berbew | 0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Size

265KB
MD5

4a47a8c359267e987ed6c88095be0c5c
SHA1

946e1ff11b21ce172b6eaa7ffcff2f0608aa1626
SHA256

0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b
SHA512

b279ec5eed88734a82b03e98c9e09deb344084327dee37a09a2958634b2c298278848de3b85306ca76fccaaca7b2f76b9c0f9030d3f75ae7530dee36582faae2
SSDEEP

6144:NRz61+kTm9TLp103ETiZ0moGP/2dga1mcyw7Iq:NRz61fOpScXwuR1mK7P

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebdoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npfkgjdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npfkgjdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5040	Mnebeogl.exe
2216	Npcoakfp.exe
732	Nngokoej.exe
2324	Npfkgjdn.exe
2128	Nebdoa32.exe
2716	Ncfdie32.exe
3504	Njqmepik.exe
4304	Npjebj32.exe
2932	Njciko32.exe
452	Nlaegk32.exe
1560	Nckndeni.exe
2340	Olcbmj32.exe
3248	Oflgep32.exe
5068	Odmgcgbi.exe
3400	Ocpgod32.exe
1304	Olhlhjpd.exe
456	Ognpebpj.exe
3384	Ofqpqo32.exe
1672	Ocdqjceo.exe
548	Ojoign32.exe
1120	Oqhacgdh.exe
436	Ocgmpccl.exe
1140	Ojaelm32.exe
4020	Pnlaml32.exe
1900	Pcijeb32.exe
3180	Pfhfan32.exe
3088	Pqmjog32.exe
2480	Pggbkagp.exe
772	Pfjcgn32.exe
1864	Pncgmkmj.exe
2148	Pcppfaka.exe
2928	Pnfdcjkg.exe
468	Pgnilpah.exe
4512	Qdbiedpa.exe
384	Qfcfml32.exe
3976	Qjoankoi.exe
1624	Qqijje32.exe
2896	Qcgffqei.exe
3652	Anmjcieo.exe
3728	Aqkgpedc.exe
3984	Afhohlbj.exe
4712	Aeiofcji.exe
3788	Afjlnk32.exe
2156	Aqppkd32.exe
1464	Acnlgp32.exe
3660	Andqdh32.exe
752	Acqimo32.exe
4104	Afoeiklb.exe
4708	Aminee32.exe
3568	Accfbokl.exe
848	Bfabnjjp.exe
5000	Bmkjkd32.exe
2768	Bganhm32.exe
1204	Bjokdipf.exe
5056	Beeoaapl.exe
3112	Bchomn32.exe
2472	Bjagjhnc.exe
4748	Bcjlcn32.exe
2096	Bjddphlq.exe
4956	Beihma32.exe
2176	Bhhdil32.exe
4340	Bnbmefbg.exe
2620	Bapiabak.exe
3956	Belebq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	Nlaegk32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mnebeogl.exe
File opened for modification	C:\Windows\SysWOW64\Nebdoa32.exe	Npfkgjdn.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Ncfdie32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Npcoakfp.exe	Mnebeogl.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1200	2384	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebdoa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfligghk.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemphdgj.dll"	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codqon32.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjlibkf.dll"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 5040	440	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe	82
PID 440 wrote to memory of 5040	440	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe	82
PID 440 wrote to memory of 5040	440	0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe	82
PID 5040 wrote to memory of 2216	5040	Mnebeogl.exe	83
PID 5040 wrote to memory of 2216	5040	Mnebeogl.exe	83
PID 5040 wrote to memory of 2216	5040	Mnebeogl.exe	83
PID 2216 wrote to memory of 732	2216	Npcoakfp.exe	84
PID 2216 wrote to memory of 732	2216	Npcoakfp.exe	84
PID 2216 wrote to memory of 732	2216	Npcoakfp.exe	84
PID 732 wrote to memory of 2324	732	Nngokoej.exe	85
PID 732 wrote to memory of 2324	732	Nngokoej.exe	85
PID 732 wrote to memory of 2324	732	Nngokoej.exe	85
PID 2324 wrote to memory of 2128	2324	Npfkgjdn.exe	86
PID 2324 wrote to memory of 2128	2324	Npfkgjdn.exe	86
PID 2324 wrote to memory of 2128	2324	Npfkgjdn.exe	86
PID 2128 wrote to memory of 2716	2128	Nebdoa32.exe	87
PID 2128 wrote to memory of 2716	2128	Nebdoa32.exe	87
PID 2128 wrote to memory of 2716	2128	Nebdoa32.exe	87
PID 2716 wrote to memory of 3504	2716	Ncfdie32.exe	88
PID 2716 wrote to memory of 3504	2716	Ncfdie32.exe	88
PID 2716 wrote to memory of 3504	2716	Ncfdie32.exe	88
PID 3504 wrote to memory of 4304	3504	Njqmepik.exe	89
PID 3504 wrote to memory of 4304	3504	Njqmepik.exe	89
PID 3504 wrote to memory of 4304	3504	Njqmepik.exe	89
PID 4304 wrote to memory of 2932	4304	Npjebj32.exe	90
PID 4304 wrote to memory of 2932	4304	Npjebj32.exe	90
PID 4304 wrote to memory of 2932	4304	Npjebj32.exe	90
PID 2932 wrote to memory of 452	2932	Njciko32.exe	91
PID 2932 wrote to memory of 452	2932	Njciko32.exe	91
PID 2932 wrote to memory of 452	2932	Njciko32.exe	91
PID 452 wrote to memory of 1560	452	Nlaegk32.exe	92
PID 452 wrote to memory of 1560	452	Nlaegk32.exe	92
PID 452 wrote to memory of 1560	452	Nlaegk32.exe	92
PID 1560 wrote to memory of 2340	1560	Nckndeni.exe	93
PID 1560 wrote to memory of 2340	1560	Nckndeni.exe	93
PID 1560 wrote to memory of 2340	1560	Nckndeni.exe	93
PID 2340 wrote to memory of 3248	2340	Olcbmj32.exe	94
PID 2340 wrote to memory of 3248	2340	Olcbmj32.exe	94
PID 2340 wrote to memory of 3248	2340	Olcbmj32.exe	94
PID 3248 wrote to memory of 5068	3248	Oflgep32.exe	95
PID 3248 wrote to memory of 5068	3248	Oflgep32.exe	95
PID 3248 wrote to memory of 5068	3248	Oflgep32.exe	95
PID 5068 wrote to memory of 3400	5068	Odmgcgbi.exe	96
PID 5068 wrote to memory of 3400	5068	Odmgcgbi.exe	96
PID 5068 wrote to memory of 3400	5068	Odmgcgbi.exe	96
PID 3400 wrote to memory of 1304	3400	Ocpgod32.exe	97
PID 3400 wrote to memory of 1304	3400	Ocpgod32.exe	97
PID 3400 wrote to memory of 1304	3400	Ocpgod32.exe	97
PID 1304 wrote to memory of 456	1304	Olhlhjpd.exe	98
PID 1304 wrote to memory of 456	1304	Olhlhjpd.exe	98
PID 1304 wrote to memory of 456	1304	Olhlhjpd.exe	98
PID 456 wrote to memory of 3384	456	Ognpebpj.exe	99
PID 456 wrote to memory of 3384	456	Ognpebpj.exe	99
PID 456 wrote to memory of 3384	456	Ognpebpj.exe	99
PID 3384 wrote to memory of 1672	3384	Ofqpqo32.exe	100
PID 3384 wrote to memory of 1672	3384	Ofqpqo32.exe	100
PID 3384 wrote to memory of 1672	3384	Ofqpqo32.exe	100
PID 1672 wrote to memory of 548	1672	Ocdqjceo.exe	101
PID 1672 wrote to memory of 548	1672	Ocdqjceo.exe	101
PID 1672 wrote to memory of 548	1672	Ocdqjceo.exe	101
PID 548 wrote to memory of 1120	548	Ojoign32.exe	102
PID 548 wrote to memory of 1120	548	Ojoign32.exe	102
PID 548 wrote to memory of 1120	548	Ojoign32.exe	102
PID 1120 wrote to memory of 436	1120	Oqhacgdh.exe	103

C:\Users\Admin\AppData\Local\Temp\0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe
"C:\Users\Admin\AppData\Local\Temp\0178af8492ddb2a5055a1c6eecdb52c0b376449db5cd9d56bd19acaf3b78b05b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\Npcoakfp.exe
    C:\Windows\system32\Npcoakfp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\Nngokoej.exe
      C:\Windows\system32\Nngokoej.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\SysWOW64\Npfkgjdn.exe
        
        C:\Windows\system32\Npfkgjdn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\Nebdoa32.exe
        
        C:\Windows\system32\Nebdoa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ncfdie32.exe
        
        C:\Windows\system32\Ncfdie32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        66⤵
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        68⤵
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        69⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4964
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 408
        86⤵
        Program crash
        
        PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2384 -ip 2384
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
265KB

MD5
79ce8826e7a25a75b42a949baa549493

SHA1
d5a578e5fd4e463dbf47e2f2129dee4d4ee70ba9

SHA256
eaf4b65bd07fb4ad4dd16bfb46023e89f6e37bab469d388378acee2a9c36f61b

SHA512
6381833eea99f0db3b348f10838544bb543a5e3fb24d7736540794ce71cfbd0b568fad30609870a656a9b1f2966cdf6c6269b0f8bae3f910b1f43be6e55c3ff2

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
265KB

MD5
006652c33975891d0a3079d7354eacd3

SHA1
45696dfb2c7ac78a92d864577a284e11f81e92e5

SHA256
444cd534957106e39860b48a0fb2704e1dd6935426b53b2d638ba04d4cde54d1

SHA512
66c2de22c5b217173ca8294457dd508d6e3a572883c64ce06683bda8d59947b19724f9a7b79b47c9f564ae3b7a58c32c0a268e36309a68c17d5adb42c56b4001

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
265KB

MD5
680d835e02bb22ed02c3eb018f20aa7a

SHA1
ba20a9373c5aca39a40000151c3a3eea202cda9b

SHA256
77894f64c786ce50b78027042ff8485d90e1855d9afba2c62adbb84ed88c1c99

SHA512
0a625e1e86f6c9ea161369274987ec6edb44a0b60f95cf33c6fa3ac9e34a131812de5e6d98ab5b546d44c5566199af515304e424bc458894d3da20d9428445e7

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
265KB

MD5
a7479d683ee64b46e77504902583f807

SHA1
c2a588751c1f3d0174e784a033443036a5819f1d

SHA256
3ac4b298e6e1492bee60cd4e0620d297f67ac19c58c1cf43e427e97759521c90

SHA512
c6d797f801fd58cfafa9ba2b810782a26be39672ffffe64408a283952d488e6f3d2afdc628373673bd45dbc41478b8080b939af4450ae69ea7ded8015fca0ae0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
265KB

MD5
a73d746001204122db0a7b3b8686341c

SHA1
32bcd73727ad9ef05bfcd1927567acfb9a0dc1dd

SHA256
a2d5d173d8a0d8eb89a5a0765191cae6c87da781311291da8e7a038b914174a6

SHA512
c53ab63e7a8a38215b2a4528410331d70ef00380bb170dc391ffdda092a0cdcc25a46dc1f3e284ea8539daaf8d54a65e3a2cf5cfde84cf88a4f4a4387c6262f2

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
265KB

MD5
0d307a1b8f57bb313b43aec173cc0f65

SHA1
e9e2f92fb1d568aca82df6f083a662365da67bf7

SHA256
ce8abf35e73ab9a10b6c22b906fb61f2935f4810957d0e29f1b9634978114904

SHA512
3962361146796c635a13dbd140619e254f9c13dc9d9e9b4ba8ef15548b5efb906703eac89084bcda2353fb5e28377c4ae0a6a0665a6cbdfbb93a39c1a50a8139

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
265KB

MD5
f3c9aecd18418ab9570271739e0fa7bf

SHA1
1330cde4e42a9655031687844b7d1c7638779a1c

SHA256
1369fd07d82c39bc59f95347476f7d0435477e7cfe9c7a2d6f4d7620aca3ac7a

SHA512
4fc14c610c2e2f3ad1d7d351c8c6e424f63869100a90e785c61444397a1e3a2ee415e48c24d05aa2ad0329b6e47144e6c0990b52fa786c4a2c8baf51a3a31e06

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
265KB

MD5
f5ab97ecdd9b661cccb177a47c946821

SHA1
25c8a54a70b0e25ecdd5b2b2dd73305cf525f606

SHA256
d3a34d02ab8a63e1bf051a66eb8b51b8f47756e0f7403979a861f16955c31db7

SHA512
01b9f9e9c1dd8653ca3aedfd3df0f140a355ee5e16ae612ac4421d48127344aad9fad36c50b6d14b101c6f85298af302e1a508eb0b97492d756a2b3392604d6a

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
265KB

MD5
6f1797966f36d15aad71be32200b495e

SHA1
cda4f7f58da6e95daeff9be6f82b2c89b2a7642e

SHA256
fec3fb4055ae095877bd553efdff7cee6b933b24b334971bc5ee23cb99c94218

SHA512
b50dc220f340f55072981cd49cdce4705a3602bf9f8c5a3e98b2df11bbc7385ac1db6fb16d88c2b7f9f752e163c6ea124cc9d5d5133014645f3d47d08801ea43

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
265KB

MD5
7c1e24b8e2b5fef4e3e711ac0a02ce9c

SHA1
0acff9f9106f78965cd306f73b6a81f491fb1dfe

SHA256
3a520cf7afc2d9abf461c3b4430d7584f9fdbf95f4c5db6f6421d910a1d413c6

SHA512
38833eeab3a7227a572a2dbd15c72be3e0c4e1af37b79ee88049684048cd493ca64ac0e29fb4899b122bab01479b71f34ba617e1ceade9a7c4a4477b49ea05b5

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
265KB

MD5
41275c650d22a123a768ae4b94ffafba

SHA1
fcd609bfa5229405320f2ca151332fb7e151301c

SHA256
32b11e148bf33ef9ba8a59b940685e33997443f29df4824b15d7fffa6f628bbf

SHA512
1054813bf6d5f1dde9f6ebfd6edcdd92d3b319f3ef3663a398176250103f0c76d7c332059ccfe4ed186dc079e9cf0a5555d8f4dbd6908bd37e8b5d89a65deb2e

Download Submit
C:\Windows\SysWOW64\Gfmccd32.dll

Filesize
7KB

MD5
21d0a469bdcb3f352ef1936d465dec27

SHA1
264aebcd92d980cfeb75fa59757eab236f3e4562

SHA256
2a1cc44ec47c4d85d1c1920e70f1f5b181a4a2373a2dd9d3cbc2fdfe1a0d119d

SHA512
f5214c2beba9287e8c41878a70e0da048b54e991dcca97ddbfc260fc311f58bda6a348fdd8d45df5540d1fe7059b17b1af59d40817f9b880922c8afac41b8023

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
265KB

MD5
3ea84bd4c5d4db66ba247cf5db924991

SHA1
4ba7151c311c301b8b71a852404e349ecc899ec2

SHA256
3b973753d8fb8de0107d4c0a47ff6625896d1a9b55abc64c5d47f81bc5ef029a

SHA512
243e2a5daeabf618ffb01b68fd595e768b27bd909575273d8c9847b905b9ccbb5d1a44cf450c54c9b45b42e5e0c3ac09a56960df17981064664ae19228d4249b

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
265KB

MD5
366695459b0280c35f1d5d215ded8516

SHA1
f1f408945ecd37319ceec641f9f26ec8b8aa7c22

SHA256
4712ad3ebc2d534535b02d593f8b11daa896da6cbd58357740ce49f23b24e77f

SHA512
6881f09f6502ac7586bed841bc2f46e59dbbbce280e58b94ff61d6ead34afcc8f2f01ec60aba3fb8d4a363653c89690e00fa613e15e655d86bc61697362b6bb4

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
265KB

MD5
f27f0bcff7c4f58c583b29bfaadb35a7

SHA1
f209e03e39c422a520d34b8bb2f783b09a51161b

SHA256
98bf55692858b3b2cfe3cb039b8486e70df12d5c331f77778131ae72e91bb5ea

SHA512
c571ce0315dbe414633a7412cad54fc484a062feda9329c9746ad7f74a26a71d07b823e9013ba348964ce7683d8fa38b7ca378b307d87a8fed0e0ed81f0d8582

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
265KB

MD5
d99171fa6ec319e9b271d4a3974e5f44

SHA1
453ed8227ecce5f30d933414a2cc798f84ad406d

SHA256
153384f2f568e4c6638212f0b0e3172be6a98f78c9dfba946820a9321965fbe5

SHA512
fe410e4d4435e562adc88b998a660a1e6a4941210b8a49e5d156bd081f1c5102972b1eeff06530094b7413bdae7b5d869256267073ec979ece91bdfb8e190a77

Download Submit
C:\Windows\SysWOW64\Nebdoa32.exe

Filesize
265KB

MD5
117491c361adfef10ff420528a01ef6d

SHA1
cabe220666f6db6c53a5782610d686e5c6cf9f79

SHA256
eea42a7e5352776fa16fed8005cf9a31c0fcb7508ad7df72d0b511c315dd869e

SHA512
ae0bd2bb4cd43a4dcd8940ce492e931cf9cba223947cd295282999c50466a7e9bbd376b9ac3de36222cf0dd6a3083ee2ec364cd5744788bcab7c05aa260eb7a0

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
265KB

MD5
71079b7e807220ee86d0a414073b6a5a

SHA1
5cf7296d35b814e25f20186a9168673727842650

SHA256
01a30c2a09c84b53a24fd740d76e1e25b3f4aac35df36878cbdc191f3842e498

SHA512
59c1cf8cc7036c4abdfff369704e7b2bb2de2a47c92ea32489bb3f4cf583dec148cee7d0a90caba8098e2283d1719faec93136d75f6f9e26c7a055d55da7274a

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
265KB

MD5
f9f6e781f87287a427644ed7a1fa6542

SHA1
026973172b73febbc07ac175918613b1c127b7e4

SHA256
5257810441f25c542dff141da6542aa37305057271890b74a9ca1c8e93c514e0

SHA512
4308beed69f51da6a3d11449f2e45c438bd6781a7c2d2e588ed27efd01fc10bdcf3212be058f501527ed17b2f0f67c8e2899f00c19f7cd545a8b9db52b85f5a9

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
265KB

MD5
afc9839d4be04454762c106afa1f208c

SHA1
0237b6f7cde689208e0c84c8a93a4fecd7984af4

SHA256
6ae1d844e22ea72a4d4e0a832c689a21e02abd82be42118ab6fd3fbd18274af5

SHA512
2d3cd58d938203345efa25250df51b06066a0f2565dc7013b9c0ffaade56a5e5bcb8e51a4e25168d1c7dd0ed34855c9e3bbc9eedf929a5c42f8a15a88b1cf54c

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
265KB

MD5
afaa99dcfa10cadfe277372025d249be

SHA1
5fde1b6446db66d0a2616df21016c8e4d3eafde1

SHA256
fa3f0f578ed2a510d6d7f3054fa94136e431929397bc77d2d9c43208cdda2710

SHA512
04408761eba55c758b41438693ab631d4130e38fb11f4b524b77627e2c4ef68923c066ffececc067f138ba854077b0b298013a49003fcd37c853d32d1951a8b4

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
265KB

MD5
740faef3c004283aa770d4bfebe09e3f

SHA1
23f885afe8cb53082479bbff6dd6d036ce7e90a6

SHA256
20fd22a5f8b50a9197b0fdc4f17908a9afb35a46f1121fa2514a2038ac529017

SHA512
f511c70008d941b37595cca1f22e86b5b8cf2b881f6334eba70ccb68a53314425230bfeb93ad8221d0d39c677cf9b744ef46d6824c9bdde1e5dd6089c945c2e1

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
265KB

MD5
db84518e3b2c8474691cc9f164bce94f

SHA1
553afc4430fef154ab7e1eca348276a6984ff113

SHA256
df441387e732252f14e641f76fb5f47a2d0c7ee587b794db800bc1ef1186ba57

SHA512
a1614fd131fd397d24c9699969d380315e2c365d634de2816f2de4c5969ec119e623dbfbe6ae1b80acfee310a604bb39bb62c86ff4ec3753da9895ecc064aa5d

Download Submit
C:\Windows\SysWOW64\Npfkgjdn.exe

Filesize
265KB

MD5
969538ad240b46a982a5b628ed40bc06

SHA1
a38a0fc7441dc999c069f694b1b46c647227bc52

SHA256
e0b5d0eb3e313afcad6bd5cccfc7d389b85d389ad1c7d594ee809f21092ea4e7

SHA512
1ceac9a5cded43f90c1f7fd0b75ff2694f2491a054bfedd1ee3223dfcc90ad82ab4cb14058bb720222feb75260c508f2d8e9417a0589b12409047c7b741ef93e

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
265KB

MD5
4d553932033d6ea321d43b0470faf6f5

SHA1
a8fa532032bf7e1f71353bf506ef1af80b1e4be3

SHA256
a2a011ddf7886eb89e1c079cc7a24b34f12d3a735b787aa126ba792b69dda9a5

SHA512
5918bbe61491f5dab28e810ebd9974d1694daa75c5e6ac8a29121a5a93225e06eb8595e605382747777acebc8681cc7c31c7982deafad58949e33ae54ad252e6

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
265KB

MD5
ffb173c1f6dcbfae80e1952e704506fb

SHA1
498f5b3d7a707b20fddcac186f4ed9c6f57cc74e

SHA256
0eedd88235efef1543743dfebe6d7c51c640e333e2f2027e206c9adfb2fd6b8a

SHA512
844950dd3bccd2c3b2442a9513673c66e4624d4aab23464dc1c012c9488f7e607377c1a89bc8669d630b0bb7b2c63320e97d068a5184a4bdf27a596467d7a1ab

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
265KB

MD5
bc05a345d9e2130f2a598785e059439e

SHA1
994a1dc66517892f2d393f469f248f2cb8ad4fe1

SHA256
cc8376a8ef7c3259863f1f60e8096d8fa2739e00f7df4ccbe13b7094072a79e9

SHA512
40425179fd07a8481d61ccbdaa138fd5ef5841cec7792869b9b9226cba1133aca4eb8a911c77986f3cff24dbcabd63be6c953d5a8f5d38c4a90772fb1e3e8769

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
265KB

MD5
1804e35407f57abc179af5a1d56b3040

SHA1
a03088d1a6617ec142229006dc0f954088b64210

SHA256
20845c507f14d176da1a9223f4c9eb3f96aae70bc99aec52fe774fbf8b2e96f3

SHA512
8dfb0f6c6a3cf2e6155d363e3cc9c559647b285b355feaa40cbd40f13576b15c3b3312886df0e8a4e76eabfaaae4fdaeec0fc90eeb6e60d80ad62c891ddc4eee

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
265KB

MD5
9dc7523642f73bf46cf97daaa65abfa2

SHA1
d023f91f0c19e5eaecdb03eb0442ddf9251b8520

SHA256
803262fe14aa275e25d9c7d3ce8ba96eea575562279855eed7921468d7b1c19e

SHA512
ff5b8816af4e10a709546733b67da816c10d93d42e2c6f8d082b9f3d50b37767d75c9facc8fc262708950182235d09d83eeae74bc5642154fd0c7ea99fb75952

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
265KB

MD5
170d6e14f53c2e4fb896f09a293ccb67

SHA1
fe006b231efe60495ec2520d36fd47fca353fda2

SHA256
a765a9a14616dc4d36c4f14da31cf8b7ce1ba14318822264c9f4f53802c46640

SHA512
9c1951bb586b2f43291c9cb999d992acef7d243fde20b66a221ffad84e686aa8717c3be8adcb38162e2fad211443ea209492cd541ac1457319a9fa597a8d9b45

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
265KB

MD5
2e1fb6514e75baafc93169f768aa6dc2

SHA1
854b8a922a2cb661e9dd2a9b7b1968558b90fc55

SHA256
c347c092fc38cdc19817fd0d9d63e61cce3cb13b790044d81a850d3377ce1e28

SHA512
898b56ba2dbc999a4b8a3d907b1e686681f492ae2fb4b0063d34077e2f862805241a03030dc788d841c64aa42c94f3bf7e878c2ab95e7458154251a055a3aa05

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
265KB

MD5
ef06dd79694fdff9eada2d9cd1192f21

SHA1
acfe65e18c486fcedd9012cce61dd2213967249d

SHA256
d98ad1ffdc82f084e9c7d4ebe4fa13d3ace9a7ee61dc711c4c44d214fddd76a7

SHA512
b30689097992b3e454a49b6c1aca0c1a58340ed88db6463dcce91e5c2b2c0c260b397fc732686a09715d75ec561206d7ef2c9b9c63c7235cc64a994221b44cf5

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
265KB

MD5
94f4071bbb855b502d9721b47c7bf56a

SHA1
b33b1b2a4e4e908e300693fe7ccc93b33d5440eb

SHA256
7aad5cbac8bdfc4b65958afcdf08dc9b0561112160f9f3934b458162cd7565bc

SHA512
b3697925d8e434c2d83f6b02bdab807259686af157dcd4b8900d1407458ab41ef5a17ff01c972c1723adbfcffd5acd7bd8b5651831c83ea71186cc104a91a185

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
265KB

MD5
a1a218b95d228f59df1a0ac759ea2ed5

SHA1
773452ecbd13927637d179f5195eb6e492f43a6e

SHA256
e26982db93d007d536f97ab739a4200bac7a39204330f0947fa74e3c64998494

SHA512
16db7fd62b02db6fcda671319686c09305df816b485bcb09fd22f0639ca92ad82982c7aea38a56adfc6c7ba5450bf359f308c8d7dcbdf72e1aea9f6a48cecbab

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
265KB

MD5
e9f5b28dba3dede56412a9e172d39c96

SHA1
9f6c336d92c0ad4932ec6f71c3f0e366231ba07f

SHA256
ace98750d9b488426a92ff36c9aaf1c0856ea3a167064ef52753a1f72645ea50

SHA512
5518d4b0af07ca5924849505af60136d9128961a094e3c19666ab7b370d687e334fc8836ad32478b802ce3a235622013a3515d15d5e86eb12d861d88a99e29a1

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
265KB

MD5
be4bfbfd88240c5532e869130226cd46

SHA1
6eb4e3c97282732d443d65e3576adb1462c84d77

SHA256
2f66a2414fc9148da3c4eb93ee87d1c6b14172e23cdfcfa83d4b76b9c4c0dfef

SHA512
64f5eb118c2d5bc4ad64513b046025b4cfb5382f34a2674e11e5f0aa1b9d0fc1aecf1c06a6bf0e999439e4f69af9a2e305728055f7abe2b9144122b56382d8a7

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
265KB

MD5
4bb011ad1f4896133710ebaeeb739dfa

SHA1
31c903a6e3f184c85330302b264b2f8350887524

SHA256
0bec07a799b48291ebee254aa35cfb1918f7d65c789ffd12cff6e0839af744ce

SHA512
e5f5004af32e56e12aae0995ec4b863500ee77e4ed9d0a8ef59d998c5c22490e2e9688b95b398f7b4a5a9e2c27989f5f5d5d9ccf290996b57496d8839c7ccb12

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
265KB

MD5
6ca7efbd2f7e5922ff6c087fa401b613

SHA1
3d93c37ff4d25e8626b1690d866d79507fa94f43

SHA256
f01d5202b5a2503ab6414ac7a4c6fbe4e79468479963fc6116a09a32b28fa6df

SHA512
ceffcf6b063e19af64122a8dae5b3110a6ee4a799fda4c6dec8d50bab88643c3e704f9ebdffa2f08d7abe2fec0b7a0fd1872eb5888ca5713b4f53ce2d0eb2301

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
265KB

MD5
6d1d1ec3ef1a975fa32c38c745f1758b

SHA1
264509652f11029e9bb3b434f317d793009cb8cf

SHA256
2d9a3116ffc24751a8496ec3ef7f1d4622b38520f70b025db5340ef9e062b91f

SHA512
ae7e7595ef9881b2cfefedc72daaacbe95a2cfa5510c90ecc09ffde06060046f9bf4e2ef3f17fe0ee135ab405abcb16e99a683781dccb631dba7504ab4cf92a5

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
265KB

MD5
a44e8ec2eb778b77dc1e86a6b238d102

SHA1
e79c95f8d8bd96e350e394ddf7e6a81383394296

SHA256
fa197c520bf798a795e25b80708ea6f9b653114297cf00a7a5f6d92cd804d9e2

SHA512
c14ca1030aed0946079af4eccf276e10b19bf01aaa5a979edba1c607803b86786d02a709c11bc50d9357a00c36c0c0b3dd24c892dbfaf62bb494274886b35994

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
265KB

MD5
acfc0538ee5dd6b8e4d76329db7ee8e2

SHA1
caf33eb01d1b920d42746d44d5540bd1c5d5e36b

SHA256
4f2635f9af9bea1432b65d5f66100b66ea3d6f6af1aa7d87296de0e10c2ed4eb

SHA512
42508c1c59ecc24bb2bda03f59a0e4ab5c64b4bb9a79f8c80dd927b12629f570d736d7588e66510be3a0e6d76613f132f5c7eab3bac12b508503863bca6c7341

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
265KB

MD5
9782487a34e916a39262e6de1f2c9321

SHA1
f131a12278700eecb510f9d5dc443361ff0f8dd3

SHA256
b5db05e2d418bb7715f73e18d384dc979dc70704b5b38776bc926f7258f907a0

SHA512
d454612478e80f3a7ff2649e9c681cbd08f416fe8548e74e91b833fd0e4b0b05f72a92c96eb0119ec5c8ef1b7cde3a48e4d7e110ace2d84f5091aaae103d3787

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
265KB

MD5
11cfaf669efd8cfe9d74e68c98a1f1f3

SHA1
cda05d163b5e0f9eac6af6cd4e45b263b6e0b925

SHA256
8d70d43f58aedeb51ad18f137ed893af01c2b78205d60e0255e0b33ec484eb78

SHA512
846fbb8c4cbd5b8385d9947e00dc034af0ad36a0116b420abe7753d9c145210183f2e7aac82319d1bdad74e257c0e0fe9f20254300e7f37176ff57addb3cc91f

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
265KB

MD5
0e7508e88a0d07d8311dd3c7fa051b5c

SHA1
d25455ecd07eff953179cb1ee369819e50fc0af8

SHA256
36e20f5a3483220f5ed9a338e9572d22078f1422db73ec2dfe8147b0e22436fa

SHA512
e1f570a0e6b1427a55b297d32f6f064ba6be8aac68c9dd6d2716f12d0f8b8565de7d9a561bbb5c3d8ff715c0d3f593840013bdf28275d140aa5171249e5f43c6

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
265KB

MD5
55f02ae824ad4f8a8f4100d43a9ca256

SHA1
9bf8892af82c968cc9179fbeb8f0aeba7bcef290

SHA256
da622aa9c67b489a329953149f071b095828f1838a8c957eb7d0a492a0bbb64d

SHA512
19ac9de89f6d93b53f3a4fde9d4487c6bd0b5f31283bdefc5f0d0e9af75cac883d792e781d12e2baf65fa7265336e12479cce80be1363cba1f182ed3b203829a

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
265KB

MD5
aeb022260f6a1aff369085de239de073

SHA1
95203765f15113ed6463edd1a47273202c994f22

SHA256
3344c7604b804829b2005cbe663175b68ab0dfd0fc693bc636bf0d672feb0dfd

SHA512
0b10de328043fb2d010cf489e6eb052327987b61042e78228a08aad87f5d326ade58a8e8b8291d15a1abdd770f8eae7008854baa2c899e9c80188cfcbaea9a68

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
265KB

MD5
0d6c3de4cac868019d349905ceec8fa3

SHA1
51d13f013136348b18d28c36228471b15097890c

SHA256
7ef87799ae0f59ef9965ad7b9ce6b0c09d85bf891e3ea9f01b9eb472a3246be8

SHA512
4c1b7d564e04c19252bfb327161c25750ec05266aae15093b8a173ca4da7cc3eb05bf896f951a9acd3234a3b394226f4870d99e73a29818595160c9a4515a92e

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
265KB

MD5
219d3cecd751d796a2f2b3135e39f786

SHA1
1a89a514eb1a6bd2ea73a0ba4e5c03f0bc0909e3

SHA256
7484217020d6a55895015a621e320a0083b36484d24cd8b9dcaaa61bae9059b8

SHA512
b7100713bcce8376c9029d5587a0ba5801ad5e3973a197b4f38809564831514174c60f04e976739ba896e40aed1d565c7fbcea7edacb4578a18308af3c216ec2

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
265KB

MD5
e9cb5983230dd2b55dc7959d345749b3

SHA1
497fe22187b3725a473e89a6665afe01411513f4

SHA256
86fa2aff721ec0f0df4873c3d96fd1c0e0ba1dba9499b8d0259d1c05c63c4dc7

SHA512
ff4e6d79f752acda80186f2b5d075f5f3fdace81c245a11f27ac739448dcfe22c4d7742e61652cc26b8832f8aac2297cf2767daa5aeb7af54d90ebc860e45173

Download Submit
memory/384-670-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/384-272-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/436-176-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/440-541-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/440-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/452-80-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/456-136-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/468-260-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/548-159-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/732-562-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/732-23-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/752-344-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/760-487-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/772-229-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/848-368-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/856-451-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/932-499-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1092-457-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1120-168-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1140-189-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1204-386-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1304-128-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1464-332-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1560-87-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1624-284-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1624-665-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1672-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1800-588-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1800-517-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1864-237-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1900-204-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2096-415-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2128-40-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2128-571-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2148-245-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2156-326-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2176-427-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2216-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2216-555-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2312-563-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2312-574-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2324-569-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2324-31-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2340-715-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2340-95-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-570-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2384-575-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-403-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2480-226-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2516-529-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-439-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2716-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-380-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2848-505-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2896-290-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2900-556-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2900-578-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2920-549-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2920-583-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2928-253-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2932-71-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2968-469-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3088-214-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3112-397-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3140-511-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3180-687-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3248-103-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3248-714-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3384-143-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3400-120-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3504-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3568-362-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3652-296-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3660-338-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3728-302-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3788-320-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3956-445-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3976-278-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3984-308-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3984-658-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4104-350-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4220-582-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4220-535-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4304-63-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4340-433-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4368-523-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4368-586-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4372-475-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4384-542-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4384-580-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4388-463-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4512-266-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4592-481-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4708-356-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4712-314-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4748-409-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4956-421-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4964-493-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5000-374-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5040-548-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5040-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/5068-112-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads