berbew | 6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Size

96KB
MD5

5898197ec67476f9d4228c66009fc385
SHA1

3119d911d5f2cb8bfef2c850940b741ebe14851a
SHA256

6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82
SHA512

3fdd0e6ac13b6eddc8ffc224c230b05869f273b4667ad469d46c0c7a9dc50acb17a8e35c53f510814d11ac98dfa2e58efc57c60c2719838bd201210bffcea86e
SSDEEP

1536:1S9eVGepiDH0qW8DYdLSW/duD7rQgYHFSA9D2nfC8VXOsOn/BOmXCMy0QiLiizH9:o9Vep4H0CUdLSWVuD7rDYlSAF2nf3cse

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Migjoaaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migjoaaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcmabg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndokbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcifmbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3268	Mmnldp32.exe
4284	Mckemg32.exe
2200	Meiaib32.exe
4796	Mlcifmbl.exe
1924	Mcmabg32.exe
2368	Migjoaaf.exe
2904	Mpablkhc.exe
1128	Mgkjhe32.exe
3652	Mlhbal32.exe
1860	Ndokbi32.exe
2156	Nepgjaeg.exe
3476	Ngpccdlj.exe
752	Nnjlpo32.exe
3100	Ncfdie32.exe
3292	Neeqea32.exe
2920	Nnneknob.exe
5068	Ndhmhh32.exe
4736	Olcbmj32.exe
4008	Oflgep32.exe
1500	Ocpgod32.exe
3424	Oneklm32.exe
3592	Ognpebpj.exe
3608	Onhhamgg.exe
3552	Odapnf32.exe
4916	Ocgmpccl.exe
3244	Pcijeb32.exe
4468	Pnonbk32.exe
1280	Pclgkb32.exe
1508	Pmdkch32.exe
396	Pcncpbmd.exe
3396	Pjhlml32.exe
4972	Pdmpje32.exe
3168	Pjjhbl32.exe
4296	Pdpmpdbd.exe
3668	Pfaigm32.exe
4668	Qqfmde32.exe
3004	Qgqeappe.exe
1460	Qnjnnj32.exe
220	Qcgffqei.exe
4260	Anmjcieo.exe
4784	Acjclpcf.exe
2220	Anogiicl.exe
1892	Aqncedbp.exe
1452	Afjlnk32.exe
1164	Aeklkchg.exe
2912	Afmhck32.exe
2604	Amgapeea.exe
2516	Aglemn32.exe
2436	Anfmjhmd.exe
5004	Accfbokl.exe
3180	Bjmnoi32.exe
2812	Bagflcje.exe
3976	Bganhm32.exe
412	Bnkgeg32.exe
1076	Baicac32.exe
968	Bchomn32.exe
3856	Bjagjhnc.exe
4860	Bmpcfdmg.exe
1760	Beglgani.exe
2396	Bgehcmmm.exe
4212	Bnpppgdj.exe
3780	Banllbdn.exe
3184	Bclhhnca.exe
4544	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nnneknob.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Mpablkhc.exe	Migjoaaf.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gfhkicbi.dll	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Migjoaaf.exe	Mcmabg32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Mckemg32.exe	Mmnldp32.exe
File created	C:\Windows\SysWOW64\Pnjknp32.dll	Ndokbi32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Mgkjhe32.exe	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Neeqea32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	4880	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgkjhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcmabg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migjoaaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mckemg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmnldp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meiaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgkjhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjlic32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodfmh32.dll"	Mckemg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	Ndokbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cihmlb32.dll"	Nnjlpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lplhdc32.dll"	Mcmabg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmdkch32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3268	3508	6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe	82
PID 3508 wrote to memory of 3268	3508	6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe	82
PID 3508 wrote to memory of 3268	3508	6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe	82
PID 3268 wrote to memory of 4284	3268	Mmnldp32.exe	83
PID 3268 wrote to memory of 4284	3268	Mmnldp32.exe	83
PID 3268 wrote to memory of 4284	3268	Mmnldp32.exe	83
PID 4284 wrote to memory of 2200	4284	Mckemg32.exe	84
PID 4284 wrote to memory of 2200	4284	Mckemg32.exe	84
PID 4284 wrote to memory of 2200	4284	Mckemg32.exe	84
PID 2200 wrote to memory of 4796	2200	Meiaib32.exe	85
PID 2200 wrote to memory of 4796	2200	Meiaib32.exe	85
PID 2200 wrote to memory of 4796	2200	Meiaib32.exe	85
PID 4796 wrote to memory of 1924	4796	Mlcifmbl.exe	86
PID 4796 wrote to memory of 1924	4796	Mlcifmbl.exe	86
PID 4796 wrote to memory of 1924	4796	Mlcifmbl.exe	86
PID 1924 wrote to memory of 2368	1924	Mcmabg32.exe	87
PID 1924 wrote to memory of 2368	1924	Mcmabg32.exe	87
PID 1924 wrote to memory of 2368	1924	Mcmabg32.exe	87
PID 2368 wrote to memory of 2904	2368	Migjoaaf.exe	88
PID 2368 wrote to memory of 2904	2368	Migjoaaf.exe	88
PID 2368 wrote to memory of 2904	2368	Migjoaaf.exe	88
PID 2904 wrote to memory of 1128	2904	Mpablkhc.exe	89
PID 2904 wrote to memory of 1128	2904	Mpablkhc.exe	89
PID 2904 wrote to memory of 1128	2904	Mpablkhc.exe	89
PID 1128 wrote to memory of 3652	1128	Mgkjhe32.exe	90
PID 1128 wrote to memory of 3652	1128	Mgkjhe32.exe	90
PID 1128 wrote to memory of 3652	1128	Mgkjhe32.exe	90
PID 3652 wrote to memory of 1860	3652	Mlhbal32.exe	91
PID 3652 wrote to memory of 1860	3652	Mlhbal32.exe	91
PID 3652 wrote to memory of 1860	3652	Mlhbal32.exe	91
PID 1860 wrote to memory of 2156	1860	Ndokbi32.exe	92
PID 1860 wrote to memory of 2156	1860	Ndokbi32.exe	92
PID 1860 wrote to memory of 2156	1860	Ndokbi32.exe	92
PID 2156 wrote to memory of 3476	2156	Nepgjaeg.exe	93
PID 2156 wrote to memory of 3476	2156	Nepgjaeg.exe	93
PID 2156 wrote to memory of 3476	2156	Nepgjaeg.exe	93
PID 3476 wrote to memory of 752	3476	Ngpccdlj.exe	94
PID 3476 wrote to memory of 752	3476	Ngpccdlj.exe	94
PID 3476 wrote to memory of 752	3476	Ngpccdlj.exe	94
PID 752 wrote to memory of 3100	752	Nnjlpo32.exe	95
PID 752 wrote to memory of 3100	752	Nnjlpo32.exe	95
PID 752 wrote to memory of 3100	752	Nnjlpo32.exe	95
PID 3100 wrote to memory of 3292	3100	Ncfdie32.exe	96
PID 3100 wrote to memory of 3292	3100	Ncfdie32.exe	96
PID 3100 wrote to memory of 3292	3100	Ncfdie32.exe	96
PID 3292 wrote to memory of 2920	3292	Neeqea32.exe	97
PID 3292 wrote to memory of 2920	3292	Neeqea32.exe	97
PID 3292 wrote to memory of 2920	3292	Neeqea32.exe	97
PID 2920 wrote to memory of 5068	2920	Nnneknob.exe	98
PID 2920 wrote to memory of 5068	2920	Nnneknob.exe	98
PID 2920 wrote to memory of 5068	2920	Nnneknob.exe	98
PID 5068 wrote to memory of 4736	5068	Ndhmhh32.exe	99
PID 5068 wrote to memory of 4736	5068	Ndhmhh32.exe	99
PID 5068 wrote to memory of 4736	5068	Ndhmhh32.exe	99
PID 4736 wrote to memory of 4008	4736	Olcbmj32.exe	100
PID 4736 wrote to memory of 4008	4736	Olcbmj32.exe	100
PID 4736 wrote to memory of 4008	4736	Olcbmj32.exe	100
PID 4008 wrote to memory of 1500	4008	Oflgep32.exe	101
PID 4008 wrote to memory of 1500	4008	Oflgep32.exe	101
PID 4008 wrote to memory of 1500	4008	Oflgep32.exe	101
PID 1500 wrote to memory of 3424	1500	Ocpgod32.exe	102
PID 1500 wrote to memory of 3424	1500	Ocpgod32.exe	102
PID 1500 wrote to memory of 3424	1500	Ocpgod32.exe	102
PID 3424 wrote to memory of 3592	3424	Oneklm32.exe	103

C:\Users\Admin\AppData\Local\Temp\6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe
"C:\Users\Admin\AppData\Local\Temp\6d1188b06de0d5c1082c08a9b8cd7a91f9c328035b24517509344a830519ce82.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\SysWOW64\Mmnldp32.exe
  C:\Windows\system32\Mmnldp32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\SysWOW64\Mckemg32.exe
    C:\Windows\system32\Mckemg32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\SysWOW64\Meiaib32.exe
      C:\Windows\system32\Meiaib32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\Mlcifmbl.exe
        
        C:\Windows\system32\Mlcifmbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4796
      - C:\Windows\SysWOW64\Mcmabg32.exe
        
        C:\Windows\system32\Mcmabg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Migjoaaf.exe
        
        C:\Windows\system32\Migjoaaf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Mgkjhe32.exe
        
        C:\Windows\system32\Mgkjhe32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Mlhbal32.exe
        
        C:\Windows\system32\Mlhbal32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ndokbi32.exe
        
        C:\Windows\system32\Ndokbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Nepgjaeg.exe
        
        C:\Windows\system32\Nepgjaeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\SysWOW64\Neeqea32.exe
        
        C:\Windows\system32\Neeqea32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        67⤵
        Drops file in System32 directory
        
        PID:328
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        72⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        74⤵
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        76⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        83⤵
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        91⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 216
        100⤵
        Program crash
        
        PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4880 -ip 4880
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
98507a6975631a3fa0ad8567e181fd75

SHA1
81d4f100cd3c52d684d38df285c7b9a5b746c403

SHA256
ca9881646f714fcb8cd9185404eaad8cbd6c20456da26ce4d55ff9e2a21a8a2e

SHA512
7e8ef3999819531debc571c9b06ae84339afdb686ebe302f9958cc8be3bd8c491e87f06c63dec5d361807fe2eae9c5b1f090f46fbcc511d3f01d932cefa6d64e

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
96KB

MD5
28ab9d9539fe7bf59f37565a8a1a71c5

SHA1
d3dd574d47e9aabb2859787e185245c53322d020

SHA256
f3120b430779ce6a0474f65cc8ceea87f8b722e804ade592d58fd23ea8c24114

SHA512
4ef70e087c35bddb8402a4d2dc4cdc65cb666a2073a0a9e11334f4b635fa4d946b4219c3b3c0de06924affb0544ba2f7535151bd817ce605918482c1e96a44b8

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
42c71dc2335744f845017c76961f7f5f

SHA1
9c8a160acb3b3c8ea6d192118efab0295f77859f

SHA256
1827db3ef26fd31b885a911b4131003feba77851bc55d6ca598162fb2b46a4d5

SHA512
47b29acf12220a313517eb654fbc7f24a7552d14274fefe5aa3a2e9f869077dc2221536098c0aada7cdf279f277697e966465d0f28e55800a262d9fc9d871ffe

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
64KB

MD5
697c5d9bf4d5d4fd859b44b52550047b

SHA1
92537967b095d088355b9f166d0e0dc20608f5c4

SHA256
4fc0a6ef27a40e951051c54b9435880e8f672b358b4a4ed60c1b8a53345b54c0

SHA512
4161537e4b126171157cbb7a34571bb8b374a4192e12b0a756580a7d2b2a0f286653e16ed269d37fef00135a6270bf47dbe50255dcadb07e5cbede4ae717cc7b

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
96KB

MD5
f114571a15345e3eb3d2b2cbcb871d1a

SHA1
f98be94f0703a826ab146ea9e148b39359c8c29d

SHA256
ba1c814b209a98696764989163f54f032db0a09171832b9232e37247b7b39ba4

SHA512
787c1faac7fd53cbb2683517d99ebdeb5a3f3d569780e7d75962360e0f5016099c44fe05218c99491969a421318c684f44b69ede25dcf8db7d139fc7a3a982b0

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
11631ae2c0b0b630b5c54e97c3d0a49a

SHA1
4d664238d7ee806751aae9e66d730b27ede6f48b

SHA256
7c0745a71496bea43197b3508821af9e5642e11bb8a6641e28248d252eeced54

SHA512
4a5ce8af63eeec1cef2d3304982fcc013a1dd53c10da4bd23a8acdd628f6c2d8793eaadacb5dd66a8f92073c33306cf0d682b7e519d219b88d28a75aaa76a23e

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
f5abe49671d29881e94ef0267f64dedc

SHA1
f1f51d37c47a9a07a0662b104a38bec2696e06ca

SHA256
4524ae777900b40d1e7e97c3d56e6d686e85aaceac12a2621e08eb71cb636e91

SHA512
03cbe06034b3895945057e68cf267759e94d6c574473305a6431832868afb009ce56708955ca0a18bbee03f0ffbfeda9f6132a10b684d93774ee5fdfee4fa06f

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
4d6fd551e554a3cc550249a58e5e30ef

SHA1
9f07d8797d51a3d26142718176d7825f4771649a

SHA256
a4706e76c8fae51cdf4af276740a0a400f8580fa8f3c60e455dbad0d6541803f

SHA512
ee7f0e273bce0bc624df1e79bfcf0ca6e07307048b61604152a3eca6cdddeedcd89f78df0b1dde79ed7b12db23d4b4137c0e272ce26f43e3e7c36ce9070aafd3

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
96KB

MD5
339b4ccd9947992dd91e076e632db1b2

SHA1
8794884772a00cca2c4c2da0303b4bb59e69b59e

SHA256
fd39b8e1330db4b355ff3e8030abeaffdb78ab9f66e490d874becf82be334f48

SHA512
f4299f89a53be63ae3a6d4f89138e63a5d41bc187ac37120f5059b1b1335ea18e8647e68b5e8d8a4ce2db2290905b6fa3df0562e3bcf9df0e8071757b0aefc08

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
96KB

MD5
dac4cfbece2b55a5129a39dc4c6fbcb0

SHA1
922dcc7cdfa13bdf24798414b8139923aaae7140

SHA256
038db68097f9a2165f8328d056117665edbbdffe512f333e8710ecc9806ecfa4

SHA512
016fc5c7855693636647d77fbd25d7208770c1f910f13729eda0768d35544becf8cca8784403c7388879a805a778a1b88eb31d2dd3c1f03ab67caa6bc38b6356

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
96KB

MD5
59badf8d188df1b20f84e356ad6e2b53

SHA1
416790358986879ae0fe5343dafe2782bdb405e8

SHA256
2b0267e963bc600e478827a2881cbcea8d5c4bfd9afa2f7bff0e616210855a45

SHA512
3dce2f1ff9f98edf75ccd0722b947d2931ce4d02e9eb488425837028d3e1024460966be7e534569644bb009765218bff176002d04975b2f5403c489b9d039e7b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
96KB

MD5
95c24d4069e962a44210b5327df9b6a8

SHA1
a5c2ffcafaae5851f47a56ed37444c7df5b44f72

SHA256
bfc9373a64ae486c8508505bf97f4330256e09314e382a1981791f5d7887aa44

SHA512
9d2db1e88da65d09034416b8ae6f9f8c801cb6d46ea3e354130e0a991bb63d94a90e4f59fd1d111b552f9fdce2e210c93688c0277c9d5a5c9b8da3dbfabae396

Download Submit
C:\Windows\SysWOW64\Mchqfb32.dll

Filesize
7KB

MD5
03cfc5e06d84064fc9d293a1dca4fe59

SHA1
1c7dd26567f8a5de31f0d4a792504e7489a6ceb3

SHA256
d30ac36c67c8ae6834a63acf73047828632470d7f9d51360e6ef53aece8eb0d4

SHA512
9e46219eef880c1f6c22f9e78bca65c275a89b53b2b60d7ec6fae26af96ea4377d19faf19911e2f2fd806b1347ac501a8826aa7fe69c19ea099150ff65c87149

Download Submit
C:\Windows\SysWOW64\Mckemg32.exe

Filesize
96KB

MD5
62b2fb4dd35100a614a27c2201f0d647

SHA1
88accf96c2df91e852719d441d8dc286836af8f6

SHA256
afeaee7c830b160e401173536925ced2d58e9a3f3c5a504917c202a7d508cb8a

SHA512
9facd5e038cb24e4b83fe5be7dcc22cf9861a255d8f4a8ed769008c4a95e534b8ceb1e60352e21088a9adae897d70fa4fc8895435ff5cc0ad90f5bb94fb1d3a3

Download Submit
C:\Windows\SysWOW64\Mcmabg32.exe

Filesize
96KB

MD5
84ac91e94067cafa8f6cf145b0e57482

SHA1
5439be34817805659fa0a98f141098a52f11fa65

SHA256
52d10830fd60dab3b7347d8e744f23262deac0b94b11a820e2ae70e50b886862

SHA512
10b9b0eba4ebf832cad2c9e326c6212134ce084be51185bc4084064d429e530d7d2e665f6b9633c1528388fcf50de56e9df7afdd6edc392a769aa59b8e76b226

Download Submit
C:\Windows\SysWOW64\Meiaib32.exe

Filesize
96KB

MD5
3368a685c1a58fad5ccc1fc3c21d811f

SHA1
f2d0d3193a9c206ddfc8422af2c6237be093ee27

SHA256
fa8400ea1ba3423c34b5106fac884505d5b4abd42eeb57c0f24e0753aef5ad68

SHA512
fde3fdb1780f7bc478c6722fa68094b69d9024a8fbb84ff78b351aec8862554b76097508dac380814c35b6bb1021d860a2cdebec13c8779d5a109a70da19aebe

Download Submit
C:\Windows\SysWOW64\Mgkjhe32.exe

Filesize
96KB

MD5
af446b2b0acf727cdf4bd58586ea6cf7

SHA1
6b5700bd8441824999642fbde50ab29fd7a19f5b

SHA256
ab5125d148d6be1374f9c51a7e9d53c81cd33a015ffee50937d270afb053b535

SHA512
765294cb605d7b2a408f9a9c1832ac3432cfe5f69ee468464ea67de3e1bafe3d902822fb3b208f3d6294b490ba4b9ad4a081fbb27191e3fffe8e14144a7f848c

Download Submit
C:\Windows\SysWOW64\Migjoaaf.exe

Filesize
96KB

MD5
da6faae29bdd6fc11e1797fd8036fcc9

SHA1
fd8b3c33b3b44d91565810dc663772a58385fcc2

SHA256
69165663ee3aa1306a0996fcf4a374015d895f671da19d2df3f80cdc815dfee9

SHA512
ebcf173108c1ee84f7935a9cad145b62935596da1d3c599904fd1bdca0e52b7ad1b42b6b1a1c7a1d61e49b48c037b45a5eae611f1381177b8f0ed7e3bbaec562

Download Submit
C:\Windows\SysWOW64\Mlcifmbl.exe

Filesize
96KB

MD5
b8b04596896060ac05acc2216f033975

SHA1
7a673a77326b02e7e1dc8a65a164a6752f4bb297

SHA256
241519dbaeba76e25482af31319c7fb7d0bbeb5fe741b295b88b16ef80f0923a

SHA512
ae5c3f0bc38be17a708b11d77f8f92f73ca3683920292af88ad54613da38ae52782e8061b0c5abcace230d9bac23804d24bf5d18a0b3945d2d2526ed6e10a18a

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
96KB

MD5
2a0792421bc0034d50fc51aa2a86c75e

SHA1
57578c86a331de07e9603a8b960a676dd4c2b53a

SHA256
d26b761ac4f74aaa6aee794d61d13cb7dcc7c348caa11a71c7a1ba7b15f09702

SHA512
3968c26b6091ceb849745369adf92ead43d37a3e60612056235ce68bc77ac55831224bcf7fe978605cbebc0d28683188e12a081f167231e4d25beacca2719797

Download Submit
C:\Windows\SysWOW64\Mmnldp32.exe

Filesize
96KB

MD5
08d68fd01daa4f8bbcbd057a78bd8490

SHA1
2a9c30201b2041c9a296d674ca078712f957f957

SHA256
e925abad49ba7e65a6a91954e69bd0c36b79d2034a2dae49e9941966d765c79b

SHA512
3bb1ceebbd84c0df263a7ecd3cde573ac14d6c3f3cbdb115dde4d90de738c25dbd9cd6ae43320868bd605b4c4e9455d90e4b58640597e7458a61f44158a31a3e

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
96KB

MD5
372ce264d1d805a16cfda82751667d45

SHA1
88c79b137b41ef030a9714e7930ab12809774f98

SHA256
704138cbb82ebc0478b9bbf50a13ac3571df769d95fa6e695323dcda1ab1e06f

SHA512
46023ed83a58631383a3ca4bd10d8615f79cbefe51772ac673831faf54c46ddec70e7a3ae9a337df58838f883bf7cdd7af417a5716e65d479b1a585f61cbc1d6

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
96KB

MD5
2c135c7c644e4c2a0bb09122fad91945

SHA1
0bfb3ce0efd0ac706dc67f5cc82f64509d3ab14e

SHA256
e8f62c15fffa7af369c681b44f9fd8f9e656fb993520a04baecda0cb00e40d53

SHA512
05f5622a13b67ac387f9f84c3610b05d4693d9e3c34fe104ba6671be5601159b1e2b35e82a26cde8cb3db645c721a05a1b0caf59f93be830fe4698312a09f7cc

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
4dcc93fe5d35f84662ebaee0fe6f802e

SHA1
7dd02696d9cc064fb2f8fffe038751b83ab72743

SHA256
0efd38c9b488718bf9c15f4e97bbd30cdde9b994287de938d17ef6fa5c1188ed

SHA512
471e327c866a0e656e017856d3181ad9a2e7a89a8bba28b3d0d5725906a9f5c8aabaf3c360cecabca0b875e9a98f785957d5f185536668e2da58e5cbc4f63364

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
96KB

MD5
b541e3747ee31752982e4b15dc92fb9e

SHA1
bf55b3d9afe919fcf89332eced3d737a43c7b4a2

SHA256
fb2794fe19d1277472a307508419f0ae7bc8f7291a64d3623623117fb1f4ec28

SHA512
01b265c2cc6e6d002b5576cb8890285505e94971e50d167dc4dbf209ab1379e8c5bf6e5c1df45d0cd9e498ed727211a61425a9248f1c2fdb069764b0c8603386

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
96KB

MD5
80f9261246914b9c55e0e2866b0920d3

SHA1
479037a4135f28f05fb65962124597f6b0475b9d

SHA256
8c91f979089339669f04843ea483ec4079176039e48674a8bcffde50bd30ac9d

SHA512
8f71c5cdc57026c00ac1d9c24511d8c2b843a832a4c6d1ebd7a8d1d04c4615f766046bb4b003e4325998a83894366fe1c902b55aff8cd1d13f4a07e5dea50b9c

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
96KB

MD5
393c8a0d2a1c90adc4ce55fa31807888

SHA1
a65020f570f2e9711ed37878bde71cfaced59bff

SHA256
1458994c13a3e3816bfb948360614afa38a95963f7252d134e56a7ec6c8a052f

SHA512
64a2c5581a228490615a4a35364b8c905e64c536587236873c7b1d9f9498ea74c1aa45617e1984fb52a74ede47c120eb4ae87eecf532afcbde806a6626a55240

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
96KB

MD5
a49541a577210fe2912e4fcce99fe184

SHA1
8ce1e6e6895b0385c6cda4c0c14fef1c5d985734

SHA256
9d7ae0c758c3307763c40be2a138c20119af45613f7bbafc69cb97cf442c4865

SHA512
2d0ac03913b7f7399c0c548ab306ab5752d10cea901740a7a1b4c3aff301edd788456536d57c1a55032105dcbb5b5622c7100ce48cf9c48fb8ca2c695fc99b34

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
96KB

MD5
1f33b412aa94021d4542efa485fa72e1

SHA1
967754eb833192f3f794ba21bb9d01228edbe606

SHA256
598c11ba0b1f1d3f27761fa1b0d834bce416aecc61d8210b3a915374b482bfa4

SHA512
0fdd8dae4911f4dbd1502008a1c940bb296c1c6f7006354b031fea3b5eadd6446a4d1787f0598f2e869792ac840b4b6338a6614eecb9922523a6e6821793939a

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
068ba7f3c2d461595c7a8efa6fa3ca7b

SHA1
5e837de580cd134ac77c53f98e25d70f79ae1e93

SHA256
538b5421a0707b24bbced66ce16d9f57854820b3c3a1a2aca9536945d952cf88

SHA512
c97ff8e4431b13ec0887960077af0bd3ec1484671b2a46eccb233c526f773840944c090dc66349a80a72692285b5dc24b2216c7cc6fced1291b7653db3c5814a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
0b2115c1a5b8b1061a03b556e0bb4a77

SHA1
8891303f6e5c8a5334aedb77c3681acb1031cf7c

SHA256
e243a680a41f139ac66385ff007af2d56407ead0347ef61b54e3644d2ab0a5fd

SHA512
76fb52b0885944f90c06fa07b618d61c55e2aa6cd9bc702407150aad7d153ee574567ce0c26643509cdbfc33779634fb25024e44c6e4461460e0568f6158f1e9

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
f6a4a17b06ab520f7d93d30ad04184f8

SHA1
a93b454266a652db9f5df66aef21051cf6a79601

SHA256
bb3e4b2a0be16995d6f9f1e3c250ef9da6f2fb23839019a07f5821c5a2b7f623

SHA512
7062a8a95a3efd4e880ac3beaa02d546688a5d1d5e0f94405525ad32d8042f335b4f35e71ec1598acb9ac7ed9bf24aaf51b90d428f51c0ea89c2670696abdc8d

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
d1437cfd5bf22eb1379e904291e22ade

SHA1
6ae80cb8ffc88e73b54520253310217f763823e8

SHA256
bac2728788a521290aa0f204df008f0de3225136009495b50d5f37633fbec5d9

SHA512
afa92e31fe58345eefb973529743cf7fede16d919c62aa18038df4386108a857c5ab142f416e5274fcf6e515fc5af8744fa0dd64532485f9f0d3e6a8dc54d1d1

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
7a3f9aa80732e41832a1de92f993ead2

SHA1
d18e93ea3f80482c4cbab825eb761ae5251408cc

SHA256
30671cc5dba14a7ca63b16c69c3ce03a4302883237fed58da1e4f20390188042

SHA512
27a16de0d2b2fd39d6402a27680824f73cf933f92b0beab951c16d469fd7126b4b4e2ee7e3fb80035e541dfa34327a280a8fc1646fcd675c3acc44867778b37e

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
8e057895bc538d95be719c7d185713cf

SHA1
1099a3f730d7a481a2066a96912ceca78890c988

SHA256
de1c570131efc35572d4bea901e021347f99b646c23e83cc52927ea1d29d32c4

SHA512
0091d59bb9a0c200b98752a854bf9a11873b69aff420a6ef342f315119d71e249dfe212a13d4518e3e02c8f6cac262a6db5465202e77bee7e2e10e047c23dbb2

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
01d1d20c5da910782eec9087316f0f88

SHA1
d03c4245f3c2d1cfcbc6c6b27a33870ecc384ea1

SHA256
39162704e962a6c41c7d8c950377c9d470121edff4a12a5bef1bb33fb9be509b

SHA512
c4b0ae258de26174ea98c2031606591ea6cabb574d7f6b6fe23fe198742ec718d0f12ac591310df61e0ee0bff93d4ad088fd0e837825eee4f81bc98fb1e0aaf6

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
cebd8c1ae7163b58677bb55d0c2a3d4b

SHA1
2b16bfe91176b2d0dbe2d9cedc5df5a2231b24ae

SHA256
54951c58d9b5bd1104eb8eb4a2eaced7f9e689eac432d176e0931cc06c7cf7ce

SHA512
824d5f7bc4e5181ef8e2eb5884b0f85e53f951f8d24e6e81ba536b557f648c5fa7ea0b49b1b50719fbf2eee620f9fc9893223f6498df6509c7c0d819bfcf3a95

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
4d6c655205da0c4c94776564ebd83738

SHA1
f1a4679f4619cf417ce13495051dd7ef0e2b6279

SHA256
bb520c39dd7f75792f651ca3eceff67d629bf5e530af6c8e2f2caaf2c7ab526a

SHA512
af46edfd4a3fdb2d983846f9cae341bd4eba693acfc9d93be4d37d2008f2c934a97c1257e34febfdd4a941c80e16928a2112f210590a7c59eab209b10445f00e

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
9abd7d7f80b0f1860751c134e602f3b9

SHA1
adde29e2f27ff3890c28b2935711975e19b9d233

SHA256
a668291be0819779f69e21acfa25d61e14a24a0eb5ece7caad3a2fac016d03be

SHA512
3752d869af0cf26e5393191226b0b656d2d5fb9bf55f21970c6d3f164afd188d15dac5464cfe0e9c00f15b5c48c1d3f462efc155299463230a7085f5a08fb70e

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
96KB

MD5
66114aa2f3fa7aef86a50d374ad9920a

SHA1
4162383d1aa07f737b29d17cac452b88b778ba27

SHA256
bbd579a089fd66c59c7ec86cc6d44842dce20d63a7a36fe04ad8de7e2f952b58

SHA512
1f3304681b90f3c0e8627d2ae30fa49783aa1fb33f0bea44736d2548b9983078c4b43c9e7a5f7f1f632fcc5970b7287b4042fb871024ff4fb0dc387152819bc2

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
568583aae610777cc55ba5a483297257

SHA1
b7452c447d246b76054a692c3ad073ec74a4e5e0

SHA256
3025a195b562dccbb2a444d3e7e10d3ee9dc0deed1f8defccc50db91fe59d7ee

SHA512
67a9a9e4dc1134b519ca32d89f96910471bb13a3222af83421546e1def8828395dd44277a109563b6e02b440e43dd1cfd058cb669a983ab906e1159af00028a1

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
93e1cf353966574581e53a9b4b2fbc45

SHA1
2ad13bcc4502de1b86b50a052f39d3a9d5bd8edf

SHA256
9ca0b9eadb6068a2df0836a832ae7562f8b23a1a59d0d269778bea86350d74b3

SHA512
3984497c5e017a39ef05ddcc84ef5b51c1747bc17266ef8d94efa1b10be5df2f088e66ea7837ff6e0a4e6592192db8a5c903b6a8fdef65388f5274a897bb3cb1

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
31e602ccb86e0823c7598c8769bc15c0

SHA1
0e2b47ad45f47029225c424f6b350888033649ee

SHA256
514065473a59e279e2230d10359d45debc700c4d3a5a06d66464e77a8d54322f

SHA512
86f71f1b76293f122487b4ae1bcbcb3d1387fef943fb34c92e710f826b7ef6c31f15f4add7425c15a8dfcfb3d4271a702d755ede8afb975647f1398c1e4fb55d

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
e05ca70e451453188e70a4d708e569c8

SHA1
f7150076cdc9229cf13981ccd1645b0130c66b3e

SHA256
b5b9d9e82a9042197168b860ebe717e23c2d01517e8271f8e1b0a0d3fffe97ec

SHA512
7d91731746c65b6a3449280e7942c4ca3a38986fe84367b1b6d32050d63e8aff925ca820ca7b30cb4b0d9cad4f504c29a24ba6c446a6807d1aa11e6193346928

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
341a8a46d0bde317772fc9ac34045cd1

SHA1
f02cd6018f4c699b982cecd248487ed49fb63358

SHA256
1f0523941864309567e49ce09bb721bb1f203f6e7a4b1cde3f4878d6a5ff114f

SHA512
331330d124361050a3f44ee7e1b6c7181f7c8c4284bff55c24482c14db816499c59005901501a1666f2dabd4362ee320d810aff01923741bf8ef2fe047e92f7e

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
c214a47fb74b5e7a4fcfd5cbd9ef71ab

SHA1
3c4388992bf671790897e1ffb94574a8065804a4

SHA256
f18f5e4d8ddd84e65f3985031f801459201df71e4e06fa0cda706d12c4afe821

SHA512
497862b2ddff5e55f3af01e2c8be564a5cd9e26491136a19e41f64cf334f95dcf7babb702649a2b1aeda8250a763501330803ccb3417550560e553f5196e983f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
4285a4173cde5266b1cdd85c6fe010d2

SHA1
d241b39fd76464c0c66e249aaf255a5162e74476

SHA256
c3b348c8e514674df71ad4f921292a5d423bbf547b931d7a8f17883982dc2ad9

SHA512
2e3f221a37de9f955ed0a860933455979ea7aada23c96fa355db4236a2616cdcce4a362f60a0b93078df5644e3e5ff73b120f89fa310e01936a9696b71205506

Download Submit
memory/220-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/220-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/396-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1128-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1164-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1452-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-258-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1508-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1860-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1924-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-177-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2156-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2368-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2436-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2904-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2920-222-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3180-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3244-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3244-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3268-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3292-213-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3292-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3396-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3424-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3424-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3476-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3476-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3508-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-291-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3592-276-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3608-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3668-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-249-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4008-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4260-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4260-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4284-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4736-240-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4796-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4916-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4972-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads