berbew | 25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe
Size

96KB
MD5

386df6be7c832f744506083fff2ee770
SHA1

37da53a67c298d6e7f2352997b1fb97a0366c7ef
SHA256

25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53
SHA512

380b610e68fca7508c3b75e5c7582facd9d45153143956eb4c9a2b116a158095baaf934e9798d501bd63b05a250bb61616dc45e16f3bc104a6b92945a1b45fd1
SSDEEP

1536:hHHAB8TmJ1Rp/7pbtdeMzVNqP129j2LA/BOmsBCMy0QiLiizHNQNdq:hn7TmJ1LptdeoV2A9jT5OmkCMyELiAH9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4376	Nnneknob.exe
4784	Npmagine.exe
4652	Nckndeni.exe
5072	Nnqbanmo.exe
2908	Oponmilc.exe
4244	Ocnjidkf.exe
620	Olfobjbg.exe
4936	Ocpgod32.exe
4496	Ofnckp32.exe
4296	Olhlhjpd.exe
1140	Ocbddc32.exe
872	Ojllan32.exe
876	Oqfdnhfk.exe
624	Olmeci32.exe
3784	Ocgmpccl.exe
1928	Pnlaml32.exe
3488	Pdfjifjo.exe
4940	Pjcbbmif.exe
1052	Pmannhhj.exe
4848	Pggbkagp.exe
4460	Pnakhkol.exe
5088	Pcncpbmd.exe
1432	Pjhlml32.exe
1100	Pqbdjfln.exe
1460	Pfolbmje.exe
4040	Pmidog32.exe
3056	Pcbmka32.exe
2560	Qnhahj32.exe
2516	Qceiaa32.exe
920	Qjoankoi.exe
4888	Qddfkd32.exe
2176	Qgcbgo32.exe
4392	Ajanck32.exe
512	Aqkgpedc.exe
3008	Acjclpcf.exe
4688	Ajckij32.exe
3464	Aeiofcji.exe
3980	Anadoi32.exe
2588	Amddjegd.exe
1380	Agjhgngj.exe
3576	Aabmqd32.exe
2160	Ajkaii32.exe
2456	Aminee32.exe
2060	Accfbokl.exe
3036	Bjmnoi32.exe
4172	Bagflcje.exe
1892	Bebblb32.exe
1280	Bganhm32.exe
4984	Bfdodjhm.exe
2020	Baicac32.exe
2388	Bffkij32.exe
4836	Bmpcfdmg.exe
2988	Bcjlcn32.exe
736	Bjddphlq.exe
2696	Bmbplc32.exe
4312	Beihma32.exe
4600	Bhhdil32.exe
2888	Bnbmefbg.exe
208	Bapiabak.exe
1732	Bcoenmao.exe
4656	Chjaol32.exe
3736	Cndikf32.exe
3776	Cmgjgcgo.exe
2900	Cdabcm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Pkfhoiaf.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4300	4100	WerFault.exe	178

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 4376	4908	25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe	82
PID 4908 wrote to memory of 4376	4908	25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe	82
PID 4908 wrote to memory of 4376	4908	25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe	82
PID 4376 wrote to memory of 4784	4376	Nnneknob.exe	83
PID 4376 wrote to memory of 4784	4376	Nnneknob.exe	83
PID 4376 wrote to memory of 4784	4376	Nnneknob.exe	83
PID 4784 wrote to memory of 4652	4784	Npmagine.exe	84
PID 4784 wrote to memory of 4652	4784	Npmagine.exe	84
PID 4784 wrote to memory of 4652	4784	Npmagine.exe	84
PID 4652 wrote to memory of 5072	4652	Nckndeni.exe	85
PID 4652 wrote to memory of 5072	4652	Nckndeni.exe	85
PID 4652 wrote to memory of 5072	4652	Nckndeni.exe	85
PID 5072 wrote to memory of 2908	5072	Nnqbanmo.exe	86
PID 5072 wrote to memory of 2908	5072	Nnqbanmo.exe	86
PID 5072 wrote to memory of 2908	5072	Nnqbanmo.exe	86
PID 2908 wrote to memory of 4244	2908	Oponmilc.exe	87
PID 2908 wrote to memory of 4244	2908	Oponmilc.exe	87
PID 2908 wrote to memory of 4244	2908	Oponmilc.exe	87
PID 4244 wrote to memory of 620	4244	Ocnjidkf.exe	88
PID 4244 wrote to memory of 620	4244	Ocnjidkf.exe	88
PID 4244 wrote to memory of 620	4244	Ocnjidkf.exe	88
PID 620 wrote to memory of 4936	620	Olfobjbg.exe	89
PID 620 wrote to memory of 4936	620	Olfobjbg.exe	89
PID 620 wrote to memory of 4936	620	Olfobjbg.exe	89
PID 4936 wrote to memory of 4496	4936	Ocpgod32.exe	90
PID 4936 wrote to memory of 4496	4936	Ocpgod32.exe	90
PID 4936 wrote to memory of 4496	4936	Ocpgod32.exe	90
PID 4496 wrote to memory of 4296	4496	Ofnckp32.exe	91
PID 4496 wrote to memory of 4296	4496	Ofnckp32.exe	91
PID 4496 wrote to memory of 4296	4496	Ofnckp32.exe	91
PID 4296 wrote to memory of 1140	4296	Olhlhjpd.exe	92
PID 4296 wrote to memory of 1140	4296	Olhlhjpd.exe	92
PID 4296 wrote to memory of 1140	4296	Olhlhjpd.exe	92
PID 1140 wrote to memory of 872	1140	Ocbddc32.exe	93
PID 1140 wrote to memory of 872	1140	Ocbddc32.exe	93
PID 1140 wrote to memory of 872	1140	Ocbddc32.exe	93
PID 872 wrote to memory of 876	872	Ojllan32.exe	94
PID 872 wrote to memory of 876	872	Ojllan32.exe	94
PID 872 wrote to memory of 876	872	Ojllan32.exe	94
PID 876 wrote to memory of 624	876	Oqfdnhfk.exe	95
PID 876 wrote to memory of 624	876	Oqfdnhfk.exe	95
PID 876 wrote to memory of 624	876	Oqfdnhfk.exe	95
PID 624 wrote to memory of 3784	624	Olmeci32.exe	96
PID 624 wrote to memory of 3784	624	Olmeci32.exe	96
PID 624 wrote to memory of 3784	624	Olmeci32.exe	96
PID 3784 wrote to memory of 1928	3784	Ocgmpccl.exe	97
PID 3784 wrote to memory of 1928	3784	Ocgmpccl.exe	97
PID 3784 wrote to memory of 1928	3784	Ocgmpccl.exe	97
PID 1928 wrote to memory of 3488	1928	Pnlaml32.exe	98
PID 1928 wrote to memory of 3488	1928	Pnlaml32.exe	98
PID 1928 wrote to memory of 3488	1928	Pnlaml32.exe	98
PID 3488 wrote to memory of 4940	3488	Pdfjifjo.exe	99
PID 3488 wrote to memory of 4940	3488	Pdfjifjo.exe	99
PID 3488 wrote to memory of 4940	3488	Pdfjifjo.exe	99
PID 4940 wrote to memory of 1052	4940	Pjcbbmif.exe	100
PID 4940 wrote to memory of 1052	4940	Pjcbbmif.exe	100
PID 4940 wrote to memory of 1052	4940	Pjcbbmif.exe	100
PID 1052 wrote to memory of 4848	1052	Pmannhhj.exe	101
PID 1052 wrote to memory of 4848	1052	Pmannhhj.exe	101
PID 1052 wrote to memory of 4848	1052	Pmannhhj.exe	101
PID 4848 wrote to memory of 4460	4848	Pggbkagp.exe	102
PID 4848 wrote to memory of 4460	4848	Pggbkagp.exe	102
PID 4848 wrote to memory of 4460	4848	Pggbkagp.exe	102
PID 4460 wrote to memory of 5088	4460	Pnakhkol.exe	103

C:\Users\Admin\AppData\Local\Temp\25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe
"C:\Users\Admin\AppData\Local\Temp\25f1d7e375503fc53a1792fc07c491d8fbbafd568ddbc941799b346a3c12fd53N.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\Nnneknob.exe
  C:\Windows\system32\Nnneknob.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\Nckndeni.exe
      C:\Windows\system32\Nckndeni.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        25⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1460
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        34⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        49⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:464
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        70⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        75⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1344
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        79⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3100
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        92⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1080
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        98⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 424
        99⤵
        Program crash
        
        PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4100 -ip 4100
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
96KB

MD5
580fb14b042af5b68839c7b5bda60218

SHA1
3d03ecbdb40e88d9d3d29fb7947817a08b40a424

SHA256
ee7fd32113f3216476d746c2b5d853f901a3b4626d84f2cfeec8902f0362f004

SHA512
96ef18d2490e1aa96c9f79f24ced6f72a9e576ab3845ca4270af89758373cb5fd4b52243cad3506dac2e7413fb1c169bb4f78a4c250b0d7f3f013ea518e844bc

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
4325deca3488f31c5f59000895945c8e

SHA1
3f55484bf9a7bbc14224a3faf785eeeb9a798955

SHA256
1080c8bdd6c5aebf8082f28061ecfcd8a44accd2aee59860754f79d30eedf947

SHA512
217cdfca94962aefc0b3ea43fee8746be67ff5becaf4391c52961e7c180c134d35f1ebdba8302b536aa45aa741231e99f022e9bd0f7114310d22b34e4d080e58

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
9ca2dbcb9dcc650ed5e974c523c465f6

SHA1
4ec1503d3eb577d19f17b0b1fc8652c8953ca138

SHA256
152f9b4b0a26db82a717e40969ab782ec47d3e937f3b3ad62e0a8555214878e6

SHA512
f78f1fa26840c853c595067045fd01eda49a9f968a37680414b2e8c28a01d4ffe6ad252d47211a70d9c0cf104ac38dbafa471c7047d13939e114ae5341954376

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
a5252fdb02ea88c919ca5f3c05d14558

SHA1
06a3a2d7e28660cbb21991d4772fc5867aafe732

SHA256
4379a17e4f485fb319fef1fb185d6e88a808143df64c94a5f44164849d6488c5

SHA512
70fbc1c8f5d22065461ba434ab428587ddd13a3acc50a9f33230c64705d846067022e904e948be35a572a8567e7f88f53f7c30015641c3950a2af432cec982c9

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
96KB

MD5
f5abe49671d29881e94ef0267f64dedc

SHA1
f1f51d37c47a9a07a0662b104a38bec2696e06ca

SHA256
4524ae777900b40d1e7e97c3d56e6d686e85aaceac12a2621e08eb71cb636e91

SHA512
03cbe06034b3895945057e68cf267759e94d6c574473305a6431832868afb009ce56708955ca0a18bbee03f0ffbfeda9f6132a10b684d93774ee5fdfee4fa06f

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
96KB

MD5
db02f7dc56560656da854c52b1116a7e

SHA1
ee17c2b8e6eacc792d0b34f21998c18f37a7f405

SHA256
acc04adf956a5e498528f95cf9adb2e8f4c72d762da7e2350a89a5cae17c9cfe

SHA512
feece234aebe01ffb901744edb3a8afcf832516e1b0fa35f5316dac6a3caef4a007e035b8a81f89ded113ee42bc249b6cf9ee7efb4e51d8384a04da35b5031dc

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
8cbbc1296ad7eed0ca9c4d766c19f686

SHA1
a15c0576de2f82556212f3ec4ac0f6c15ed7a595

SHA256
769e3f6cba6eef1566b56bea557ae23d71ee26c9fece20e3afb954fa5502c5a1

SHA512
c759e8e837cb090fa05d54486530dd436d587a5d5da1205317edce705f0d3db77d254db698faffff6cd6fa9d73896ba014a33dcbdbd285566bee106480819a56

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
86e53b7a97d362a3dcab64c90d00f2fe

SHA1
5db8ec1adaea53b9b1bde3f07450566b6256d07e

SHA256
fb1ccef1091e9a9e894fc424e8edd8bf208ba2395c6726f2d43f33bb5b7e9646

SHA512
7124aa65bb43e583bd8d445abe2bc4ca7750cbe4d4e75d4e159f43d3fb68114b143335f800c3c1d2f46889575f2f0f98dbb869f9f993b825a73ee0c71d8710f5

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
df6ded071e55069b931e69aca62fc93b

SHA1
e915d6cb24a852777f6ccbb6fac643141dc8921a

SHA256
505b82091beb42db9ac3f4d0cf6a861adcdacef7d8f709123a946f02b1700481

SHA512
7139aa18451f7d07128c448e06c8207a43bcf3497b977ca7808d5d5b406d746e7505ec1f82e4e556e7a20224019ce390462984269b5db8c3ac731648bd67be35

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
96KB

MD5
16b02f5fe6220be7725f806c98b95d15

SHA1
b85a011ce92f6ba13473e819ad190fa748dc51ff

SHA256
fa0aa027cf302c35c249d196a905dc8b12494eac1e3bad22a6995518556950b5

SHA512
ac9ceb534314308add37a80250273c0915f713a1197e913ba897a0f87810264c7eccf9f5ba36a893576e6b217d7b9740ebdb4f9fde93db02cc89cb4ec075f5c1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
0387c2f7cd3f7148e5650c084b300455

SHA1
fb1bde79e7691d32a777ae9f08c814787a4410b6

SHA256
d6348773d686f4d31d9f6c4311be5f98e556786e45f8f85dd1e55523357dff7b

SHA512
164db919f915f30a32f8abfb5202af8eb53e56946e0ac52513eb82cb20b7d7cc77ece304e9f2671e49ab7d6b98134a7aee570ad9033c0c8b1dcf7692c0ab2fa4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
8d73049d0dc4df592ee2584a43093ef5

SHA1
cc971c6e51e8f0b2c22b337906c0c33ea666efe5

SHA256
5b580262c9fdefc9795b967da74f4e4133022d58315d26cc3f63f81ba3019a74

SHA512
b3775c99c43bf400702e059f53ecc742bda89c7a05fe3ae30ab7c95b775ad50204cd8510cf0c2c56ce99018454bd9368cf439fb34ded891094b966730b1aada5

Download Submit
C:\Windows\SysWOW64\Jclhkbae.dll

Filesize
7KB

MD5
ec58f4a92b9ae615e388d3135e9185c2

SHA1
5fa9dd0847002049e43eba495c3cc644182e2d23

SHA256
61d4e4cd7bd437c8d4732f4906dd7886f77e80683c124266feb94365b1ef1c34

SHA512
e8691ccbcc39ca723d9b7b0f2c8c6cc46512d719c8c4c35fd3d10fd84a9f5ce1800539b5f09f05e652db11b6ab6953d03763a5512f25a56902b3c9a461795b89

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
96KB

MD5
2f7daeedd98d4cf89a66c34ad79e8755

SHA1
c11553d9685315b66eac2d632c4f82ca97f698d1

SHA256
c53ef2cc673c18278bb4885074e15a7ad7631be1c6db2e557b0402639b9db077

SHA512
0362ad832acf95182eef279f2dabd318a0d76245383700c68293b8690394fb981cfe6780be5621efd92f7bd72a629d19826ca7939dab082cfbaea96d2b33d8f4

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
ac61b4bfc6b93772802cc70c898db7a6

SHA1
921ccc0161228926b2cc26c202ad62ee123b2c1a

SHA256
615a5b97303b429ee50a6fabc361fc43f70aa5213862e3c7a297e43c5157ee52

SHA512
0d5c32c3398094efb683f523ee7349b098a2a2943720d9a81582b7805a1b08a058f97972a54086d9d6df718fd04f675c8695e219c48a07290397fd5d271a5643

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
64KB

MD5
d4ea6c9ccc1e0d3a1935d13640f0b3f5

SHA1
28b73b4d0986a881f417ee83b66525de293fc122

SHA256
a1ea5623bb50cfbd16fb22cbec45a393291956e159553b55c0975a27d00725db

SHA512
aadd267d5655bdecd1e9156357fb882016ff9e50e2d5a89b99ebcba7b596ca0b182863ea31e13cb4a5433046d88f9c91455be11c5a75d47711f61d69ce494d35

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
96KB

MD5
5b9dfa1adcd8712e4d5d589e6822d5eb

SHA1
e0c20d2e3fb405a7d7571f3362b937cbf73051ed

SHA256
67d16501e742322afa6dc469ff29dfc334ec8370a9b24666bdb8ea98e4472766

SHA512
ca5083df3e529e4b6426babff2a094f7ede2272bc31716505526259608ba12403426211bee648eef74a468daad0ea928bfb39fca959c04e2a9771b2bbfb30237

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
96KB

MD5
311301f63c95d3412c45e5cc659722f0

SHA1
9fdbde5bc0929666caa72656d929521594f2f689

SHA256
b079a33ffecce99207323436a5d59bd8808f3237ffe6dde548141f1bf5dcae84

SHA512
b0b4b5325157425fe5413ee7f80557030dfac3a97a723c31901dd070de61097c11e52ec9ac4d968107883ec4a728b5ea4220bf917bda79fe32ee745ffe3bf251

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
c8e71ac469ba54f7429ef55b7a8a6d17

SHA1
54f5068b9c70ca5c13c3c2a84d67de6250a9d71e

SHA256
bacca653447cfc7e7e31d6a4d2474112f677350a7c1f6ee476cf6809dcbf62f2

SHA512
ff45fd9361b488a2dd86b400b0546f9012abae1fa61b79e2fd5406f6486575ad99246c3fd228b051f980452708d775ccd40023035f1239be4e0155016ec82ce1

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
be7aaec6ac56da24cf12774e4aa00f50

SHA1
056a4ffb6de2200bc3e8e585c7b24ee2537e2aff

SHA256
2cbe34d8fabe4e5d20375445741c76288d8db7d64d507fba4dace3e5ca30ccd5

SHA512
a3a9f99f4c5bf30624b47a10ee02aa319dac0f8e9e797bfe7789240132c257c2e3cff3d3d20bab84986376fda47744d901e11decbfc631f9434ae207fe1fba41

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
96KB

MD5
e386361d252cf4077b70d2cc356badef

SHA1
99e7a8480ae08a3f22b3e5ca6eefa2141d57dfa7

SHA256
622525ab7f1c6a9288319c6c4fa88821b09b4c89b1b27adc23f4b878c28ecd4a

SHA512
56d4d9e3ee32da60424b7cbc40a74d1a9da77647ea24ff8b25642fcf1843c6a7cdcf5b1be30b094b3f7861d678c761c3e524fdc02e12fe2cd466e32fb1a28f01

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
96KB

MD5
f6a4a17b06ab520f7d93d30ad04184f8

SHA1
a93b454266a652db9f5df66aef21051cf6a79601

SHA256
bb3e4b2a0be16995d6f9f1e3c250ef9da6f2fb23839019a07f5821c5a2b7f623

SHA512
7062a8a95a3efd4e880ac3beaa02d546688a5d1d5e0f94405525ad32d8042f335b4f35e71ec1598acb9ac7ed9bf24aaf51b90d428f51c0ea89c2670696abdc8d

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
96KB

MD5
4b1d300bc0fc113772b8d23cd863365b

SHA1
1b8c522fa50e4e3fc8681ae4ca1c413c3291eb0c

SHA256
850a1e5a05f83a6fce4977c4d9af20131bee5dcdb5bdbf3b9d7d6a728cec357f

SHA512
0b9cdaa6958cfbba9327a5adee34a301f806e1b8370f1c4748fe5b4d04e3098d88676c1d64080ad041b3621d922547f79c8549e3fb24e24a6ba29fb75bcc5fe3

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
e386d1b6fc89ed4128a94a56a104aa34

SHA1
9a95b0c12455276bfe2120d0e6168506d2e62a62

SHA256
2c3e3844612afc47b941891e5a41c64a7107d495756a7fe463992084d54544d1

SHA512
23c1220a3813e4afda903a21af09eabdc1d64be71b58e5ab22d5b624331a87054c51ba9d7d9e65a315c739e9a0c28f91f9ef208838412f2ca08d276d2252c17b

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
96KB

MD5
b4d133f28d56107f594e7462ad3e890d

SHA1
e1b6415625b59cfe95202184ed15156933d4a802

SHA256
11e798d1d0793e796edbae9e60c26fa51fc0bb6a0ddf26bb55509cb1141405f1

SHA512
af9501033d2e4a5bd2cd7d7af7a2154713125508a3e88f65316f096f55cd9c6646ac7ac37f2503484fcdd572341521f1b24181bdd20c5df43c69ea9b4ae4135b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
96KB

MD5
90b6dda4932c664c9310bddd3584a83f

SHA1
1625b12ac21af1af1c8c4aaa9da2a8838a9c77ba

SHA256
4d054444a7a6ed000ae0f962d735944ce160ea53eed19b94848c8a6f9cb3f490

SHA512
2be603d0514f086d3fbc88a474c49970ebeed97ad781f2e74e47bc5a4081fd37c0d62b57c2377de7b85453e4b7cf0ea498430b111de5f0a37d9548dc5b052fb7

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
e010ff4768b4b15a2d6d80112075e0b4

SHA1
c337b00c147d288fe6dbcc5ce11add3f9cbc4def

SHA256
a46edefd9f85674b16cf47b1939060fea54551e7d797c4020a0402a3cda06854

SHA512
bc64c3c740e4863b363373c98198045242c54df8ae71f5d67572a192667fd58ec87e3ea3c45fbf73259f908abd625e6d19707071ca56d7feed84b62efae14b26

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
96KB

MD5
076dc546027c8739d11abd3d3a7e99ab

SHA1
2262509018d2b9af58889dca56c45a1ffae8c74e

SHA256
82a37a0d707b333c053f829ab5b23518e714e66e58560be54f9f375617c352db

SHA512
bc01fe0cd29794c179574704bcb955b7d3c6f66d9e03897bfb3550f6a624f5cbd8dbe060c661665cdba42ffe6ac2a1e29356521cc8d8049d09a4978aeee6476c

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
2f194fb6d5f8f78aad95ea38142d2cf5

SHA1
acfcd959290e77f5f29e07879fa30f249d4c5266

SHA256
f36c6f06885599788d8e0efa2bd5fc3e888515e7ee54179ac7137da7ff2e3aba

SHA512
b74a626da75aa78c492ffb0e9c4928672e05523c7766e86de86f94ef52c3ca7a1b03efadd242da2a35c6ed23a01c75433ebb1a64bddffa39c0cd4e782551a4be

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
317267a13bca3e675d6131330c4c7bce

SHA1
824623b468960b2f91f9e44d58f21a764297a0e9

SHA256
11bae0bf0e82005a4e47de7e9066f457e9b074bf74299e3402307a35cc69a899

SHA512
563c3ff579734853f1e928c68ded58c84cb46bddcbd0148a5be8cc5fc70c51d71a3eac333f0716c25715d32fcc62932b80c424872a4e3f156f3cab6ce57c84fa

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
082394dd661329597073a8cbf0440ba3

SHA1
fa62af39415da910d789eedfe7847c33f60dd355

SHA256
a6f5f1a0dd9b63a3860051e44c411d7cf6c8e7a02873d205ad559f62624c8cf5

SHA512
7187be86781bf8f3316cabf7d6988f56175b24568fdc2daa46be47742f067b89407bcbbc0e6d992ba8c69f367645f88d198e94929a57e78123d63bd98779d4a5

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
ded6cd3dd1a42fd22f0332b4d2dfb796

SHA1
091b0b7b8009d6f5b2b06e5e9aef94a475a9467f

SHA256
6ccb5138e7dc45bb4ec06d01bbbe592658259d0132d7dff8041a60ac40cab4f1

SHA512
236360c8b8f44b08e42201c4e3d0e3ed76d5a01fa90f48611da5d28a1cb58ee873b2bc1cb76b7cd97861f9473301273d9a7fb739a201e81a9acf07e181361d8d

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
7ebaecf6217728d0db051735aa6b89a2

SHA1
92c99062a536355c4297153d6c466ecd5ce79b54

SHA256
ab0da711bc29b98bcd92049f190965a96d6aa8ef28552c59e69214d8860fb8cc

SHA512
22ca75be80d48fdf27d355a05aed2ba938d382d1142e1bb9d18d9f01ce1ff3e16ad3aa7d8832d740d8ef31e9e2e8bb4b4e89b5666726a667f7e6d9a4b15d86fb

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
2ace99b8ffdef533b1d83945ee82d581

SHA1
91c918a8aa60585ea854cf017d041031916ae9e6

SHA256
01c92ec1ef88b05b0d69f60292b336d02d0e28fd27253f316d2c3042df58009e

SHA512
162f3a1ef48301928e66bed7047b87489677ff8d8ba68f34830acb8eb67158b3c2e4fd4ab633c8ec42e443053b8de3906cd2fb24622159debf019375115e508d

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
8f99eee9532f645803e8d3ed1ba1d369

SHA1
654af20e1c2b6bcd6030024843cac84f3f0537a4

SHA256
ba46680453c5dff06f01a081b0355bc70997c33eb00d7e6012e630a0721d35dc

SHA512
99b04b374ffdced19ce7fb1731611578b290741b5c533e704c0abe94ecd39e9a83d1c97e260c2f11757fd7bafa27d94f4ba3578bc4bda31b7d150148b8365d03

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
d014a27c210eb73d29335cde2dea54e1

SHA1
61a7d87b6986f93c1cd0df6fb14a24a61695b730

SHA256
846932e5b61263113390fac37396e04e44e7aa9fd22ea7e16bd1c63244d95e5b

SHA512
7c3ea073da947b0725a6a84d50d66e6948fe1c8fcd9374f59f97075eb6a8fc3c41892d389a93fa0fb0c753a1f5159a1666625c0218467a2646619a358f4f0e59

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
ef83dbbb421fd08f620743911e633bf8

SHA1
44d80f130293dd30b3fa64c07c7708c927d7fcd9

SHA256
808eafdecda1ea84009c5a7ad8786300a6a2f3334673e7e93330f44254512181

SHA512
036069384495a7c7bbb4a71071c25d14ce658dfd4d236f80ef44be5701b3dca7523651ae774a439a2bee1d76e4aba1fe37106499b46128304c7125e94900e120

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
fa5b378c3b36e8e0b03297ead0c6bbb3

SHA1
42a91d88f658bec485f5d409026d81a40eb1f5a4

SHA256
2c95ddea2a667fec9e552bef8926dedc04505050aceb4226cd77c17467ed8b77

SHA512
3516fccddcac5e7f17252cabc9ecd397678aff0d5d2c263326456cf5b3bde7d60164bc5d064b09de868a2f1d9eb3e98731e186d51afbd61a93e750a98b04759c

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
139c31ee4899e59e1d1d05d20ca5f3d8

SHA1
55c3009c3b18645c9f6277af6e7b7502cd38b56e

SHA256
294e40c9658cf5124df7401cdae01202230d6c6f435ee0ca3b01609676372130

SHA512
85db0df17406f9edab73fb36bbe5bb31647b0afcc6422e948b5fb702f6c5bc44c0ac77aad6f221e0a9a8b97b24fac0d339c5717126717c5fd09d520a128f6282

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
78b35b4b2a3de851288d7a36566ce479

SHA1
2f4c9e760f5ba812fd21b091f444c05f3c6edde8

SHA256
d956327f2c56a0ec9358f960b76643c0b27f6bb0121bddf34fe677c5bef97436

SHA512
3f6b898d04f0a8959b33ad37205ae6d086540d2850233f591833b18a55ff892d5c616b7d16727e9fdae0ca172984de402214aaca7e625dfdcec2d07d9b4df2d1

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
2356886bfeabf75fbecea542fe6ff091

SHA1
df18dbe60b5ead7f09ffb6c69fd1ae76b8165eae

SHA256
2eacc32805b62feeda2ef5cf537efb6a56984eafd68ad5813fe1252526248a70

SHA512
168fadfaf0e496ac9c72202a68cb43a4d6331a2f26191ae6aa0d5ddece443902754f59a4699ed741e1566f78997b687fad2fc4d42ae2665aa2f76b5299b9ad44

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
f100c91ab275f9e2ee4a130a64b2bcc2

SHA1
a36c0b58d488969b280b9d2a525e54b0aca3903c

SHA256
e9729253f9d6477026f37a2f2f06a2397bf6f23a2083e6b43e04cb6268ce980c

SHA512
d615d36b37978e333b78a8d4cf47c9e7fa9eea2dac29f5ee5cd0403836f690776d9ea929d96b486d0c2c65b3ddffcf6c909fbe57140c80fbc153e6c1d0346f87

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
d739b4787549b61bc49d69269829cdd0

SHA1
da8075432d44ff5fb9e7c3b77e6ea1ab70ca4b55

SHA256
319fbb08414c1643d9affcedb0ffa268924546317554e36d2a90d8714b8db1df

SHA512
b3112c97c69ae297577dbd503e27f217c2051c56960dcfc7cc718bcc4f317ca5e0ec0aba3f18ac56b73c294a932e58bb0c12293e47a1324854514582aa41578b

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
676e9c3e321530d6b378f0fbba7a50fc

SHA1
715ca7abaeb3d3a90d17233e5aab559e2539142b

SHA256
f2ae900c0f7f95b923ff35c39dd9534ac7e33e93fc05a2fd74615ee6a5cbd18b

SHA512
7d38e50092d47080145f68bfa033045d4b39a6402c40aa1b23bfece4d2044feb1ba3a2971cadbe4bd75d34d098bd4b076ec4bcec8a5a61ed7746e3bea7fe5c57

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
b9f4f9ae916547dc29027d401fee27d2

SHA1
efaea9d943c6ec0558c37d93f60e8f2f5cdf2aa8

SHA256
bf9b7296e62fbc9a74dbcb96ef032befff1bd4efa21ee71aa541c67903ff285d

SHA512
995d4fdd2bbd6bc476dd2672027836f100b06768b22bdbf96b88412964b699ef15f500f427ec86c41c3fc3c189bd0c03cc82ceeab6bfb1734376b62a1fa10217

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
96KB

MD5
4948329a5da3f151d2b2f4ca5e1a7a80

SHA1
8b2babcd92090a82198596451988469a5071e8ea

SHA256
d119640b5b173e0126a362cdb7d7a29a7e93c73b93f7b7c5ac107c1b010b7db1

SHA512
72164885c82c90c08c63f703a03eaeb6b1ebf67c923f4159d4a24d547a5c6861257ffc38c878cf0a4f6079cf4cc0ebd84d4f287fce5e581114a2d24e79536744

Download Submit
memory/512-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/512-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/620-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/624-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/876-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/876-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/920-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-250-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1052-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1100-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1140-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1280-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1380-401-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1432-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1460-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1892-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1928-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2020-402-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-429-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2060-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2176-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2456-422-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-243-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2588-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2908-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2988-423-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-368-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3056-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3488-232-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3576-408-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3784-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3980-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4172-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4244-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4376-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4392-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4460-179-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4652-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4784-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4836-416-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4848-259-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4888-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4936-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4936-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4940-241-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4940-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4984-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-282-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5088-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads