84e8ef916741ae5171c400a798247ca212168669bcd8590c8e8c0bb29650d745db454c

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
96KB

MD5
f6b0f59885f5c890ade3f0a4e201c27c

SHA1
e3464920a1191eb5abcca927e93c1abcfb4ceb8d

SHA256
a177b1f4e9c007c0d65ba5add957f5302ba8fcfe49f6c098de9559bf406a7a47

SHA512
aef5a06025d0dd0a7dcb2494a0e5a000f7ff32bb4c2df9f7a6c94b1ae23e0255d985eb02aa1adb00efddf5d158c834e21b35ab71710fc70c92d27140361c12ed

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
96KB

MD5
b83fe2889be1c2d2efd9b4d913f0ebbb

SHA1
44e5dec4d7d2a390c35d77c0ad65b43f57775a8f

SHA256
1f77b290faf3c587a0e8c1e3f30a9de42cb60560d5555611d5e2d276a3bc04cf

SHA512
c5c5a3826a2b8c1cd27993f00a112758291609978f3bc637079f8b5c4f812ed07ffe2baa697299b08c53d135fdc3594e178935819cd3f48463b45162bc037272

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
96KB

MD5
550c2c6507c9263a839056bd98a4a2af

SHA1
8742e2ce87f3372b33de80370389a7b265116777

SHA256
ccae356be56b96b6db8be6bb5cb7a588ff2b451ebc931a7bd8e66b1c77feb3b0

SHA512
6897eaedb90afe047aed0bd9494f7fc311d8b28faa98cb0b8af602f3e4c27dade433812402097a520c947a9723cf8886a8cd33ad739876c5841afe497ef79dce

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
96KB

MD5
1791adb87f2ee5b07d708071515124ba

SHA1
0b5121f4848e9ec7aa202ed65839366f4576b022

SHA256
8f8e5b24c195c42d6f1519b7fe1e7d7b971e8133b5643ce47eda4952e78fb88e

SHA512
7feebf3b2f499d85b474c171c2569abc1efbc2b11143bd41b84fdbbb939a8c605f03f65a160647db43a1e205afefaa97b59fd38f2a7cea1f35f0f561eb9a5715

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
656783094a96fee0c780d78e92e37254

SHA1
894fb25c06793650a2136215d0cbaa1101648a7a

SHA256
a1716849e6a04ca0f1a7babbf3e6a71530d5c5d048ce07104cc568ccce69e81d

SHA512
5c77fc0f5d401a60bec17151836696599bc8dd2ee656bb8fad1b7fffc499799dab490a033988cc7b738fdd1e6f73dcab655f3528b4739f11058d4e96a06357b4

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
4074c6b5329808d6cccb07879b565219

SHA1
5dc55f05e80904816c4c184df0b90e0a3277078a

SHA256
57e5ddf344ace00a55f320cc9e8e15fb4665154b5cfd82813a436cc0a5340b0e

SHA512
eaee08df4bddef35f0ce9599d8fa48f45413e1913c50242f2fff3915c3a66792a1ad37173e0e7f2fe4951739efb6550f0fb2d50137238e13f47e4247a03c0936

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
96KB

MD5
cbc07b6681c33162d6a5a34bf01d21c9

SHA1
21ec40c69d714297970c37573eb7a6699e7ba304

SHA256
1020a4039653eecc2ac05855a1186737f579bb41fdd85dfaff729c253e35afdd

SHA512
54ecae77ec272a261fe592fdc380255c4ad405116e80f3a711b0fa4a294ee236d27d9db617492203dee723498ba8eec27d04df52e339e35b9c896899fe4652a3

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
1474ed2f40f7f84b3440227648d33664

SHA1
972280621cd1a7c389937c9556c4570b06c793c0

SHA256
d021f387badeff8cb83eb11e371cef6d6d06112132bf1d8810ae361bbe205e16

SHA512
bb5711a470eea95d410ae57345f6fa5d6a82ad133faad0c7d408f001f9359195606d98a7570ee40730adf350fbbd136d7a526cb8f5a11f59e411a9f9689ef07d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
82e5ae3ab5cf6c267bc8bdda06ae8f5f

SHA1
5b891c0aa05b250f38ceb4138142649f4acc27fb

SHA256
d6de772dea88394c26fd9627f1721d60a397149c07e1c791d1e639e7764a4906

SHA512
908f691798bc0fdbdcda019275a8fe500c536ea33e4406ff500d3672559ece40125095cdffa4089169df897c326ad4f180d2b702fb75f43ebcec42189765d723

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
f7eacac30882753c34d51253307b51b7

SHA1
5ab04de6059a302cd4f3cccfb388bb3390471244

SHA256
caded22eda89fdc4debaa892220ba1438161386e2a4e6f15a62f351abc619c12

SHA512
d661d811d9d68cc4504b136a7de677e1eba3618333f7e9d7801d8d415c4e4b478938014347a2d177f98f14c4de57e2613d106a94cffaa953249a77ec7596e70c

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
96KB

MD5
f0f64e2dfd8a9eee8279772c785a7d70

SHA1
f58182e86117880377eada92c47bd83da7c230c9

SHA256
06d3d5bc52cb3c86266516cedaab7c285cc076c5fe0c2eafedf400e0fa73c188

SHA512
7a4c5f7362278c8ecd7f0be78562b41f0b438b5b5fc352a678c43cf5732e249bab394e404a9f2aa9f39adce8a6775218f5f7e693b11337e7bf93c1861fa8f70d

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
9f5393a67a20f823b5d6469b3c1237e6

SHA1
ab07e4de715a39ab85d14b8c10445e444091daad

SHA256
6f876e24b3a5cb6c7ed0cf072544aa21daed21db49a776f07e7f79f834266620

SHA512
1bb762a610f9acbd0890d64bcaf539bde24a1b479e9356630193552a0dc349ca1505f01bee2d567432d7e312b599b47fc5b1b648db3d127881676e23dd48d610

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
16edabb003cd910ea3d3f26d8353590d

SHA1
b9c198239afde89a1200312302ad23f1c1b7a3c8

SHA256
b8a4317987f69db7c7af381b55bf885e192854ad25d3f3d72917191f8ae32e82

SHA512
333fa97695754b702fdac0aa94b26b9809c3000b47395bd1f3011bdd4d32ff92edf2539dd35e3f5907ef5b93f32dbe1450717c131f90a9f3b66131eec63329fb

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
96KB

MD5
1012d984f68d9ab0a2ca4305b46640f8

SHA1
e10375bc417248ff9c78fc073b906fb55498c022

SHA256
5d28690d27981acf4930d8314bb0c6b1a387e3ec88c55dd906f84aab86e23893

SHA512
b7e6a98518785f1df31e5a2bd3d2b81b272897488d58d1c7d7b1eb63306f2736dc8599d8bacc21bebb356a499f940c7843c14ab99c5bf91af32acd80c7daf50d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
34460d3168be160cdef83ade2ab2df80

SHA1
ee1a354392f14a2ec76c68a581a5ba864b4cbce0

SHA256
4f27c5ca95286fdb619b476ef242649979dded708d291e7a952a703a49be1b10

SHA512
f6da14665d4aee83a50275a5a1499311c59626a263458d0dedbc1d613f1fd34c6760e2e07d9d55ec8edf45cb9afe3babb9bb6cec86a739764d6ff501347a1bec

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
eea892ffbd4c96907d2fa373c295e84e

SHA1
2c381b28254f6e4c521acafd0941e4e62456d652

SHA256
f23ed11b698d578357a552f23d577bbfba31cc9e049824e668c4a3dd4e0361be

SHA512
625943b0df3998df574d580630f889ab0b0de12b714661d1e85523129fed955c3474bb4652da7e0ae7d19c85f5238b254e1624d7011cc14667bce4f0ff7017f0

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
75a6b3c84a6736c29bfb72b4521004c0

SHA1
926ccf04b53e1091994bdb0772ba46d72f8668ff

SHA256
812859b2dd92612e22fb41c1c190626d0eeb776f642e24365e5863aa8c0f5f3e

SHA512
428f62ca5471be46d9caed1b91a36755453f8623501051a254e60cc68b5ee80d4714cab21366fe6516cc827ef91e10648c89c66d5b57f63c0d72807731b0f46a

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
ebd1047cb2f00ce8000bbe00bf82bfc5

SHA1
794ef5b131df4456d066f721edeb8cfff3bc600d

SHA256
c0d147603d567290735c974b08d0e548f2a6d695f6e0445fc07b8abbd2013a16

SHA512
d03c4cdd537f49398154f1645c5a6b73e5f0dcf07af336d5e63ec4b060a4fe9b9ffd8b7ec3e8f5bef203723da86d92e3dff7765a35246c2ddad0d1fcb313a170

Download Submit
memory/220-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/232-527-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/708-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/736-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/748-581-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/748-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-574-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1168-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1260-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1444-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-560-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1764-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1868-533-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1876-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2024-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2136-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2196-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2256-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2368-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2416-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2624-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-588-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2640-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2736-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-582-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2768-554-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3076-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3252-547-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3464-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3524-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3752-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3832-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3848-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3940-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3948-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3968-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-567-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-589-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4172-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4216-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4252-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4260-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-568-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4388-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4496-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4592-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-561-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4796-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4888-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-575-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4996-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads