berbew | dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe
Size

89KB
MD5

e3c210429c52695cacac595baade4280
SHA1

06aa04bc37054435dbd1ad42cd3c81f22633f160
SHA256

dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992
SHA512

a51d145d32169ade0f96e6fc08e5e9a7c298c363c1ff38e7971c9404435cc53b956f5c505cc50af41e1a8d94236a9224d13e4fab6d20c718cc4bb634a1c5760f
SSDEEP

1536:OoOLUORUnDkL+rHNrmu6pPCMnRIH+Pcl1i9hnWdxRQjD68a+VMKKTRVGFtUhQfRB:tCOnDkLI5MnaHJlg9A/eir4MKy3G7UEn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1616	Nnneknob.exe
5052	Ndhmhh32.exe
3308	Nckndeni.exe
4952	Nfjjppmm.exe
4284	Njefqo32.exe
4584	Olcbmj32.exe
2252	Oponmilc.exe
3016	Odkjng32.exe
1224	Ogifjcdp.exe
3228	Ojgbfocc.exe
2376	Oncofm32.exe
3836	Olfobjbg.exe
4400	Ocpgod32.exe
3740	Ofnckp32.exe
4224	Oneklm32.exe
4376	Odocigqg.exe
216	Ognpebpj.exe
1844	Ofqpqo32.exe
4676	Olkhmi32.exe
3996	Oqfdnhfk.exe
1660	Ocdqjceo.exe
3976	Ofcmfodb.exe
1140	Ojoign32.exe
4476	Olmeci32.exe
1988	Oddmdf32.exe
1124	Ogbipa32.exe
4052	Pnlaml32.exe
1516	Pqknig32.exe
2000	Pcijeb32.exe
4420	Pfhfan32.exe
4264	Pnonbk32.exe
2428	Pggbkagp.exe
4208	Pjeoglgc.exe
4384	Pmdkch32.exe
2440	Pqpgdfnp.exe
3956	Pdkcde32.exe
3312	Pgioqq32.exe
4044	Pflplnlg.exe
4868	Pncgmkmj.exe
400	Pmfhig32.exe
5068	Pdmpje32.exe
2264	Pgllfp32.exe
860	Pfolbmje.exe
2520	Pnfdcjkg.exe
2072	Pmidog32.exe
3464	Pdpmpdbd.exe
2604	Pgnilpah.exe
4372	Pfaigm32.exe
3304	Pjmehkqk.exe
4672	Qmkadgpo.exe
2012	Qqfmde32.exe
3968	Qceiaa32.exe
2188	Qgqeappe.exe
1952	Qjoankoi.exe
2420	Qqijje32.exe
2148	Qddfkd32.exe
4076	Qcgffqei.exe
4000	Qffbbldm.exe
4920	Ajanck32.exe
5096	Anmjcieo.exe
1584	Aqkgpedc.exe
4060	Adgbpc32.exe
1900	Acjclpcf.exe
4820	Ageolo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Oponmilc.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Ffpmlcim.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6192	7072	WerFault.exe	269

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 1616	3472	dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe	83
PID 3472 wrote to memory of 1616	3472	dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe	83
PID 3472 wrote to memory of 1616	3472	dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe	83
PID 1616 wrote to memory of 5052	1616	Nnneknob.exe	84
PID 1616 wrote to memory of 5052	1616	Nnneknob.exe	84
PID 1616 wrote to memory of 5052	1616	Nnneknob.exe	84
PID 5052 wrote to memory of 3308	5052	Ndhmhh32.exe	85
PID 5052 wrote to memory of 3308	5052	Ndhmhh32.exe	85
PID 5052 wrote to memory of 3308	5052	Ndhmhh32.exe	85
PID 3308 wrote to memory of 4952	3308	Nckndeni.exe	86
PID 3308 wrote to memory of 4952	3308	Nckndeni.exe	86
PID 3308 wrote to memory of 4952	3308	Nckndeni.exe	86
PID 4952 wrote to memory of 4284	4952	Nfjjppmm.exe	87
PID 4952 wrote to memory of 4284	4952	Nfjjppmm.exe	87
PID 4952 wrote to memory of 4284	4952	Nfjjppmm.exe	87
PID 4284 wrote to memory of 4584	4284	Njefqo32.exe	88
PID 4284 wrote to memory of 4584	4284	Njefqo32.exe	88
PID 4284 wrote to memory of 4584	4284	Njefqo32.exe	88
PID 4584 wrote to memory of 2252	4584	Olcbmj32.exe	89
PID 4584 wrote to memory of 2252	4584	Olcbmj32.exe	89
PID 4584 wrote to memory of 2252	4584	Olcbmj32.exe	89
PID 2252 wrote to memory of 3016	2252	Oponmilc.exe	90
PID 2252 wrote to memory of 3016	2252	Oponmilc.exe	90
PID 2252 wrote to memory of 3016	2252	Oponmilc.exe	90
PID 3016 wrote to memory of 1224	3016	Odkjng32.exe	91
PID 3016 wrote to memory of 1224	3016	Odkjng32.exe	91
PID 3016 wrote to memory of 1224	3016	Odkjng32.exe	91
PID 1224 wrote to memory of 3228	1224	Ogifjcdp.exe	92
PID 1224 wrote to memory of 3228	1224	Ogifjcdp.exe	92
PID 1224 wrote to memory of 3228	1224	Ogifjcdp.exe	92
PID 3228 wrote to memory of 2376	3228	Ojgbfocc.exe	93
PID 3228 wrote to memory of 2376	3228	Ojgbfocc.exe	93
PID 3228 wrote to memory of 2376	3228	Ojgbfocc.exe	93
PID 2376 wrote to memory of 3836	2376	Oncofm32.exe	94
PID 2376 wrote to memory of 3836	2376	Oncofm32.exe	94
PID 2376 wrote to memory of 3836	2376	Oncofm32.exe	94
PID 3836 wrote to memory of 4400	3836	Olfobjbg.exe	95
PID 3836 wrote to memory of 4400	3836	Olfobjbg.exe	95
PID 3836 wrote to memory of 4400	3836	Olfobjbg.exe	95
PID 4400 wrote to memory of 3740	4400	Ocpgod32.exe	96
PID 4400 wrote to memory of 3740	4400	Ocpgod32.exe	96
PID 4400 wrote to memory of 3740	4400	Ocpgod32.exe	96
PID 3740 wrote to memory of 4224	3740	Ofnckp32.exe	97
PID 3740 wrote to memory of 4224	3740	Ofnckp32.exe	97
PID 3740 wrote to memory of 4224	3740	Ofnckp32.exe	97
PID 4224 wrote to memory of 4376	4224	Oneklm32.exe	98
PID 4224 wrote to memory of 4376	4224	Oneklm32.exe	98
PID 4224 wrote to memory of 4376	4224	Oneklm32.exe	98
PID 4376 wrote to memory of 216	4376	Odocigqg.exe	99
PID 4376 wrote to memory of 216	4376	Odocigqg.exe	99
PID 4376 wrote to memory of 216	4376	Odocigqg.exe	99
PID 216 wrote to memory of 1844	216	Ognpebpj.exe	100
PID 216 wrote to memory of 1844	216	Ognpebpj.exe	100
PID 216 wrote to memory of 1844	216	Ognpebpj.exe	100
PID 1844 wrote to memory of 4676	1844	Ofqpqo32.exe	101
PID 1844 wrote to memory of 4676	1844	Ofqpqo32.exe	101
PID 1844 wrote to memory of 4676	1844	Ofqpqo32.exe	101
PID 4676 wrote to memory of 3996	4676	Olkhmi32.exe	102
PID 4676 wrote to memory of 3996	4676	Olkhmi32.exe	102
PID 4676 wrote to memory of 3996	4676	Olkhmi32.exe	102
PID 3996 wrote to memory of 1660	3996	Oqfdnhfk.exe	103
PID 3996 wrote to memory of 1660	3996	Oqfdnhfk.exe	103
PID 3996 wrote to memory of 1660	3996	Oqfdnhfk.exe	103
PID 1660 wrote to memory of 3976	1660	Ocdqjceo.exe	104

C:\Users\Admin\AppData\Local\Temp\dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe
"C:\Users\Admin\AppData\Local\Temp\dc116922c485ee4c20973232bc9cf0e0506700cf47be1a0c9b8c9aca18d3e992.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Nnneknob.exe
  C:\Windows\system32\Nnneknob.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Ndhmhh32.exe
    C:\Windows\system32\Ndhmhh32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\Nckndeni.exe
      C:\Windows\system32\Nckndeni.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        26⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        28⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        33⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        34⤵
        Executes dropped EXE
        
        PID:4208
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        37⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        39⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        43⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        46⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        51⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        54⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        56⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        64⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        66⤵
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        67⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        69⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        74⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        75⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        77⤵
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2728
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        80⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        81⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        85⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        87⤵
        
        PID:836
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4736
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        93⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        95⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        96⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        100⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        101⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        103⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        105⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        107⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        108⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        110⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:5668
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        112⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5776
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        116⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        118⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        121⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        122⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        126⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        128⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        129⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        131⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        133⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        136⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        137⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6108
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        138⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        139⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        143⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        144⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        147⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        149⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        150⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        152⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        155⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        157⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        160⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        161⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        165⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:6164
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:6208
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        168⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        169⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        170⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        171⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6428
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        173⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        174⤵
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6548
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        176⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6628
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        178⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        179⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6716
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        181⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:6896
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6940
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        185⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        187⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 408
        188⤵
        Program crash
        
        PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7072 -ip 7072
1⤵
PID:7136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ambgef32.exe

Filesize
89KB

MD5
16e022b10458fcbdbd0379ebe4e37492

SHA1
2c96b369cf4b1c7cbeedaa480cc520e8f232b638

SHA256
4df5d8119dd7d8645aa1fa5e010e9ff713607370584f280313eba1962c828ba5

SHA512
3eb7dadbc498257c06b930b7e5d191b236587ae6077c351c03ef9eade85a2d24c748286f65692f0e5fc09c85b54d8d80f84e797c7e0d16290e9b43edeadfb5f2

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
89KB

MD5
de58af9de95f327fb22a7f4be3ea2f2b

SHA1
a19e48e3bb707c612125bee137a36a68e58c3a87

SHA256
880bbe8052cd1e1954aff93b5c2626bd73a5fb48a1b88d2ef5c77bc5747c973a

SHA512
f41b173f6847b941ffb5a0d6e9bc3ca2ee697a9d1205120719f2040367e11d4e04384fa79ae6202df82f14644111839fd85a67eab39c74d9fffab55ee8597b8d

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
89KB

MD5
4da403c1e017c4400b783e76c63c2b8f

SHA1
42affc7b7851405d7b171083472ce1bedd74169b

SHA256
309218924e4b8ef148aa3842b5279af7c9a2437a1f9570455f38909fe4dc89cf

SHA512
7c794ea3df154e6e77d0935c07c2151a259389893f1f9af38430996f67d84a0862031ad80b75d8264aeb490f1f5e66dd95ea0945b5282824ca29c256412618cb

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
21569d7f36251fb8a72aa4b52a4c5cf2

SHA1
8cd00a10b98b9e36028463555349c060150c8d5c

SHA256
4e27138a8c0ea48fb1eaf519e2d7b5c715a50e4535e3a87d4f569a545cb02324

SHA512
98261050f969c8bdf209816c82e59d8c0ed32e5b1d76851b0e3ed20b59b124bf866bd10b0fc773ea3748de38ab57f8b500267bec9d9ca5436daf85bcd9277962

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
89KB

MD5
d3fb4a6c3a4626fdbffca81663e2c317

SHA1
3ce3d5a54794e750c53941c117cf22dc7ca14da7

SHA256
f42e3a1cf2f762231851398c2fd1cb9b32442bbae52625005c1b6f3685bd7755

SHA512
c5747aa03c7ad81766aceb13f3c9566a405054945370936f99117cebc0faa1331069c33493930850b58d9c67d3c86ed717f910c62dc2eb98afe898e064e7e9fe

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
89KB

MD5
d4de77f560dd07255c3ef6db716ca635

SHA1
813470395ebd68ef42d1cbe78e6381159faf2adb

SHA256
f7573c56137162f5df4f4cafd4f95afa479e444f543c7e395092ab068ccff375

SHA512
bb1e5cb49c4d438e4dfbf6fc59cb68851e8e7fccf52041129b40c110269fb03e474283cb5edabdeac41977a3c5a60bdf3ca5fb77947101cea181adb4af09652f

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
89KB

MD5
44a25f09d634ce1429f0bfbbed69d580

SHA1
071b57810e45ef36eab0d0a232617cd55eeb6f7e

SHA256
fc119e363e952529d95886fb1890262d507a82c634b864e0315c763c72e92886

SHA512
5dffd508447251d7661a9161b4a690c6455fb4e391935834a41971ec05832db48f322c17fdefb8e03c4afdd5ed182066a28fdcb0ddc6fc391156eecb3e163bfd

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
89KB

MD5
3ecc762311b843df4c3245d8cdba8f05

SHA1
bf3bff4bd047abab20b5874b7c7151d13e335662

SHA256
a5f9bb784b98556ef1cd76987edf4656ba4d69ff0fd63315c619326dc461c169

SHA512
26c5d9eaa98700f1147560dfc2ac30cb8bb80c854be1e80661a097e16cc4fe7a36da8b35dca237554e8ce1f62637de3b955ca0a77fc6f65f186b6a675db6e6c5

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
9a7261e73d23fafcb3e5642996ff4976

SHA1
e3dc93d800979a6cebf6ea934e9f7d360078fdb6

SHA256
25eaa1be277e6816f38ebf073f0fed9963194937d549ac8d428afb48b052a787

SHA512
7b9c32c0e5cc5edeb066b7375e721013727b7a1d70e254d1ab806328689da137c150ce00b65c70a2167841cd3f8131d209a3bbf9deb51c1cd2e87ad4e5143299

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
89KB

MD5
9ac23d08081171c4183271abeddf8cbf

SHA1
a9ab4f3eed3b84a1d249241b61ae004f9f8c57ef

SHA256
4dedbb465f55c75194291cb49fdb94730f7b1981cca50dfe459a142b18b3b0af

SHA512
819575e833f6f7e40cc00f516d4519604d8155c2b97a74774b53117c7b1bae04233a9ca6718d73836272b9c91de937fa28ede126fcd21ce63279cf3fd5bca2d3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
89KB

MD5
bf1f0d6e93bb7a5505647bcb59500ded

SHA1
120913f8ffc5a39f856234449fd47bc68017f8d7

SHA256
165c3bc84b73df7c6da803cdb3cdf77d737edbf86da14eba1f8e17e83ed7dc3d

SHA512
d4df2c3fecf666b44dd5fd9d1d3e5f70d2b7c0c2192e61b40cd4d95e080fe390a1eb91d1b23cb6a3810a82d44474967ab05a4930f851199fd7a254a5efa75c50

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
89KB

MD5
9a0824ce304987ecf472ec20a044c2da

SHA1
39f8bc887d50fca4547ab4c74b23c4f48be20b2a

SHA256
b6bb17f8667ff24e7a34e36bcaba3b8ba5456d622ffafc40485d77698b271bf0

SHA512
2c577b7f61ad4549baea60c48f076c029b3e5ff6195d6ba4347cd7b05525a24c146172d09474011b416c74d343306867bf5e1c68ff99d55b955d21efdc4dbab4

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
89KB

MD5
df0acc8dc4c9e88fe9ef358ff0103faa

SHA1
463e432b41ac7f98fdecf90edc707beb757e067b

SHA256
91fa2ed1456dd3c76ac85c5a92a3fa4aaf148de0a866b5c5f9379307aa360f17

SHA512
36d4941833834706f4261f43b58b1c05adb219af60c0f62c98164099fce230ae714b66a12a57fe56a883b90d3ae068d25455d958c404e406abd46eb339e0f313

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
89KB

MD5
628883e41d767487724a0eb7999f44da

SHA1
cddab4d1fe4e91604fa03de499dec8c1527d08d7

SHA256
cb49142420b09d6ad7ada41cad3811b2fa46e6947925b5f0c8666ae71d2862c3

SHA512
d04657d7e6c2bea5ae4fa259aa16a9b49a1ca6852b299842991ed05b43ec6576296f9b655f13138747fa73779b7364a5c2f01623f400cdc2d5b537ae85030b21

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
89KB

MD5
1abfaf8f373558ef215333e1b93a353e

SHA1
5b56147870520592903344f0992c9c06d57c05d0

SHA256
21769fab93431a3c36acf7eabfc37cb588bf46304a35b64ef2111c3968471e6d

SHA512
cecef97ef65ee16312ac592c484ca729151cbb6be46c8a3839e52bbc77c9766c96b56592823f700a6b652a37dcf59e17d6d0b4e5f5056464688033780f78a963

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
89KB

MD5
68297c7a293f67b87919e872bb962fdd

SHA1
60a3bb527a0f0b16580598073f52a447ef4d24bf

SHA256
701fa56ae914f6776be0a725c7da6b8edba390e4e0401fb20cdb667a3ae1ebae

SHA512
ab53c58ac57a0d06ac4d385e2bf3ecdc3a8c42c87b432bd28785d5d3fd20539128a41c43596d68c7023900abcb977ed5ac5cb3e9f72366cd4f92a1ef034e3695

Download Submit
C:\Windows\SysWOW64\Jdeflhhf.dll

Filesize
7KB

MD5
fe02b8ac6fc55a6fa3046ec222ef9fb3

SHA1
d7014278f73bd0a29d1c32ac6b15fd92166a87ca

SHA256
4d860271ea25e4dcb54ea7251ebdb9e6c175c1c4846944f4ed4cae6df1c76ca4

SHA512
c174de31e2baef6755191dbeab305107e39eb3800431b0577430ac57f9cb2f5e4e4d3268e92083da761d314df4204b41b532784e5e453b3e552161a7fd162c51

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
89KB

MD5
887e7ad78b0037138ffd194479562bac

SHA1
156b85f6a25e6c9ba7c731064f3e98fc162f0b0a

SHA256
b727f042eb3e356bf67e7878688738849822dddb154ed9ec821c7602991a3305

SHA512
a67e84d131433bb4617ac2eeeb0bbef6399744d1ed8048fc811aa75c67f6beea047256bf9eb1ba2b981359bf49a9f08b154c8046bda3a67eb2b2e95e96a30d13

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
89KB

MD5
5c48f466c7f13c4d5d5872f8a395d1ab

SHA1
edf456879a530279a5e124ddf1ee11d4e3cd52a9

SHA256
a896d64df4432880edd5a0a30b11ac69dde5bbb306f4101738cf7af5abb1bca5

SHA512
9198ae13a583624a71f4706fedc73b4f5e0ca5107a65ea9d0cff9e7010f4e203df1938d6b9038f3f9f3a16f38b207997a719ba18a6ab2a94764f7ae0268243a3

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
89KB

MD5
95ea434ad1be36e67f8f9b918a0e7fc1

SHA1
72359216389bbef793af1687dbd79feda1397129

SHA256
c10f0ea157e2f902d78dcb495715db67ec70a8682f2b9f0d5377094412fc185b

SHA512
97e8a846d3a5bb7b71e0a6f802fb527145f4aaff9a490461f58fafacc00be91b107b7ce87ef92af5e3ad67cd205c9d7d2b8b457b8704dea0102500be6195f361

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
89KB

MD5
be6f8d6a966c594e92d69f3c2e3784d4

SHA1
e621949550e42305bd6bfb8932aadc025b771c31

SHA256
803e7adc0a684a97c55b79c3e5b9ca688188325fccdd9dd1393cb9ff26842b58

SHA512
c1c772b321b01c777fe0550cd3654895b1175159be8757de80956270b793eec644dba7d9f06b10e0234108f5e1b47aea2b08c86e4e00c137fb4a75a9f4f5bae7

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
89KB

MD5
1377feda93748837e7e115978021e8b5

SHA1
1bd5b3fd51583ca463391a62afba7570ddef2476

SHA256
15801fe9475fcbcd977b7bb2532cf32c6891f27c6c199a39eeec7a3758498eb9

SHA512
c283d5e1b2b981a2149d420b2279cd9133915cb364babcfb8517e75157cb962d6688cc71a3ebfbbf45205e727bfd899f9993e6c94d32a909effc128f2e08d88f

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
89KB

MD5
5b5d98be192155dd795069262d960aac

SHA1
4361b65080eedfce3191af74ec479ef916858072

SHA256
b32d33baf789179c8050713d1c36a52f68bd526174c4225782fea9a3ae1da0a9

SHA512
7fca565d02a63d423ada796efa4d2e2466d39ed1ab811f16e622976bc580675111e056832d253b1f12b01a6c57ac6ed66ff3c3c1ea9708313724036da4754f25

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
89KB

MD5
f282aa83e7fe5c55928953cf841096f5

SHA1
9e8422cefb512a6e684aacc875d92c657f737e29

SHA256
9f35c2cc5ae6fceabd8dbe9b0ed216d4e7e410ba94721b61813fb94029ccd3a3

SHA512
84c58a28e2e3075c123cea98d5369109fc6db15c50ea82fa31b24d25cd57992c255de33c39aa6af7586d879e852aefedff5bea8293012ad5471a710a4bade04c

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
89KB

MD5
908e402a77974035479501f217a89e34

SHA1
11a55d193ab473931e37d3b1e114a3d0d84ace4f

SHA256
64aa129215f3e13f42b08cff81bec47823af3556e97e6808c24090233130355d

SHA512
6e1d093bc98b27409b4beaa45e6c64f50e11d4829f718713e169ad027fc16fadf12d35d00f8ff1ba3eb5fd7a3230d1c9b05b35109eb54546acde729613e89bf2

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
89KB

MD5
9ea5842b12a1ba3a2b3c8f0765e2dd64

SHA1
e34277e970be7a04f656aa20e1f8b8da809bbca1

SHA256
42de2afbed59597cf9a02df8ef05b3ba8040052da919c87c1d1ef29c92b6179d

SHA512
ebecac9e9daf55c7aa711bdae0887eaddb25b3f60196b00e48648694abcf667ac5d40f13febe1e88974043ef8119f242bead43b0313a102bf8bb4bd3dfa0fa7d

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
89KB

MD5
6393200298d0bcd24a94abf668c66200

SHA1
681b6a92596f533c0cfd74be74ba1800746cf51d

SHA256
54deec6f8742b9205060df3a04aeb03f3607a33843d0a9d4f3a5c23ce43cec07

SHA512
c813985d0f89c4c182cac53ec23b2f4bb4d214e077c028587409a6c3e516d7081fb69da9bc4148a379cdb48dd3bc8b60617854a23b519977cd086f4ba2d612c9

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
89KB

MD5
c0b085f658143240c21d6120a8e024fb

SHA1
c72362a0022ee21f4e103f92f3e0ae4e8ca3a2ad

SHA256
e62194ce20f87e2cb164a85e9155651885908ca505be2db51289541d23c86fdf

SHA512
45ce7e39073c63bbea6034744c6ed25fa1cd04eed042cacb1d434a566b27c7077300c977ed72a54f5b8111024c0cf559028875399c8f71fcb7d16a6edc0421a5

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
89KB

MD5
b67ad119fce168baa3161216a2cf6937

SHA1
a8d33c17188905b5089a6eadcbf1efec8a3f4912

SHA256
8d07176f3ca811e4bd818a2cb390e4f4c634385415d7fa6f4c9d8f0845972305

SHA512
ca600c53b4936584e7eed5e953257df3008a32f19d0324b210200d49aa4a547d06d99b2d6e998392eb441dc757f4f6a3a1fcc141cee305c30647b4b8677f2adc

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
89KB

MD5
b60a57ed55409a26c4b7859ffb918277

SHA1
7ed5aba545a84abfc81ab04a80c4505a38bfe740

SHA256
eacc22563c22a49708f07db67e3d45aafce3eaf97dce56b4e8fe380482c493b8

SHA512
2a17e2fd36723a4539418f52c3aa4678dd7d71775eb558199a24698d5497fb395edead7de546a30039c80b0439e73ab762a792151703deb940111f42bfd3f1ae

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
89KB

MD5
f11c59400ea69c98b24dd7e51f5aa9f1

SHA1
de41986633023279a92a8e7ca1314a916a05b2d2

SHA256
278024a0d010045ebc2efeb74e4d6000fd6a8c0868a633ed6dbdd76eb43b1037

SHA512
e3ce80b7f1d7edd85f1bd88ae6b347eb64ceccd561b845920dec1dae94d7b253c504a07ab32abbebc952d4e5aec3d7576c1e03236892c47a837d97f4773b9b10

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
89KB

MD5
b04c877db92febf4d7c98fdb1df08dee

SHA1
0b3918e5deb84d5c08a2dd19e726fbdc8f9307b6

SHA256
535fa9da35d63f7fd36dede5e7808e380f79b99b1a8f6eddf259f2ad69fc351d

SHA512
97ac86afe0617a151bd96b7a200058b895e93ac7d12c843c58a247527f3fbb1e4a40e7ba057c9540e291f6eeaa64464087f7d2af880e9c781bc1d16a30f23621

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
89KB

MD5
6ab45ccb1c312408bd8bce30e7d35a9e

SHA1
bcec8d5034d842d242b8b56c6f8213cf8e1860d0

SHA256
a40672b1e9597e2455ad18f5465204c392a61d6604c7c00a4692606d718aaa29

SHA512
247512e1624b99a48c894af9b0948a552fef852d6fbafe554a899cd07bb41a95fd109beb7be30defc6b1344d718d05f6e1c5eea3087cc4569bdd7c690f557f0d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
89KB

MD5
72b5e6be8521f0e8fd25a85ddd6f33c0

SHA1
952f830ceec582666a80dcccb238de91fe86a836

SHA256
8dd9b832778dc5132d456a47ab6678e50e4d9e9e5cdec1a761d830f1f88993d1

SHA512
09dc5a86b7b413db5f3a28f3bc208941ce26981e446466ef10a3edf287aa50cc618d69b3e6958da92d3c264af96618ebb31046322a6985bb636d193f2b837a5e

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
89KB

MD5
5891fcdf1b285078c59c9b0d862dd293

SHA1
2afbb3153ccd5ecb98549d3e1b6571ed31bdbc36

SHA256
6a8e22d708b7d680d98f8533e434571a8deb6df3ee8f37ece3527ea44cb314bc

SHA512
85f44ad47efea2e51fc32b92d89c9e7c2afa48465630520eef084e5ca41de5c42f587c40026c35952867f06a3eb416a0aadc26bcb3d1ca3f3497232770ba2c86

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
54ff54c36ae860735081e11d9d790c77

SHA1
f2ae4f8e26d1c664e7d4f5d18a16dded143d9aed

SHA256
976f4fda109a1a2172b44e53c8eb6972f701da03ddafd82daa692cbcff4cd56e

SHA512
06c23a08e41fbdc59d98792c948fc71d7803307def29f900f5e3b17d3935ad91433252d1ada0efdff347e07431e9fb56c71cee48208066cd19472db9ede4fe01

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
89KB

MD5
0c23e6b8aa9a0390276c8204dc5d47db

SHA1
b5eec80b8eeca64d5646f21e4442eb37ae9c1bcb

SHA256
89fcd7b3053b1ff520aad8b919011679eb9f814567ee18f5c620ba3e4c946987

SHA512
6e39c3a24841c1f9fa1c8922fd6fc5465264fff3a7332cb8ccc5e5397fe51ce6d901521bf1d7a3d919972f22ab765c0df5fc4686cd5672aa1eb3fdb3df6b93e4

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
89KB

MD5
1f6be193a74cac0bcdba3fa10db5aca4

SHA1
29742715978c3f32fa43f799e15772a5d1f49400

SHA256
cf12db5b9677b9fd77a0a47647f15d277bb046297c6530a33287282a7d17a9ef

SHA512
714b02c39cf7e53cefd8cdb8a89ce2f75732cdbd174a0d429f4d72ffe1c0f667f59bd4d42b68783337136fea182a67b5ae7dbf07f2cf53beca265256415d0443

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
89KB

MD5
ddae0e7e42e7e46b9c19f97051f1a7d3

SHA1
1e38255982eb680f322972d488b9b3c7d07870a2

SHA256
de497127c48fb97629e2f37a8ac4659a6e34d739b3ac84fb8c5a4af982b216f1

SHA512
517d748afd8defd36dfd34955b0b5e670fb613db63bf9357f9d5d6fad0f5c73f5a642790e3bff3612fd1cbf9efdd3c1197918f94a286511a904e9acf91cbeae6

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
89KB

MD5
6b1bbe6938e233528c6bfa64d4e96c2e

SHA1
ede8ea62419c88f579f1e854e17f62ab3bf11d9d

SHA256
901786620114cdfd44c1cfc84e4e89a9ab217253f12d9fcf32ba6b3b93e68ed3

SHA512
69209e3f76a8a0ae85adf3cfe076dc579495d90d77125feb0108e231db68de13d1dcdb55a1bb052002df6cfbd34c13588e53aebdf221a857a8ce65c57d62f7a5

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
89KB

MD5
4f51084c6eba800b7c595fc51336c871

SHA1
0e4dd445881dac8450580b06143f1aa4689ea58d

SHA256
c7feb111a097cc36e55fe1ea3a029e4827493c59b854039358422f5825e43eee

SHA512
493ca95173c902b22c231dec76e0e135d5d70aa66b4dc9321e2f263104af695042c39605000975af95aa0a410f6d0cbdc40839ba0297b4e05688881d23b024b2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
89KB

MD5
a9c8cfb4305cebe909f0610edca44711

SHA1
a474ba896e9261f3db7dd25e9a0751a84c5975be

SHA256
2e60b32a08851f2a275a953a5373e4e5b64d75385b78247e1de218bed50bbd41

SHA512
f2ee9d7ef616b0c93e5309dd0a9095c9ea2d611ceae7aa0832977eb3334668d1236d9703d8f88eacbc122b427707e256e2f0772d4378509476d0f9f750feb04c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
89KB

MD5
2d1b827a7c69350abcdc5d78d2fee23b

SHA1
a7f4d8f64932267ef652f4d89ae8a0261fe76bb3

SHA256
192d7875a882a1cd56695c28eafd2526fe264383caff3a5ba202b5c0e1708d65

SHA512
ff803e9784ac097a2418fb0aedefa3a134e13fdcc70bd95c701ffc6f82b42dbfc0e5f582070251a0219224a7ec8334f4d99104e41ab7706bbe3674caf84a39bd

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
89KB

MD5
d5eea9c0a4900c402e9a10f1ed2d2192

SHA1
668bb8ca58b35863d6533a831497fd56581309a1

SHA256
76ad0d76b4030a7d043e44e8d62b13d42aa2f77b2fa4883ab182f9f369ba572d

SHA512
16cf8924fc3ac8ce7d99ee2fe72f90733e6d92dcce366308f3724ab580b60ae71ad53cb826e4b4e96a08c8ab7f63ff3b8551104e77f6b1417641e351ffc642cb

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
89KB

MD5
239abc2f71e7af86d86ddc6f88878d3a

SHA1
fe834f55d511386718f77a19f07644ad2d66b8ee

SHA256
77500590f3c78ccfc310f8e5709ef1c86033362d49420fe541ed237b99c7d8ac

SHA512
71de84546e1a38581b8c7c39c1b9425ec6d6d5c1e105e6dddc2bef334db3850b2845a4ae2ee0eb7364d12309772fca252ffec4e889716f34cd7fb46cbc72b088

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
89KB

MD5
d04dc7a58faf7dbe1b145a0b28f90499

SHA1
b7e1e0e7aa3636ce9809926cf8b475d747291fb9

SHA256
b5a870bc4218c8727b7d4606d5232f986f41ab3077d1a1ab4c081ff988bd8154

SHA512
8d7813613e2323b0303fc99918ee100d4f6c1985fa5acf629f4891705b269ff338dc18b1c30b5e652e63771e4c88b2142e8f612d1198673bfa5850fd1556dee9

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
89KB

MD5
81fb036b6a959b2c7b201ac87f0fe2ce

SHA1
716015ccca46291c7845e24cb45a2ad98c399b2b

SHA256
3d1abe4a83e516cce0abdb100f174e28e5371b1d4062aee3963306a111771b7e

SHA512
ab22e37a65d83cafad635fa32844e7f69d9afac353489638f49b1e6dde9add12b4c43b0d25f901b79e45453d16124102ef86d558f5d95e69c8eec12ba5ae5154

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
89KB

MD5
963b9a8d2b185b8c4c8cfe1e3a9f5296

SHA1
9d1bb23769f4daf4dd77010dd5850e0a33af59bc

SHA256
7bb07154398982d1448a6c085d001ff8d7c56a6c47778f2240d94f78e2588bba

SHA512
c887b79e00b72b000823b298a5e6a5dcc1cec8f3faf163eb8d460b1b35781339fe0e4ba760415b0bbb3a51cedc08c207b9710598aabb1c917869ea2c0b6ec1c1

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
89KB

MD5
c42114c256d758f9b3b703b2791802d6

SHA1
c4f3b11986bc288bea46288b9fd68202470f21fd

SHA256
aa025160354c4506fca53b8f2cc1d390e7e472106351c0c9c799fb313b1a7f63

SHA512
8dee6b1ab3b739a2438c44ab850f1ea7ce7a9885a5bf03e75b3734cf7dec86c3f9b8c5439cc096167deeecf0181e0e3ac6a50182dadc16e8105c24f737a90b1d

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
89KB

MD5
f9c7cf037dcf75ba39e6ab694ce8c98c

SHA1
5cbaa070d202344446a50f00008086a57075cd0b

SHA256
fd38a58f37a91db4a070301e180d3806dd47f020c1dce192f17cd25868d4b7df

SHA512
c9ff95eee1764f2d2e721503e95caa7f6c3102b1b073fc55471c6148ab931dcbd42a764caaabe6a81b9b72d46e8f6b711bd997223aff833318648df63092e167

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
89KB

MD5
ffe9e5cdafa52ceb22577c703c9cd825

SHA1
a4adf15e83598b370b1fc2704fb4a36d6525e700

SHA256
762762662fa5eb6de457ebc9d973ac26f0ea0fc8def4ad7379f8c6026a4682ee

SHA512
c84132264601c4881a1a4cbc404aa3be51ac06b8ecdbf223e214496d101146e07beb445cf11baef73fb27544b0b6229ee3e73a33490e4f8418175c824e0382f2

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
201cff4f9985ecd22e78782d5be008ba

SHA1
d51ad30e6168413c103f788f0ab6b694da41129e

SHA256
4e0610e3fa0e4f89c2259144322e7332333fe14ffff3208d12f84edcfc32d152

SHA512
2b1c13b83342fbd0889593140aca3533e7e193f41ea3faf115d61e0d4cbe923866f1ac724b3e14a7d901e2c15517c4abbb7a4873538cc5eaf49857b875e19c80

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
89KB

MD5
964b61b040c8e130735c44782db84d1f

SHA1
a88e05a29b8053c28876327f46b87fcedee2a291

SHA256
c6072f9c1c6cba1abefc99858bd94badbc14f5141325851b4ded23ff95fddf1e

SHA512
de0508dcf1c89229fe4d847519fffd7061daa7674cc0563c7eceb47704cef2b887a740ae2691865111ddff54502e39b7b664eb64f769b6fba29b5d000d8560fe

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
89KB

MD5
71b24c8ef0def74557aecaf077b41f12

SHA1
bd3667ce29249dc1a793455cad855d998bbe6102

SHA256
48f4f5c8c24877fdc552e9d3073ddd6da61dc3c0f226a04d6c17a1ede4cf2c0d

SHA512
2044f5282e668cc2230897d31d9a81c7f6c5e1798b226c177e312ea63766c9d15213f55e19dd913e819621b0dae2d4fea6d2719ae29c9f5db514d4e5ef4e72b5

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
89KB

MD5
7e6e77e94aad0cef860ecc5170dc68d4

SHA1
8883c210c5ac7650d8ccb1a69eebd8039e33aedc

SHA256
dc8766d2e9e141e343c45bf17773399d80c76f5f802de77b9a6fe3d116783d86

SHA512
698ccaba599767d3a6cb7a3ca7b3fabefe02584e4e8eec1fb78407307dfec2e802755b5318f6087ceed1fea2837ed35eb18315149981b3ea0ab7188e48b57de5

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
89KB

MD5
e53371210536e1be6c78032321bcf1c4

SHA1
c71dba1647c8132e8fa90084e7acd25f2d728578

SHA256
005976b3bb9cccdc36676bf5fa2fc96ab30303980fd2a710858370daa6552687

SHA512
020ec285c997a8b6e5dbab2b7d0cf5437bca4986f5d844fd8b41e6dfd2c4b17e274e89c35af1eb2b5b846707f68d236f4ae737b7c32f3040745e7bd834c2ad1b

Download Submit
memory/216-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/216-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/860-356-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1660-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2012-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2252-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2252-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2264-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2428-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2440-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3312-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3464-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3740-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3836-99-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3836-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3968-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3996-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4044-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4052-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4224-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4264-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4284-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4376-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4476-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4476-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4672-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4676-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4868-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads