berbew | e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe
Size

92KB
MD5

70c8214737c46f9b3aff25b952caae53
SHA1

ed4c86fc501005eccf8ccb065df4f10b4a44d29e
SHA256

e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb
SHA512

20e45f2b1b36a04e78d99bd24b8a4d2e9236b1100aea96861082478c660cebd94de8632a7d4e89d40891ecdd641fd0c16679de95adfc736874de2ccefa4a96eb
SSDEEP

1536:laPUwlLGvUx95LbBHiGrVSBhtGvyUeXChqWlxvwUJQZ91eQLnnUNN3imnunGP+2:lFpvU75nBwhayUcChq4IfZ9kLNVbe4+2

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdehlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nepgjaeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlampmdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgimcebb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngdmod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmnlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpoefk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmnlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nloiakho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mplhql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Miemjaci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3960	Mdehlk32.exe
2816	Mibpda32.exe
3600	Mlampmdo.exe
4892	Mplhql32.exe
4568	Miemjaci.exe
4832	Mpoefk32.exe
4448	Mgimcebb.exe
1892	Mmbfpp32.exe
3136	Mdmnlj32.exe
1280	Mgkjhe32.exe
364	Mnebeogl.exe
4016	Ndokbi32.exe
4348	Nepgjaeg.exe
3432	Ncdgcf32.exe
3676	Nnjlpo32.exe
1600	Ncfdie32.exe
4872	Njqmepik.exe
2568	Nloiakho.exe
2524	Ngdmod32.exe
2428	Nfgmjqop.exe
1872	Nckndeni.exe
1012	Njefqo32.exe
4124	Oponmilc.exe
1212	Ogifjcdp.exe
3664	Oncofm32.exe
2852	Odmgcgbi.exe
4940	Ogkcpbam.exe
380	Ojjolnaq.exe
4008	Opdghh32.exe
1632	Ognpebpj.exe
4504	Olkhmi32.exe
3088	Ocdqjceo.exe
4360	Ogpmjb32.exe
3976	Ofcmfodb.exe
3456	Olmeci32.exe
4500	Ofeilobp.exe
2004	Pnlaml32.exe
3836	Pdfjifjo.exe
2640	Pnonbk32.exe
1132	Pclgkb32.exe
3864	Pmdkch32.exe
3108	Pdkcde32.exe
4508	Pgioqq32.exe
4280	Pmfhig32.exe
4824	Pgllfp32.exe
2344	Pmidog32.exe
3636	Pcbmka32.exe
4292	Qdbiedpa.exe
436	Qgqeappe.exe
2448	Qnjnnj32.exe
4792	Qcgffqei.exe
3236	Anmjcieo.exe
444	Acjclpcf.exe
3612	Ajckij32.exe
736	Aqncedbp.exe
1776	Aclpap32.exe
1216	Afjlnk32.exe
4248	Aqppkd32.exe
5000	Aeklkchg.exe
4432	Afmhck32.exe
4924	Amgapeea.exe
4524	Aeniabfd.exe
1108	Aglemn32.exe
3752	Ajkaii32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cihmlb32.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Miemjaci.exe	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mgimcebb.exe	Mpoefk32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmnlj32.exe	Mmbfpp32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Fpkknm32.dll	Nloiakho.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Lffnijnj.dll	Mdmnlj32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Mplhql32.exe	Mlampmdo.exe
File created	C:\Windows\SysWOW64\Jholncde.dll	Mplhql32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Nloiakho.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5452	5320	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mplhql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpoefk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdmod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nloiakho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgimcebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmnlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdehlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mibpda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blleba32.dll"	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mplhql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neimdg32.dll"	Mdehlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nloiakho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mibpda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmbfpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3960	4468	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe	83
PID 4468 wrote to memory of 3960	4468	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe	83
PID 4468 wrote to memory of 3960	4468	e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe	83
PID 3960 wrote to memory of 2816	3960	Mdehlk32.exe	84
PID 3960 wrote to memory of 2816	3960	Mdehlk32.exe	84
PID 3960 wrote to memory of 2816	3960	Mdehlk32.exe	84
PID 2816 wrote to memory of 3600	2816	Mibpda32.exe	85
PID 2816 wrote to memory of 3600	2816	Mibpda32.exe	85
PID 2816 wrote to memory of 3600	2816	Mibpda32.exe	85
PID 3600 wrote to memory of 4892	3600	Mlampmdo.exe	86
PID 3600 wrote to memory of 4892	3600	Mlampmdo.exe	86
PID 3600 wrote to memory of 4892	3600	Mlampmdo.exe	86
PID 4892 wrote to memory of 4568	4892	Mplhql32.exe	87
PID 4892 wrote to memory of 4568	4892	Mplhql32.exe	87
PID 4892 wrote to memory of 4568	4892	Mplhql32.exe	87
PID 4568 wrote to memory of 4832	4568	Miemjaci.exe	88
PID 4568 wrote to memory of 4832	4568	Miemjaci.exe	88
PID 4568 wrote to memory of 4832	4568	Miemjaci.exe	88
PID 4832 wrote to memory of 4448	4832	Mpoefk32.exe	89
PID 4832 wrote to memory of 4448	4832	Mpoefk32.exe	89
PID 4832 wrote to memory of 4448	4832	Mpoefk32.exe	89
PID 4448 wrote to memory of 1892	4448	Mgimcebb.exe	90
PID 4448 wrote to memory of 1892	4448	Mgimcebb.exe	90
PID 4448 wrote to memory of 1892	4448	Mgimcebb.exe	90
PID 1892 wrote to memory of 3136	1892	Mmbfpp32.exe	91
PID 1892 wrote to memory of 3136	1892	Mmbfpp32.exe	91
PID 1892 wrote to memory of 3136	1892	Mmbfpp32.exe	91
PID 3136 wrote to memory of 1280	3136	Mdmnlj32.exe	92
PID 3136 wrote to memory of 1280	3136	Mdmnlj32.exe	92
PID 3136 wrote to memory of 1280	3136	Mdmnlj32.exe	92
PID 1280 wrote to memory of 364	1280	Mgkjhe32.exe	93
PID 1280 wrote to memory of 364	1280	Mgkjhe32.exe	93
PID 1280 wrote to memory of 364	1280	Mgkjhe32.exe	93
PID 364 wrote to memory of 4016	364	Mnebeogl.exe	94
PID 364 wrote to memory of 4016	364	Mnebeogl.exe	94
PID 364 wrote to memory of 4016	364	Mnebeogl.exe	94
PID 4016 wrote to memory of 4348	4016	Ndokbi32.exe	95
PID 4016 wrote to memory of 4348	4016	Ndokbi32.exe	95
PID 4016 wrote to memory of 4348	4016	Ndokbi32.exe	95
PID 4348 wrote to memory of 3432	4348	Nepgjaeg.exe	96
PID 4348 wrote to memory of 3432	4348	Nepgjaeg.exe	96
PID 4348 wrote to memory of 3432	4348	Nepgjaeg.exe	96
PID 3432 wrote to memory of 3676	3432	Ncdgcf32.exe	97
PID 3432 wrote to memory of 3676	3432	Ncdgcf32.exe	97
PID 3432 wrote to memory of 3676	3432	Ncdgcf32.exe	97
PID 3676 wrote to memory of 1600	3676	Nnjlpo32.exe	98
PID 3676 wrote to memory of 1600	3676	Nnjlpo32.exe	98
PID 3676 wrote to memory of 1600	3676	Nnjlpo32.exe	98
PID 1600 wrote to memory of 4872	1600	Ncfdie32.exe	99
PID 1600 wrote to memory of 4872	1600	Ncfdie32.exe	99
PID 1600 wrote to memory of 4872	1600	Ncfdie32.exe	99
PID 4872 wrote to memory of 2568	4872	Njqmepik.exe	100
PID 4872 wrote to memory of 2568	4872	Njqmepik.exe	100
PID 4872 wrote to memory of 2568	4872	Njqmepik.exe	100
PID 2568 wrote to memory of 2524	2568	Nloiakho.exe	101
PID 2568 wrote to memory of 2524	2568	Nloiakho.exe	101
PID 2568 wrote to memory of 2524	2568	Nloiakho.exe	101
PID 2524 wrote to memory of 2428	2524	Ngdmod32.exe	102
PID 2524 wrote to memory of 2428	2524	Ngdmod32.exe	102
PID 2524 wrote to memory of 2428	2524	Ngdmod32.exe	102
PID 2428 wrote to memory of 1872	2428	Nfgmjqop.exe	103
PID 2428 wrote to memory of 1872	2428	Nfgmjqop.exe	103
PID 2428 wrote to memory of 1872	2428	Nfgmjqop.exe	103
PID 1872 wrote to memory of 1012	1872	Nckndeni.exe	104

C:\Users\Admin\AppData\Local\Temp\e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe
"C:\Users\Admin\AppData\Local\Temp\e5756dc46d662def86cc3d4e4abcbbef818341ae1317b1bc970f14799d39a2fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Mdehlk32.exe
  C:\Windows\system32\Mdehlk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\Mibpda32.exe
    C:\Windows\system32\Mibpda32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Mlampmdo.exe
      C:\Windows\system32\Mlampmdo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\Mplhql32.exe
        
        C:\Windows\system32\Mplhql32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\Miemjaci.exe
        
        C:\Windows\system32\Miemjaci.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Mpoefk32.exe
        
        C:\Windows\system32\Mpoefk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Mgimcebb.exe
        
        C:\Windows\system32\Mgimcebb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mmbfpp32.exe
        
        C:\Windows\system32\Mmbfpp32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Mdmnlj32.exe
        
        C:\Windows\system32\Mdmnlj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Mnebeogl.exe
        
        C:\Windows\system32\Mnebeogl.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Nloiakho.exe
        
        C:\Windows\system32\Nloiakho.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        35⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        37⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4508
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        53⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        68⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        76⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        78⤵
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        81⤵
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        92⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        94⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2624
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        101⤵
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        102⤵
        
        PID:388
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        108⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 420
        109⤵
        Program crash
        
        PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5320 -ip 5320
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
92KB

MD5
61669dd12969704b1e93ae5db777879c

SHA1
753bc11f5f32b7394b81b6d00f8dff44c58e1ab2

SHA256
b7128e1136cefcde4872d23c4940a6f8559f77a56dfaccfd0632ab02fd566bbf

SHA512
cf57f00e7c181f57bd278a73ff5bdf157ca90443fe5edbebfce2f23c6e6ea515f6c2a32bb7d96ae22b01356eb4e428e998467715dfc6aa6fd12d8f2215c1a4b4

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
92KB

MD5
ff17d7e52a194cedc14400a99ee2be27

SHA1
18d5d7f0b5f375b54a2262f01225f698e322ea78

SHA256
5ec64a4da7e63fc8c84b544468b29e8fcaf55f7391db17fa510dd75ff2b9e28a

SHA512
b1cda69008f83fcdf59b6bc6044833e98215f2ed080067dffe6ece1b149a34c9c939150920b2994fbc6a34ea89604897c50aded0af94412fc03bb2f744fd201d

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
92KB

MD5
de159b2bc5adce9a81a9df6668a453b0

SHA1
d8f9f86ae89d0f230b12f7aaff57c899babb9781

SHA256
0833b9fc0d02137f5807d5cb652f7d49fc97c0e63b2dc0a85217d3fee099de6c

SHA512
c73188eda8f07c4f281d91a587ef2ce121ae4dd9a3117fc32822012858b11ce4306328382e1ad54c4b49e1d43f057ef867161f3abcdf9a2d430463f14652a123

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
92KB

MD5
2a6f29fe4159862a5d2ddddb7613b387

SHA1
210de1db7147f81f7ee51fbd1b3652579e5929b6

SHA256
a41edd34446e1d7e90ad4689110047bbcf4df6c0b2f18be00ba0038fb57e686e

SHA512
b899d83d6d254490a14247e403b5e387d4d111e07ede523bf817fa3448124dfba2e42fee5c7afc49eea6c96018b1054dd3764428ca4ce825585852bd07b73086

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
92KB

MD5
231aec9f3c2b280d2162917d60d7f7df

SHA1
c3e38286ca7d7aea1dce7952faa484c26378226c

SHA256
d375f87501f59bb59afd6c534d2e4d5001fbbb9e1c4023207f3ec2d41c612abb

SHA512
a4adbee3b3b20f2ca955663431f0b9a81417b85059d6248e79decdea099ae6694150b3efb4a03fd9ec60e757315c39c915955ab394a9f1c36b335ae855d2a320

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
92KB

MD5
cb5122f6512b7d677756de209e550ee9

SHA1
6277c6d9284e99a4349f07ab47406a7d3cda3c6a

SHA256
b1dc75a6c5e88e515a36c7f97eb17e50f75f45fbc1613ff7903eaece2ea4369f

SHA512
648a268dbf406c884e2a4ac935846c570449ace06d748c5bc2257dae7ef8d65aa312cfeea0c9ca400c678f266531a1446229af350b3d72a234e33b69f2a4a7ed

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
92KB

MD5
8440706b3f86b86389c491e543158658

SHA1
b9b816fa4a2caa55c64258aa7451e8f34ed70395

SHA256
9d5e42d546af6c74c5196c3598f71aa3eac5091f7dd144ca189366b278227d51

SHA512
53300388e895717ae101f72e20a312e5af8c3c9b323614048e35051934b9b1e2b45020cf9a1d445dc8aeb44fb49e714b6bdf190b3cc774764a6140103c7ae473

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
92KB

MD5
1cd5d41752ca523424f50ab7bd760695

SHA1
ab4d561e6acd243d4bb28130ba39a17d99d797de

SHA256
977365e39963555448f916f9ebd1c993b02c9013ed7e975fcc808ec07b8603bd

SHA512
30e906ee472a7dc4054d5c6b93d5ea677e6114be20a2695d9db0a04bdf4bdb9829239ce058b8437c35e60a42779a879dc0e90cb2c931cd3ea4f6b3d5aa3c86c7

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
92KB

MD5
77c03eb3e9792bd7ce43bb916af34a4b

SHA1
c6d2c2a149ec9c5dd57b449c6d20d0c04628e032

SHA256
b674c7f5003fcec98d893e82f2a66e72ffbe89c708202bbc104bb62504e5a1d2

SHA512
0ba89c046694ac24948f8612faf4769846120f5bf5f4529ef49ac713f2cfdb697aa4c34d0e032d3f28609654059f32617a22b049e4dd865e7a07ae7fc22c4e2b

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
92KB

MD5
6b3f9962430cad3861ec8b17bc0e3bc6

SHA1
87865dad0b3f8df4498490a8065e7d686202a8b3

SHA256
276c8a3712fbc7fd07a1cbe286e7da17dbce6c93cfd0e5cc74dce98fec0cb553

SHA512
974dc950a4d6f4f9a965180838d00c5297af1596e8296742f244253b09d67d1ddab604a2f4608feb229b2f74ebe9422d22e77e0268c3166c1d18114566e4ab49

Download Submit
C:\Windows\SysWOW64\Jholncde.dll

Filesize
7KB

MD5
ed4692f2d1f8843c95d4cbad62698bfa

SHA1
aa3d6d3ca10b65a0abca0fe81184de81c0fc57dd

SHA256
1324b2e6bf646f62521105a9bb8022de8048e62e9541d3bff822277aedc3755c

SHA512
6c67639c706b4ab4924c8c69d971d09756d812eb1fe4ae7b2b78b537e2bffe114dc796476e3a5fc084360ae718264f06fcf947fb700f2bbc7cc8ed39941779f7

Download Submit
C:\Windows\SysWOW64\Mdehlk32.exe

Filesize
92KB

MD5
be1b1e5984a026c296da4fa2d77f0dd1

SHA1
9a6d813a9e56c3612966e93517be65ebf9636bbe

SHA256
334836970027db3c70c21f62329968216571fcdfefcee06cfae93c7e08cf7c46

SHA512
94f3de5372f555752c145c34014c93507dd3c1284c5bb5dfbe043c914c6e1188bf99dc942481199f15bde12ba28dad846f05a11a1b0806cb1629e61e49aa3cf2

Download Submit
C:\Windows\SysWOW64\Mdmnlj32.exe

Filesize
92KB

MD5
bd1d5f58a8a0eb972b6cbc13a6a48f16

SHA1
96a2ce8964a71e45db3483af0912efab404691db

SHA256
cf4832f434ca21052f428427f31f78a65468333e4628ef6d769f07bf45d57c07

SHA512
1560c4c70d38f9dbb2772d65dd0774ce7d38072ea0773eb6d88f68a3c870804cb0752eeb5bd9f4b751d04a242439eac0bed544458363d727a289b6009067cc43

Download Submit
C:\Windows\SysWOW64\Mgimcebb.exe

Filesize
92KB

MD5
24bd98845dbf1e198174b1acaa9b0b41

SHA1
028a038db53df11da02109b600756f22e6b0c40d

SHA256
54c2b0cdece3a600d5f58f02da3fb52fdaad588509f09eb16086c5a6bfd50255

SHA512
ee1d981b33edbc765a6d4698333e62c70ba3d7fde6bcbba5ab409f71042daee27592d9dc7b67273d71b9bdd3c704b2e3b02f6ef85d13c45aa8816d051262062d

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
92KB

MD5
89322404e795a9ef2d2d7f5200e27bb2

SHA1
b8dd0da2074354906dc5e0f16001091517e95e18

SHA256
edd7633820cf8fba82b840ad2efcd8b1a393edbdd2b130ab01c8dbc02126916e

SHA512
c3ac37af73028740368de41c20bff50d7ff3c5031a23b72884bd5c011431bea4a566bd53e90ac98137a1c2f0e3e92a3b871d93857cb09f13e18253acd423d547

Download Submit
C:\Windows\SysWOW64\Mibpda32.exe

Filesize
92KB

MD5
6586b7d568d24e04c2d09e5ae49b8ae6

SHA1
afb9760950327b98c55187ced3494e8d98553c0e

SHA256
13ab062a641cad9e392b094be34b03b7a313d902d2b2b76a7533035278be9916

SHA512
f9210ed8acfaabc4fa3e8adac160aa92a822e276085234e4213dd5afd211846e64a51976b55f4cc9cf3acfc4e55a12caa01f8d28a642e7978c83b66f11c644bf

Download Submit
C:\Windows\SysWOW64\Miemjaci.exe

Filesize
92KB

MD5
4db82f05bb2cb5bc5f8e668d0c1cab62

SHA1
ee09c4723e1adabfcce66944e16a1a8f04cfda9d

SHA256
953a9ca2a19b897341ec3307140d3ccda6b04f4010786b68812cd75a9a827e39

SHA512
72f1de81a39ccbf83820b313c068000c9f1c8e061604abbc0da05ada995eca2636d84e60bc66c39b0e5385a16e43d2e642f9d1287f7d5098cc0dda8909f9cf88

Download Submit
C:\Windows\SysWOW64\Mlampmdo.exe

Filesize
92KB

MD5
5e5dacbc092d90cdc32ef39c4de4e8f3

SHA1
59b327bc8fe48f8c810f8826808439010901f3f5

SHA256
b5323d4d668247b94a93ff8c60c2ebb4a62b8754a699de513fb291464f1322b1

SHA512
3ab3d83701fa4c97c52487a6963ff84420ba84c383e9874182ec68fddb035da8df911b6c7d0d5234500d4dbc5f10e757b2eb4fafb49633e95863ca614ec6a539

Download Submit
C:\Windows\SysWOW64\Mmbfpp32.exe

Filesize
92KB

MD5
371de5c2ed54db2f17c6ce908107b9fe

SHA1
49b701a50fcf100773faeb90e4e7f33195fb9dbe

SHA256
fdd4f0274f2337c0f7d98746b85018b7b3c43142ecf77c06d1a8435c9ba6e1fd

SHA512
6023a32b3c0c84a4e6c85ccff6501f737d4740a0cb1d3a2170358ce270c7fec46f6586a9fa1dcc4d0de916e0a9d4b50257443daec306c9e715af785f821a77c1

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
92KB

MD5
312195df0693d410fa8f29f9cf2b705e

SHA1
93cdb610185c12ec666f9bae9d471f936b1c8124

SHA256
70336081e1ec44921c223ac2c717bded6dc9b768bd3409574ae6b8d673f86a6d

SHA512
6b43a1d038543b8c44eb55a5e5e51d00f5b747568227cdc2532d08e3e79fe102f172a0364527d171a4824307be29682b0349abe5a30037616cef88ce3144c738

Download Submit
C:\Windows\SysWOW64\Mplhql32.exe

Filesize
92KB

MD5
e5b34a7968bc5838b75fe9db71410b63

SHA1
385990ec114962b04641a57e48117c2fa5ec8c86

SHA256
0fab3b222f5dcbffb3a9623070f75824fe3f5bef50e76f3e35a061897061e983

SHA512
4d78ba17698d4de0e72a7b921625fd8196a96d2c6e6a1492904caf5d3ec74b24dae9d9e4ad70a18f3f6a822960de87dec02cd785b7b6a4adf90e76d913fda8d2

Download Submit
C:\Windows\SysWOW64\Mpoefk32.exe

Filesize
92KB

MD5
f571f21f79054a1dbcf6dfa095894358

SHA1
c4b79bcae9e993677ab1a67d654600a68a374829

SHA256
3b69920ece75fb624563a6868e6f28a378bb081c345937b6266b89546acdcf50

SHA512
686ac79f805332b13487f2525bce73bf867bdde74e6393749eafc93cbb828f4193a74d822b50b8fc4f4d53ff46ca98e8a77e3a7150e8c3747e5b59dd2910aee8

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
92KB

MD5
137570e9eab9c8cc85fbb411d4ad4598

SHA1
5fdc220cc4a279d01ab051e500a49ab637571d54

SHA256
0de99ca3feb4a1cb8a5d5fab75d26348d3b07318c694eb693b37703300c7dd0b

SHA512
258d0fd193c064d6a4cc676de2be1d7ad0a0a2cc7c01fba40117e5cf9bf51219c2449cfa81a9510713172870a75b09ef69b5e32c4f7ddfd4849186621f6fe0fd

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
92KB

MD5
fa334c5b7153f4fea1a24b4246f55a6e

SHA1
caff9c415f84a8d09695e803fce6eba534468dba

SHA256
4e0b593150b186efe1c77a0da5e6c66edfb11d811510da96d17802ebf9978d76

SHA512
b70f1ca7ff7b75d519408b30772f4c46c309ee16ceda370f3333380a2d3bc22a02b0d27eaf4a6f23392f5d9492acee94ba05f15eab0bf6b0832a7fcda821f152

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
92KB

MD5
e8abe99cf8fddffb7622832074787bcc

SHA1
5dbd67507ea4efd40c3f269eff752cfd90902f48

SHA256
3f86bd913d95e088822dde659dee338ae7af37a6d7ed608b39f4af30611139d6

SHA512
97a43d2e19395351eb5c076f86b14428ba23cdaedbd161429204a0cada5cd5aff952c94e3ec724584bae061ee510e26d5bc61ad3758a47af134f0c05cdac6b82

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
92KB

MD5
b63a391375725886c8e97bdfaf7729cf

SHA1
e94bb1a0d40383ce685b99e2a383410ff2d2a0b7

SHA256
00479e88a613e1f9bb70ba9f7c3887689027d92a1903cabe74b282b4a6daf8a9

SHA512
819ea950f320faeea93978d639422dd28378fc3c367eb3e4d1daa9d86f33aa3c01203a089c7b4617ac923894bd371f5696fcb2522dd0939361e926d6137e93cf

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
92KB

MD5
5003b5b74388ac76d57e3ee960cd2eb5

SHA1
e19c2ec5d7525ad06b051b2f1da96a966bc3d3f7

SHA256
2d76fe4741cbe9126f9c9428c9e0302996b7ebdd157e86d0fa517bd96cfd704c

SHA512
a0fa0c139973cf889b195237358713f32d3f11b011449d740df410d1223b08616f6042caed6c461c221e5fb624f623c173b2667a090bbee9e4532ef3e2ccd613

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
92KB

MD5
e02a6dc189232972a1b0341efd2ffb99

SHA1
e9683e70b32c6a1985cece19fd26c31b6976c962

SHA256
cc05c81b7a446b491ef063f271ab1c266965bbd53235f4bbd3d85f250d11aa2a

SHA512
2361f3fe44ce645f4da1bfff02067a89d491a58ce5833f57e68aa3965abc0028a702b1daf2842fde2fdfa0b1c0fb68881d745108580ffe4b5fd59aa8cee1d815

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
92KB

MD5
6d9b738a7ac37fc2a2a8573e84348348

SHA1
9f75deba44690bc062f5abd934d637b7d96d38bc

SHA256
b38d28ed54f201b4191ca12369a26445aa37e0460213e452a6d44adb9bbfd076

SHA512
376f6e5afa7f79451f21d4fa4c4a4d9b661e5c6c971e6a98b62d132a3e7ec53b469bf69acb682a8919e5e1fc8cc99ed1ef6abd53d2fa354e42d14d9d3f28df7a

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
92KB

MD5
da180bc990bd962eef3106ea674dc892

SHA1
9cbd05bfeabc5e81ce83dd4669351ed35fe7eed0

SHA256
749674d454e5ff053d34980a3411e6393dd227004be9f03b3595c6d29b130dc8

SHA512
e0c28704af7e76c081ea5004b96d4b6aadb5e89d36c42f0f62b23fc25e5cf5ae49feb3eb517e9edc679cb12ef4f8f8f2ab50f8ede805bb6a9561a990fd7337cc

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
92KB

MD5
c36f507e88039ffba864594a622eb066

SHA1
3f5e0ac1c254963572665c04699d56e4d3e2b5e1

SHA256
3d2cea58d4cd5a6dcaede1ba50850a5725e53371c4bcd0b7c9ae44d5f4113539

SHA512
9e071ae4c59468df22e3af6124536538849d3a2d1cdcc39b0eed8d3efcd626de4ec15dab9fd578d16b22a3842b5211028a4667d0478f11efdb59345079761fd2

Download Submit
C:\Windows\SysWOW64\Nloiakho.exe

Filesize
92KB

MD5
410cc576b95b84d5923aaa173084ef50

SHA1
24f16351246f3fce70de1b12dae0461fbafddae9

SHA256
619f2975f849a71ced74b62e8a95254f3d4f5b3c4ee608035fe4f881add4cb20

SHA512
fa97d8e10c3ad8ed8672fe1a23ff53f96ffb29586699c9d3c0449a8c4d49d61b7e4381cf6c75f115ab7a8b8ffe9e4ae9943f59ee193911ab13b37f28de79770a

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
92KB

MD5
c32866125615fe08b1aab9baa5fbb9ff

SHA1
8ed642230a05aa6d782068bf9a379ef90f30143c

SHA256
9f7e14d7346a16997ba18ed7a9694f29d8bbfa5b80225e6a6afa710fcb290fb2

SHA512
96b0480a4fcb8133beb4c89bf7a11ff3e968e4f47b912da382e0e92fb4ded0d8e8a07a30eb54e74b0ade1d55518f31d5e2da8e6f47235ed3a2d2051db823d3fa

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
92KB

MD5
870f4138bdbcceff31fc12455b46c073

SHA1
a43b4fe0fe56f4ca9c57139f46b934d99125e2f1

SHA256
1cf442d7840d00be0fae7104ce57294db79e8035f8c3232e5e87a55f0b01f553

SHA512
f83d01d0fec5d495a8216fe56dd3aff8286f54a24fed0654c8da144e3b34605530289200efc9979abfcabc8c7843e8d87698c35690eab20334b02f19f84588db

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
92KB

MD5
10d383c613278c8f6d12106ea87a22c6

SHA1
cfac0e76481d82a701548d005adbdffda9c19b06

SHA256
64539ec6171042f575cb8c5c8c652cc3b1b536d84c5a6c492bfeea0555ffe555

SHA512
2eddc1fd2279cd7d70ca27a3e1d4b208a6940d90454fa0d4e3b0b334fa85ce374490c28b7045ec94e181faaa7df2f2a91a623a74b185af152b663967999bec89

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
92KB

MD5
b646e37c0fdb8dfdbe2d64bbcd3fd871

SHA1
f3c00bc931d7183a01de13df3371507a255a432e

SHA256
ad42f24d09c22596053b9bf67eacdc1386eece4d9d952d6674c7281dcead51c6

SHA512
71b137035c6797675331050229fc2d12baff26707f4b1563ba6d761199576952cc9d6f39dc3a6a2efd17e2e04f204b71675561e4bcf4f37164e77f6147f797c6

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
92KB

MD5
a181e787cf5cfbb692ad63495e9da10b

SHA1
df135f50d5b6cba9e72a8f53be8165ba35fcefd5

SHA256
fe7decd08a54dc7eef802bcc7d9140dd5b597c85beb39b9414b911e029ce85e1

SHA512
ea249daf661ff24001509281a661ed6af39d2009f37d45d891bd9113c3a1c85339c51f3bd6af25f98d286e6bd2591eb40b429833d07884c1423dba1e96bf1ce0

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
92KB

MD5
d3774787f3a51d084f0312731037b8ea

SHA1
69a59d8a7df8c74a20ed30869f19554ded42f917

SHA256
20935802737aaa580f58cb4471c555539ebd3d15b7d58d44108d3bb2bb2dd9f9

SHA512
bf0f290ece42abd8e496054b3eced61c3468b25d60cdc1835b28b53da535c336c01508bc6339fb1f085092bb5161a74295799e761f9e9f7ff5bdd29a1821ab77

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
92KB

MD5
11ca46c97b3594452d11670c6c1cdd64

SHA1
ba4b1a098d6834aab96c705af8f7cf99d90f92dc

SHA256
3ed5d161eda96eb02c73330ad0b51062f1947b353c49f58b2ad9c00fcf960998

SHA512
a0b3353cd386ac920d9cf33d4792d1ef948d6d9580adf5558aeda069991d26b64009b6470c5169f304a6e24462de608801b53d2b7bdb2014b1b5431b6cad5cc0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
92KB

MD5
c6d6ce320a778bbc2bb17d864d678259

SHA1
90c8d4913f8d277e0351cf2f8049cc6bae999253

SHA256
e070dbee6d0b12833d5a20a85ee13ecf0753ecedf3a95eccdcaed4de6a8cb315

SHA512
6dbf4b5ec63a15a27014b4398bf7cca7057af4e83771a62371b38824d308356181e635d5a9e062141027d50b2ed8c58b0c5b4c56480c795fcc6d3fa770b5be9c

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
92KB

MD5
ed7405728e884318cfae5573e8241b45

SHA1
07173f567b3adc2100965060d94dc504f51aec41

SHA256
88e6f72d82f8fcfeca6dc116c204fa3d66dd549a5e7f4faab86a923c1e50970c

SHA512
a69a903fc49183cc708903826a7f8efadeedd4abfc624a081e204a22ef95f26973c2545cdfbfee1c21eeb46ca3f08bc999033123294cc1b4325df5a5d536a465

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
92KB

MD5
89284978e23a219cacb8f8a24374768e

SHA1
b2c9b630c213097cbbb560074096236ed8466aa9

SHA256
25a70ace96b472600b96831354448d70dca63dc2c6d565904d927be62dffdc7c

SHA512
e574c02f078b58116304cc6173a90527bb42a78d36cb2af6c39b9dd8bcfd9287bd6b18181ec209cc1a2805479b5c7bad9837bea2bdd48932792e8d703e1bcd18

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
92KB

MD5
8e024e3cc07b9d8b9a91b1eca393d62f

SHA1
c08e32266800c1ce64d4ac664f2eb0a708e3c18a

SHA256
37bfe0eb8b87197a7e8ec0c1b6560bbdb20e26a624c8db81643cc98e5d6d797e

SHA512
0c72ff91edc5e8e1511cd1c8b870ad637e0ce88b6785285626bfbc9675878624846060f66ba6241d7a6004d091f5a0d28882e76d7cfe25173c694184d8a06de7

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
92KB

MD5
1ad0b4c1a7a70cb43c43e9b261ee1cde

SHA1
95521f952f4c51087619b31d1dce5b81ac78deee

SHA256
d31b991002232b2414d315549292dd635e74e418b2f7163735c47243786ce50d

SHA512
49f1f89efcce0720f645176f5ae704b724f5c20bb6a51df2059b6e02fec5de3d50c734a0ecd660b3d0a132ed3ae6b02932f7cf330ea01aea4c06f4d6ffffc535

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
92KB

MD5
f2dcb325a35e8df73b7e5f250a687ade

SHA1
d2b53af600fd02163d1d3e0420b9ca4f44d2e7dc

SHA256
56348819593e22d3c995c69abcd1a455ddd4990fddc3fff54ce82ecde0e36538

SHA512
58dd6cca16ea7bff64b7a96943a8601000db8259bcecc2c9a3640fa577712865363ef5cb63ef4ae10b9ec83f99bb4147cbb82cd1b23e535cc879d76848b2c151

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
92KB

MD5
43f35d95567429146942f20b282e6190

SHA1
274ecb4aa52a7ece62ef823893cae53fed4cbcac

SHA256
f3f09509a9fcebbee738955da9c6fccd29baff36330d0e8af29ef8f20f18c026

SHA512
9aa7c32d7ae0fb5801a7f944f9291bbd3efb3083c67853d8cc1fd3a34acf6b59fcc3768982dbfd4c2b94d48889a8d8d4dedcfbf00b5f3dead8de2a423355fe48

Download Submit
memory/232-532-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/364-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/380-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/436-358-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/444-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-394-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/812-577-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/992-478-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1108-442-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1132-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1212-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1216-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1280-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1488-484-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1632-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1748-566-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-400-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1904-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2004-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-591-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2024-580-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2164-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2344-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2428-159-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-364-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2524-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2568-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2640-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2768-564-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2816-558-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2852-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3108-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3136-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3232-594-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3356-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3416-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3432-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3448-530-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3456-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3600-565-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3612-388-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3636-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3664-199-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3676-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-448-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3836-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3864-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-551-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3976-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4000-466-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4008-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4016-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4124-183-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4128-508-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4248-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4280-328-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-352-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4360-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4424-552-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4428-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4448-593-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-544-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4468-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4504-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4524-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4568-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4568-579-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-514-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4704-545-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4728-496-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4792-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4824-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-586-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4872-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-572-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4924-430-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4940-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5000-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads