berbew | 1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 19:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe
Size

217KB
MD5

c5ff3be5adfe2ea89f596816a1ccccc6
SHA1

7ef3b5c8f119ce3acefa3c09adea44987c6e5e0b
SHA256

1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888
SHA512

3131cafaad063710b6e8f7ae0759765c512560102a2d2a00bd1df612a1c74457280580acfc43084e32d03cb59283e57c44b8d447e3b66465f339a043719eede5
SSDEEP

3072:X5DXJfRImMiTAZQ8HYeVeS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVD:JD9RRNyYeVdZMGXF5ahdt3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhbal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4036	Miifeq32.exe
1088	Mlhbal32.exe
4172	Ndokbi32.exe
392	Nngokoej.exe
2912	Ncdgcf32.exe
2948	Njnpppkn.exe
736	Nphhmj32.exe
5112	Njqmepik.exe
4984	Ndfqbhia.exe
1464	Njciko32.exe
1308	Ndhmhh32.exe
4700	Nfjjppmm.exe
224	Olcbmj32.exe
2252	Ogifjcdp.exe
3416	Oncofm32.exe
2664	Ogkcpbam.exe
4064	Olhlhjpd.exe
2688	Ognpebpj.exe
2700	Ogpmjb32.exe
64	Oqhacgdh.exe
3624	Ojaelm32.exe
4164	Pmoahijl.exe
4268	Pgefeajb.exe
904	Pmannhhj.exe
4380	Pggbkagp.exe
3104	Pnakhkol.exe
4128	Pdkcde32.exe
3140	Pgioqq32.exe
3948	Pncgmkmj.exe
628	Pcppfaka.exe
4228	Pnfdcjkg.exe
3688	Pdpmpdbd.exe
1796	Qmkadgpo.exe
3592	Qdbiedpa.exe
4340	Qqijje32.exe
732	Qgcbgo32.exe
3508	Ajanck32.exe
2088	Aqkgpedc.exe
3480	Acjclpcf.exe
2628	Afhohlbj.exe
2160	Anogiicl.exe
1860	Aeiofcji.exe
3260	Anadoi32.exe
1904	Aeklkchg.exe
3252	Agjhgngj.exe
3896	Amgapeea.exe
3744	Acqimo32.exe
4992	Ajkaii32.exe
3800	Aadifclh.exe
2968	Agoabn32.exe
3988	Bnhjohkb.exe
3848	Bebblb32.exe
1748	Bganhm32.exe
3060	Bmngqdpj.exe
4444	Bchomn32.exe
4220	Bffkij32.exe
2844	Bmpcfdmg.exe
4376	Bgehcmmm.exe
8	Bnpppgdj.exe
4592	Beihma32.exe
4812	Bhhdil32.exe
3120	Bnbmefbg.exe
2632	Belebq32.exe
4824	Cfmajipb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Mlhbal32.exe	Miifeq32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Idodkeom.dll	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dapgdeib.dll	Nngokoej.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Ndokbi32.exe	Mlhbal32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Njqmepik.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Gbdhjm32.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3256	3208	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miifeq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhbal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndokbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafdhogo.dll"	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhbal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Njciko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Miifeq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4036	3432	1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe	82
PID 3432 wrote to memory of 4036	3432	1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe	82
PID 3432 wrote to memory of 4036	3432	1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe	82
PID 4036 wrote to memory of 1088	4036	Miifeq32.exe	83
PID 4036 wrote to memory of 1088	4036	Miifeq32.exe	83
PID 4036 wrote to memory of 1088	4036	Miifeq32.exe	83
PID 1088 wrote to memory of 4172	1088	Mlhbal32.exe	84
PID 1088 wrote to memory of 4172	1088	Mlhbal32.exe	84
PID 1088 wrote to memory of 4172	1088	Mlhbal32.exe	84
PID 4172 wrote to memory of 392	4172	Ndokbi32.exe	85
PID 4172 wrote to memory of 392	4172	Ndokbi32.exe	85
PID 4172 wrote to memory of 392	4172	Ndokbi32.exe	85
PID 392 wrote to memory of 2912	392	Nngokoej.exe	86
PID 392 wrote to memory of 2912	392	Nngokoej.exe	86
PID 392 wrote to memory of 2912	392	Nngokoej.exe	86
PID 2912 wrote to memory of 2948	2912	Ncdgcf32.exe	87
PID 2912 wrote to memory of 2948	2912	Ncdgcf32.exe	87
PID 2912 wrote to memory of 2948	2912	Ncdgcf32.exe	87
PID 2948 wrote to memory of 736	2948	Njnpppkn.exe	88
PID 2948 wrote to memory of 736	2948	Njnpppkn.exe	88
PID 2948 wrote to memory of 736	2948	Njnpppkn.exe	88
PID 736 wrote to memory of 5112	736	Nphhmj32.exe	89
PID 736 wrote to memory of 5112	736	Nphhmj32.exe	89
PID 736 wrote to memory of 5112	736	Nphhmj32.exe	89
PID 5112 wrote to memory of 4984	5112	Njqmepik.exe	90
PID 5112 wrote to memory of 4984	5112	Njqmepik.exe	90
PID 5112 wrote to memory of 4984	5112	Njqmepik.exe	90
PID 4984 wrote to memory of 1464	4984	Ndfqbhia.exe	91
PID 4984 wrote to memory of 1464	4984	Ndfqbhia.exe	91
PID 4984 wrote to memory of 1464	4984	Ndfqbhia.exe	91
PID 1464 wrote to memory of 1308	1464	Njciko32.exe	92
PID 1464 wrote to memory of 1308	1464	Njciko32.exe	92
PID 1464 wrote to memory of 1308	1464	Njciko32.exe	92
PID 1308 wrote to memory of 4700	1308	Ndhmhh32.exe	93
PID 1308 wrote to memory of 4700	1308	Ndhmhh32.exe	93
PID 1308 wrote to memory of 4700	1308	Ndhmhh32.exe	93
PID 4700 wrote to memory of 224	4700	Nfjjppmm.exe	94
PID 4700 wrote to memory of 224	4700	Nfjjppmm.exe	94
PID 4700 wrote to memory of 224	4700	Nfjjppmm.exe	94
PID 224 wrote to memory of 2252	224	Olcbmj32.exe	95
PID 224 wrote to memory of 2252	224	Olcbmj32.exe	95
PID 224 wrote to memory of 2252	224	Olcbmj32.exe	95
PID 2252 wrote to memory of 3416	2252	Ogifjcdp.exe	96
PID 2252 wrote to memory of 3416	2252	Ogifjcdp.exe	96
PID 2252 wrote to memory of 3416	2252	Ogifjcdp.exe	96
PID 3416 wrote to memory of 2664	3416	Oncofm32.exe	97
PID 3416 wrote to memory of 2664	3416	Oncofm32.exe	97
PID 3416 wrote to memory of 2664	3416	Oncofm32.exe	97
PID 2664 wrote to memory of 4064	2664	Ogkcpbam.exe	98
PID 2664 wrote to memory of 4064	2664	Ogkcpbam.exe	98
PID 2664 wrote to memory of 4064	2664	Ogkcpbam.exe	98
PID 4064 wrote to memory of 2688	4064	Olhlhjpd.exe	99
PID 4064 wrote to memory of 2688	4064	Olhlhjpd.exe	99
PID 4064 wrote to memory of 2688	4064	Olhlhjpd.exe	99
PID 2688 wrote to memory of 2700	2688	Ognpebpj.exe	100
PID 2688 wrote to memory of 2700	2688	Ognpebpj.exe	100
PID 2688 wrote to memory of 2700	2688	Ognpebpj.exe	100
PID 2700 wrote to memory of 64	2700	Ogpmjb32.exe	101
PID 2700 wrote to memory of 64	2700	Ogpmjb32.exe	101
PID 2700 wrote to memory of 64	2700	Ogpmjb32.exe	101
PID 64 wrote to memory of 3624	64	Oqhacgdh.exe	102
PID 64 wrote to memory of 3624	64	Oqhacgdh.exe	102
PID 64 wrote to memory of 3624	64	Oqhacgdh.exe	102
PID 3624 wrote to memory of 4164	3624	Ojaelm32.exe	103

C:\Users\Admin\AppData\Local\Temp\1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe
"C:\Users\Admin\AppData\Local\Temp\1f398475b162696609a51a45048e6cb0ac254cfdf84c0cfd4f37a5ab542e7888.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\SysWOW64\Miifeq32.exe
  C:\Windows\system32\Miifeq32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\Mlhbal32.exe
    C:\Windows\system32\Mlhbal32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\SysWOW64\Ndokbi32.exe
      C:\Windows\system32\Ndokbi32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\Nngokoej.exe
        
        C:\Windows\system32\Nngokoej.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
      - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        26⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2632
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        67⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        83⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 408
        90⤵
        Program crash
        
        PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3208 -ip 3208
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
217KB

MD5
089bc6e73f8a0aed46997476ac2f079d

SHA1
4719fb2e42b897124bf329151d4386667bfba06e

SHA256
eac42804c2e83f585be25b2220e29b843aec30a9d334ee13d3654bab5104dbd9

SHA512
71ab2d2eebdfd65bb6ddcab3668ac1f678995e231d719f6d343ace29b76828f8d98cb35c6222042c2c0cf32502507e1f54e0995479bb14373e6335da877b0b37

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
217KB

MD5
c6baabcbc3cf508be8842c67118a8251

SHA1
14ffe62719444d2945df8202dcb95e2c36956816

SHA256
606265ae5f9a58b2e78b382b508d71b8eba907ceec28c4583a61f25849fe3e95

SHA512
836516a2c02688d482237e82272d80c57ce19dfaa99e9830ecbcee1a3b2afa0fd006b82d87aec676b1f85ac7344409b80db4440e99aa6f581e1ff8d1ee7dd7a0

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
217KB

MD5
1d9e9a15c9e3df769c2010bd5ddb0a44

SHA1
3d2af3b190173477f36db745d22c7f998e838f34

SHA256
5475deda3f71fd37a9b9ca5808e32fb6d5503804e392bd3c1833428d31d58497

SHA512
61d13768990434ccfe58177a478f4dab3265b6925d3e0b30d372494d021012c2b18cad6117a7484a89b44aecb733c27e7a9b24eca7c6280c1c039b6487ba7d89

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
217KB

MD5
eb74be50abbe9f229a51b96247e0425f

SHA1
fc09bda71381679c85cb575d3bea7bc208058f84

SHA256
1ac8c05c73df71e30ebcaf25ac7111a77fb6c2ae74b400b9d732af6e57ec083b

SHA512
a0161ed8e56fdcc76b466239792bc76f9142b0aeaa8db8941db007cbe8ef25755b2b959dea4556dd9b636858e2ac77759e606408c299387de032ce962e94a56c

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
217KB

MD5
33b96d2740199f274c55a02d40076614

SHA1
fb5b6c53cebd2f21c9fd822863c82a805f179448

SHA256
fcce7fed3ab8bdfd724b65959018aba952c5f8f114afbf6d72ecf6e016f5b327

SHA512
52392c22590378974ee9b9cbd494dad417c15ab8c539f5a92b4f53fe340f24491433182e3ad20c2f8f6a571b0bc6c0c97deb201cc819b444f68133028be860f3

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
217KB

MD5
880597c70e03f68f349f69d22ad6b438

SHA1
84f8f3d2afd7221b739ce8d95a46732767051bbb

SHA256
c4ec2928c48bff208f9499860c04d19ad283a863a22f0cbf6bca2551a4d5810b

SHA512
b71c5738fb405fa87fee343652e3018ef7c1de33f0dfe5788c097f23f97684f7b7fc24d1c06977df57b4142ceccd4e5f6207b596966499dbebfecf7ea9fdeee6

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
217KB

MD5
0a5c31aab032a1215a548df0360c39a7

SHA1
914ee77d53814b3ac6a6653d9070064d286920ab

SHA256
3eeeba74d12160bdeca2201e3b7ad5cb2102fc3f76e123ecd3dfdcfbaaca5e1b

SHA512
84c494f2ac4fa11f876ee00ad72f3f2d8908b264bd3df27d0c2fa7c604da1f8befc23cf3929aef7628ce85b24ed1cf17c012d473a1bc484d72ef096052854889

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
217KB

MD5
13377de3668d410d8a13fd569e1929be

SHA1
8ae38bd4199420024d3229ce9b42d0b0d89ab909

SHA256
5f020cf7d474a0f7c6fecd05df0ace79a40638ebe0a4d350a88ad4af0509c36c

SHA512
3a0662d36216aa395974dbf7b42b499b0f91e011a7a65f9f3b80468a28dfb4e8a88615b8019dd0d65847d6cff9c7f7e6dfe6fa6f733a68d04c3ef690174b4f2e

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
217KB

MD5
d585e231458505561c8370c310633d79

SHA1
3fbbb26e56b6e13ee4b57bf842c9b2827661fd43

SHA256
3990e532974b868ce3b3e6312eda78a44940ef4c3223a4ed3da808e44a89e2d1

SHA512
b1455df951483c6308b76a4e28918c32e6fc37d70cc08ba46c8ef35efb5d1e76412f99d47bf51d7d712c9940ee4d21d4a35f8b4a8365a84ff3492437ab470062

Download Submit
C:\Windows\SysWOW64\Dapgdeib.dll

Filesize
7KB

MD5
b4af628f050fde2ec6f1f97e4d3db862

SHA1
823b61aa159fa8b3b57b48dd002df7661de30f73

SHA256
057bb9a6abc675581951e414a611b21861e8068958272c91eef8f4dccc5a6d93

SHA512
8a3257847aebc59e32f88c2daa56485ad04836c9ca6da9b6088727f0797380f3ea3a4ce5f281cdc18a6ea3b156f17dd3e501a926bf2b6f00b1f7b4e50db6b120

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
217KB

MD5
c6f954bc553ff9f311aad88c56a860d0

SHA1
65dc75d9b38563c3de0621f071f62654d5574b4f

SHA256
a6e7b7694b1f2c55529a16915092f8f5ba7fcf63fe90ce6de632b125a10256dd

SHA512
b6f37183e878dfcdc3af81c59348037ac0cfc3433eeb41dc4b0741f4e2d8392f6ab277ffc24de030f22d60dd42ac38fcafb7ad4143ea35ab3677b2d56015111c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
217KB

MD5
c6ff9a870292b3f0752fcc9023ae9251

SHA1
a5929dac5c8376faa40139a735fafd20d7d38aa7

SHA256
3b98245f9b4305c4336d55f187a3bd451951fc44678400c603afb9a7e762ce3c

SHA512
79948dbbe79619d9a1b4d804957b4cf11dccfb93d6b4264b2e0908bc8057d89254605d1c963e15d7e8680c70e6bf48e326acd1154494473154e11e949fd7742d

Download Submit
C:\Windows\SysWOW64\Miifeq32.exe

Filesize
217KB

MD5
5e33f7a1da898c946afee2290b5ffcf5

SHA1
693339d700d6139b588c7155bebc295fd3c2b8d4

SHA256
f2d762ef7279b06cadaffc244a65fdd2dae7010ef95720d82bd6156583460d46

SHA512
02daafdcfc2e9be1c8b077480d40b0f879f25f79520bea46139f23893e05a5938dcd381648b44752abb32cb81983057dd7740db1bb22faa3a581f5a7fe499be2

Download Submit
C:\Windows\SysWOW64\Mlhbal32.exe

Filesize
217KB

MD5
e125032f344b68a0a000e04ef4ee0a86

SHA1
b7d69e3b959c57c67ce8b22204a20e4b08877ec1

SHA256
70dc8a2fd1537041111d8fd7305e913b851069a5e41f76d9e105cedb26f2331a

SHA512
790ff9533630aee50648d3654c46cd27f64436c9c655da5517d4c5d34d12a7de099a16acf383fbbe6bac1c370ec99c021ea79a5e19431cc92ae4ecfb4ef69f94

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
217KB

MD5
424cbde7e45afe0f86daaf5636acf604

SHA1
62fe3deb6f75e6c6502a92ff5f73e9d1c77964e0

SHA256
03aea5362ca6d91e4b1c70480a340d803498401fe79040cdd5d9076d2649996d

SHA512
6ff943b36b65c8da45050d7713f8f7554c268491e34ea6c04df309c50f79c26000aaa556b4803ca3e3b0e1d68231f5d06de5b2033e6b9c31ba101dee09ae1f1a

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
217KB

MD5
d367e16ef8343c8e577922275463ef40

SHA1
e38e560fd50ad90689eb5f4a31981ed5618362ae

SHA256
39fff4556ad7ea445a236621953ea33a4e49f5a371eeccc50e34648a7fd101fd

SHA512
413899bc3599a53beeabd7618eb9a83be45b83d1a654ad2fa8dee0a723358a5c4ee07389712082637a8efd6fb91977a21320202b516c6f31bd5aba1139b303ba

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
217KB

MD5
56adda04991e2663475f6ddf5bacf9fe

SHA1
51818a7a0c20c9a790bf2ac2c16dcf01b184f61b

SHA256
137a8aeea4a3ea0d0f0a4b77dad26b505df330f9ed54dddc150cfa6642bc6993

SHA512
62150632956a480986a9480a23dc041aaa7957dfe76c3cba93c5bc63de7a117dbe0a30542602586304059bcb71f0f294cfdb74896d8a5e90ed687430aba7645c

Download Submit
C:\Windows\SysWOW64\Ndokbi32.exe

Filesize
217KB

MD5
7a2cb442e34619f82b34570b472bacbb

SHA1
39914dbb151251f258cad40520a1c526a1f64263

SHA256
220f46b60e7b93070b6f81698bf377ff47c78c167c8e5bfb4f3ebf4f59973623

SHA512
88f1b9a6634d767758ef4e392168a544ce60779e4561368394b7d3a5488d386a75691b9d2a7fc28848b46ac30fb4a62217213b850d89fa0ceb269c5ba087208a

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
217KB

MD5
e9039dc91e7bd6874f19ac0e07a5d070

SHA1
3a8fff26d68aefa83e29a65f4134d6a22276bbd1

SHA256
2c3251abef2c7920a27d59e06097902f611716c9d1e351863f9da63bee779be1

SHA512
5525057f128ed4739a4e266f20d5da2c9a2cfd26fe4e7c387d5209eb9c958642d78822798f97bf601325c585612d0739842c4848fef4bb8d2f248d731f2421e6

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
217KB

MD5
12d4edabd0538abb953b9464dabf4082

SHA1
d737199f82e2407541f01b549cc066665a356e21

SHA256
936303cc040f59acb44ac045a9c7652e3b4b552f02efe27a3d39d62c9d9fa8a6

SHA512
34f648b61a4c5368728d95d300de7588c314185e92296fe5be424f03131fa57c45be0628405b7e09929609ce7cbb63b5e811a9b5c9ad82c6f0fb3949979696b8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
217KB

MD5
b59d9ea1a2f898cd32a0d68fc4100cfe

SHA1
24db353064bd8716ea679909a62b7b2875570905

SHA256
8f9a69726c86b30110a66e00ba93f49c9ca255afba9e28811b9597b33832ca33

SHA512
5678c222836a2b8b1f42d0d5b8cba20722d4ebd8b0595e05532bbcf1a5f9ca7ab92647f299e7ba0ddebc36043ab1e36dd0cebc89186cce2810e9f5258c7e207e

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
217KB

MD5
0fc80c5a99a3e5be22ce875db07483d7

SHA1
f14bdb9a85a3fe05a8a8e768329bb383694a20e0

SHA256
39700bfb27715b25200fdef57a1f29efe9fb03be8ff9ebbab9375df5e7f62b0d

SHA512
33a894abd64668656cd9417b4815b399c726e63da1a9cc01f9c58622c2de605a0cf8565cc9476fb831a5534d3d2abae1e68979ba4dba2c178b01c92ca307d519

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
217KB

MD5
26730d749c290cd5d605f63106863df9

SHA1
fcc5579a6a51f1e98842fc96bfbae2ad8f9af641

SHA256
a3d31aac39edf06fac143aec3f22771a61e80cc9232ecb79a890d0ba06d96b2a

SHA512
b0e4b492b7cfba517807a1f7c33a5b89f28f1e708fb067bafa670474eca55af4ce5096fad698050dd97aae64bf90fd1e8a0c841f10b6f90eabd003cd2f1aad9a

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
217KB

MD5
2ee596dec05cd1e1cd0bc5807cdbc336

SHA1
a050f1d8d12ac03055824f941b99edad2938ee59

SHA256
fc00dc1dea17b4a500739cbd10867a00b2929184227545335d8f53922bf5e753

SHA512
8d31994e0c6bcf5fabbecb267c9529dafa6b231e3bf0cb8f35b2404d9b97a2e3dce2d58c8c27ad7748d9a7aaf35540c000900bbbbab55ff5157817735d947db8

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
217KB

MD5
60f0b477e5da1a9941c56aa1988b1c87

SHA1
eb01a862eb624ba6d4907a0be4dbca7ad45264f8

SHA256
e6edcb5628b4b255e57d582a1ad1ed00a48c82b17474396493a798f88a948de0

SHA512
976c95f35d650d6ba9037eb088381f4e70d7b0f99a2b78bef7a4d1050f59a96b2b8a938f745b87569931dd8e5c85cb209cb1a4910ce2737630b7bc1402e8bf0c

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
217KB

MD5
a283ee1f4fee577b6a19299605b09c3a

SHA1
cd9a6d5e290150ff7b26bb7c0f04279b2aa4d62e

SHA256
d556e09f807def88d12817d194a039e364401683d0f470d2d5f89f3e7d223ab1

SHA512
2a3424ed3700a233305b1646edec7a15aa9bd30efe331e15b6567af066dc391a565163010be7b54b5b295ce7313e7b5557ee0fdc5685339237a5221133e0b1f3

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
217KB

MD5
95c6e04b9b8bd6c94b8bbcb1ff5af19c

SHA1
36cc220577025de5cc66e518cd0c86fdfd41a997

SHA256
4d92ae41fc993e9ebaed25ab3e92c572346bffd1d9b88da2ed8b8df814f9c91d

SHA512
179b9f8e1cd7543443ebfc2fcf54b4e47df0327f587bd4395b24271cd703a513991102a6794c972bdc5eafec0c72256fd49b341b6f9a463e065d7a49503125f7

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
217KB

MD5
f66e019abb3ae737ec6e21a524047269

SHA1
03db605013fc24e8b622394573c62f7df25e54ae

SHA256
126a599ad818d7fc9374dcad92a96c8f7bca98f52354b5d94c64b4c5c76d2cf0

SHA512
0bb03e4d301d7e0961e2dd76abc74afb94147abbe76debe1e24dd812863c180bb889b6a136cd32ac7ba938687aea3fd23a2454ed26685c03f466c99fe8acf2cc

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
217KB

MD5
d91b8229dd0607e7b7d4b780041e7693

SHA1
33241a721681549e37b07873dcb316ebfc1e18e3

SHA256
69b2d7a654ce6e94a711ecfafe563bfff291cbe1f2bbaba52893e850ae3daf78

SHA512
a6007ae3c219a7f98ee27e76f9e7141b9031e7b364cce7c4e03fc7063718d013084da48f821fe6af4a8245b1eb83b404ef05e01a00e90c4d6fbb0d25c9901c0f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
217KB

MD5
f9b97bf9f31387e365e27bd8cd6228fe

SHA1
e56ef7ebf2bc902f5238ce62ec16401361259439

SHA256
d842e131b8ffdfdd2f9b490d6b4311b96e5f0d56badc8774bac3054e5a03114e

SHA512
9d7d28b1a5ba5757fc4fde78084280a4de0344bfdc7644f503123710cb3d6ca25d253e57f6b9f20bdaa51484863b861c364592b1f07a903770d0af4decfcb8ad

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
217KB

MD5
e3466fcd0574bcbb7c982090202c81a0

SHA1
0dac09458c6f1e7a9e8652fc408bd42421ba2fd8

SHA256
6e6dc0432f5fdda1d2bee1c15a0502b061c04a78ef917e44554358b46c26b938

SHA512
235914e95175f98d06ba9c91f27c177ab75d4f24bf984096697823029f8f7bca1bd21de69559e4cbc524bf57d3d4009bd6e8dd2a1dbb8404c98ceac585bdbcd2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
217KB

MD5
9ae2bcc1d58f29a34ecf554f51a5c615

SHA1
e0aa2367d6fb190a1913fdf73a1e12358086f2ce

SHA256
2ed3e0d61b933936fd80c04db04188c705dc0cde2055f5e2d2039942b259739e

SHA512
99c8fc9fa3cf80f4d331db3fadfa39a6cb53589224e213ff3f9acf676bd3c7677345df4d63e10a26fbfdb77637420a68bebdf343bdd775573dc617cc2f66342f

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
217KB

MD5
692e675e0c9b67de9ece955a60125d32

SHA1
dfd87248ce008679a53211253bb8b6ea00902c89

SHA256
15f08b285888e9b995bd6bc49e260ed207cbb297469ff979c73ba65a92e796fa

SHA512
5fa739349ff37b204e912a6b49328d58ee9833bfe434c937612a0646c3c5c7d37f50f3eee562fa051179184c82610e080f458f904d4ec408318de6b55577086f

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
217KB

MD5
eb4b0e8a1c98c50f6e3d8087bc6eedc2

SHA1
346d058d1d66036b0955085bba5a8a1ba83944bc

SHA256
e84058f118dcff22f05e015150d544f1293a4eb8218c9a1d417650f780660b8a

SHA512
43cabd819fe2685fb1cc0d74797d9430352c6aaa93cea5133825a8103f33f83cd010bb7b102c6229ea41a9f60ff91b64352c97372ea7c7a95bfa2961dd3bbfe9

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
217KB

MD5
bf0fcae9a1aecb7f7435acbd4eec3cf7

SHA1
b4a73cdfe639a3ef1141e02ee16536183a1a5be4

SHA256
02070bb64015d677eb4e1cee4c6682b93d0ed38d002b87bb945dfb9aab0a1e63

SHA512
e9baca854b012a4e926f0b70565bc49da66253c18394d1467bb2df6efe8bb2123dbfa1723dd98f558566cd7f6ec7f864ed84af47212a18bf6b381af5a5508847

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
217KB

MD5
d7b26ef253606f3cefd60e1fe9833e45

SHA1
4200e06238da45691c351bc7591f6595b7cb45d0

SHA256
228f54ef5e21319537ef84aeecfca0decfc8c87f1ca026f911d2a8c3011ee51c

SHA512
cffca354d12a814483aa6604e2e555cbe394869cba4e00a27261d90f6af3eeac014ac6b15a937a7c1860db18a1f646c6463f2f8e99df490fba2099597ec10ccb

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
217KB

MD5
3a0b3547bd9cb885af59ebfcaeb82bd4

SHA1
ae133a197c5b1a09085d37ee0cc0c4e37e9673c4

SHA256
0f2e0d4765ad3a74472bf7ff8c18bccd2a3977a798816293451d7244a8a0b693

SHA512
95d85fb6a61c9e5bf815ff76b85d8a880b77614bd533f1b99f116b4932ae046161e711e9584c3c197eb35ce0bf3c84933b6eb1443843353554b0eac94f6b7aaa

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
217KB

MD5
97ac3403ced4457d690022fedb72c4b4

SHA1
55ef9803c06e2ce97b8628d3efaf611cb1d00172

SHA256
4291502f4376d170aad58f55d969bfb726de4a4dc710b2f8ca46e0607b02ec61

SHA512
1dc44c96b99ac42387db0d3f64b4766b8b7e4dd13023c8e5833afc1a0b53680f833aba999e8d58aac12070b41a02212d3db8df709c9f4948ac692298ce844507

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
217KB

MD5
8f6816632a0facf7dc59830f97afdda2

SHA1
fdde039f958f5fccbe1268207623a06a55ce6f2b

SHA256
7c49fde64e3312652d09951cf4341be09b332247d69d3afe1f6a55a785906c77

SHA512
5d15cb58c9c206cad6512f377becc3c6f97ab64bfa5ac238a6bb1d036fc75f0b08d4748dcfb6ee7c083b3466884bd75913778536a5c5e614f522fa1b1480bb7f

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
217KB

MD5
75c55fc8e3223920fe9ebf8f0acc353d

SHA1
f81aa3f7e36630209ac521bb434eaa04ff66970c

SHA256
b63cd622aeb4f55f54011877e8eb954236f1c486ae5bfa9da9e47cfa58e0502a

SHA512
f6b1cb672774f4774836720639ccb59db9fae09dbeefeea0917ba326e53f0271cf740d9b48969d8500791ddd24ca42737cb295d5f7b149761726c11957b09a61

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
217KB

MD5
6a6d66be9bb8ce1714607cd053566321

SHA1
e62eb3a01edf4071fce24f1341057062ee57e494

SHA256
bc1285889eb79a7b620f7e0f5cadd45182177606cfd8e9ccd8a60d907b9077c1

SHA512
db2f04f7dda50f4f4e8e2fe623568edcaecfe0e5f2b1d041e60f4a4252066b656d8beb7cc0a3b9b0acce3c2c770ba92d0b6165ec2dd8c08ab376a6e1d318ac85

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
217KB

MD5
68e3f415091b376c8098de8e5613f426

SHA1
a4375b43e5feac8402aae2654ae5a546969c4e1d

SHA256
5b4bdeb92a60b64ed85c20ac0106f33a0690ec052abd01b07af03f1c521ee7c0

SHA512
e43cc154edcc1be604086781c07b9c0e155b979eb704e988a635eb574a9dd6071ab0596b1d4c0198a7612baadca11a80f8503c11e16c473822b2909adc0e1ac9

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
217KB

MD5
3b8cf4030d47ccf58c9a0491805f776c

SHA1
4c403e3bc0a24c028d8d1019030a2b76027699f7

SHA256
77e95a93aba10b79b7cd061102b3395c59ad77b813c7af9fd76607dda6bce05c

SHA512
d427ee17e5c5c52b45052267a64f5014050ca094e163a31bfc5145ca1faad108b19525695ffb5a44e95bda06657ea17018f038ea99af87cba3116db307e2f29f

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
217KB

MD5
0c24635e9050b2ebef972f4ee013eaed

SHA1
69f0b35cb2a3e8b0ff26f7471bbea29220d7d134

SHA256
3115dc4f0c4fd9a06f0c8aeeab731e7880076cf65e9d78dd2fbcd00ea191f4b5

SHA512
c615acc01fd78959268991c98fbfd919bd3fcdae1a5ad763d051c7547609ff952a9a04277289a24ec2d118a0af30ba2d31d1f23e5f3ab3d8e2b9f9c5ca4cfa7a

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
217KB

MD5
dbec9174b544a854f828c6506c93a25a

SHA1
3c3690dea2f8131195431ab474593e1fbc6449ee

SHA256
738b7941de3b2af77ce40bc181ad512a2b6d5b45cae02e7f83fd3ed6bdae262c

SHA512
eddfece4f6cf961493e1f79924a5b1a17cb39d48e593bec5749595c37f04c19099672a1061b3f672d7efa1e2947aa2d5390cbee3c011ced3cef5e21af6687d1b

Download Submit
memory/8-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-631-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-669-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1796-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1860-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2300-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2540-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2632-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2948-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3252-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3548-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3688-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-628-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3948-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3988-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4064-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4764-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4992-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5112-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads