berbew | 9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe
Size

128KB
MD5

1a94e6d36fa6386e871e30d5a66463f0
SHA1

2f024dde220b8c6181cc484f75f8f6c001dd08c5
SHA256

9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8
SHA512

39014d3443102f14abe5448273f4155f4303ce5a46ab8df393687f2b6f7e7d71e30e3f64f04a88d6e5f1fcec1724fcf137d8a1c0b01e411b1a4851fa1fc8dd26
SSDEEP

3072:SNzsIH5dqM64oPUjtRKG7UDd0pCrQIFdFtLQ:IHLtkG7Ux0ocIPF9Q

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4632	Nfgmjqop.exe
4832	Npmagine.exe
1624	Nfjjppmm.exe
1564	Oponmilc.exe
876	Ogifjcdp.exe
2416	Olfobjbg.exe
4708	Ogkcpbam.exe
2032	Ojjolnaq.exe
1248	Opdghh32.exe
4404	Ognpebpj.exe
3856	Olkhmi32.exe
4452	Ocdqjceo.exe
1900	Onjegled.exe
4280	Olmeci32.exe
5052	Ocgmpccl.exe
392	Ojaelm32.exe
4348	Pqknig32.exe
4192	Pgefeajb.exe
388	Pfhfan32.exe
2744	Pdifoehl.exe
3308	Pfjcgn32.exe
3380	Pmdkch32.exe
3876	Pcncpbmd.exe
3440	Pflplnlg.exe
1980	Pqbdjfln.exe
652	Pcppfaka.exe
4444	Pfolbmje.exe
4516	Pmidog32.exe
4604	Pdpmpdbd.exe
1464	Pjmehkqk.exe
4772	Qqfmde32.exe
5048	Qceiaa32.exe
3848	Qjoankoi.exe
4528	Qqijje32.exe
1488	Qcgffqei.exe
2024	Anmjcieo.exe
4100	Aqkgpedc.exe
4636	Acjclpcf.exe
3356	Ajckij32.exe
2888	Anogiicl.exe
4572	Aeiofcji.exe
4344	Agglboim.exe
1948	Ajfhnjhq.exe
3512	Aeklkchg.exe
1536	Acnlgp32.exe
1552	Afmhck32.exe
4008	Amgapeea.exe
2992	Acqimo32.exe
1620	Afoeiklb.exe
2332	Aminee32.exe
4852	Aadifclh.exe
1928	Bjmnoi32.exe
2028	Bebblb32.exe
2976	Bganhm32.exe
4308	Bjokdipf.exe
3864	Baicac32.exe
952	Bgcknmop.exe
3808	Bnmcjg32.exe
1916	Bcjlcn32.exe
4440	Bjddphlq.exe
2220	Beihma32.exe
4152	Bhhdil32.exe
4160	Bjfaeh32.exe
3456	Bapiabak.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5668	5576	WerFault.exe	185

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 4632	4428	9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe	83
PID 4428 wrote to memory of 4632	4428	9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe	83
PID 4428 wrote to memory of 4632	4428	9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe	83
PID 4632 wrote to memory of 4832	4632	Nfgmjqop.exe	84
PID 4632 wrote to memory of 4832	4632	Nfgmjqop.exe	84
PID 4632 wrote to memory of 4832	4632	Nfgmjqop.exe	84
PID 4832 wrote to memory of 1624	4832	Npmagine.exe	85
PID 4832 wrote to memory of 1624	4832	Npmagine.exe	85
PID 4832 wrote to memory of 1624	4832	Npmagine.exe	85
PID 1624 wrote to memory of 1564	1624	Nfjjppmm.exe	86
PID 1624 wrote to memory of 1564	1624	Nfjjppmm.exe	86
PID 1624 wrote to memory of 1564	1624	Nfjjppmm.exe	86
PID 1564 wrote to memory of 876	1564	Oponmilc.exe	87
PID 1564 wrote to memory of 876	1564	Oponmilc.exe	87
PID 1564 wrote to memory of 876	1564	Oponmilc.exe	87
PID 876 wrote to memory of 2416	876	Ogifjcdp.exe	88
PID 876 wrote to memory of 2416	876	Ogifjcdp.exe	88
PID 876 wrote to memory of 2416	876	Ogifjcdp.exe	88
PID 2416 wrote to memory of 4708	2416	Olfobjbg.exe	89
PID 2416 wrote to memory of 4708	2416	Olfobjbg.exe	89
PID 2416 wrote to memory of 4708	2416	Olfobjbg.exe	89
PID 4708 wrote to memory of 2032	4708	Ogkcpbam.exe	90
PID 4708 wrote to memory of 2032	4708	Ogkcpbam.exe	90
PID 4708 wrote to memory of 2032	4708	Ogkcpbam.exe	90
PID 2032 wrote to memory of 1248	2032	Ojjolnaq.exe	91
PID 2032 wrote to memory of 1248	2032	Ojjolnaq.exe	91
PID 2032 wrote to memory of 1248	2032	Ojjolnaq.exe	91
PID 1248 wrote to memory of 4404	1248	Opdghh32.exe	93
PID 1248 wrote to memory of 4404	1248	Opdghh32.exe	93
PID 1248 wrote to memory of 4404	1248	Opdghh32.exe	93
PID 4404 wrote to memory of 3856	4404	Ognpebpj.exe	94
PID 4404 wrote to memory of 3856	4404	Ognpebpj.exe	94
PID 4404 wrote to memory of 3856	4404	Ognpebpj.exe	94
PID 3856 wrote to memory of 4452	3856	Olkhmi32.exe	96
PID 3856 wrote to memory of 4452	3856	Olkhmi32.exe	96
PID 3856 wrote to memory of 4452	3856	Olkhmi32.exe	96
PID 4452 wrote to memory of 1900	4452	Ocdqjceo.exe	97
PID 4452 wrote to memory of 1900	4452	Ocdqjceo.exe	97
PID 4452 wrote to memory of 1900	4452	Ocdqjceo.exe	97
PID 1900 wrote to memory of 4280	1900	Onjegled.exe	98
PID 1900 wrote to memory of 4280	1900	Onjegled.exe	98
PID 1900 wrote to memory of 4280	1900	Onjegled.exe	98
PID 4280 wrote to memory of 5052	4280	Olmeci32.exe	99
PID 4280 wrote to memory of 5052	4280	Olmeci32.exe	99
PID 4280 wrote to memory of 5052	4280	Olmeci32.exe	99
PID 5052 wrote to memory of 392	5052	Ocgmpccl.exe	100
PID 5052 wrote to memory of 392	5052	Ocgmpccl.exe	100
PID 5052 wrote to memory of 392	5052	Ocgmpccl.exe	100
PID 392 wrote to memory of 4348	392	Ojaelm32.exe	102
PID 392 wrote to memory of 4348	392	Ojaelm32.exe	102
PID 392 wrote to memory of 4348	392	Ojaelm32.exe	102
PID 4348 wrote to memory of 4192	4348	Pqknig32.exe	103
PID 4348 wrote to memory of 4192	4348	Pqknig32.exe	103
PID 4348 wrote to memory of 4192	4348	Pqknig32.exe	103
PID 4192 wrote to memory of 388	4192	Pgefeajb.exe	104
PID 4192 wrote to memory of 388	4192	Pgefeajb.exe	104
PID 4192 wrote to memory of 388	4192	Pgefeajb.exe	104
PID 388 wrote to memory of 2744	388	Pfhfan32.exe	105
PID 388 wrote to memory of 2744	388	Pfhfan32.exe	105
PID 388 wrote to memory of 2744	388	Pfhfan32.exe	105
PID 2744 wrote to memory of 3308	2744	Pdifoehl.exe	106
PID 2744 wrote to memory of 3308	2744	Pdifoehl.exe	106
PID 2744 wrote to memory of 3308	2744	Pdifoehl.exe	106
PID 3308 wrote to memory of 3380	3308	Pfjcgn32.exe	107

C:\Users\Admin\AppData\Local\Temp\9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe
"C:\Users\Admin\AppData\Local\Temp\9b9324169784eda723200301312043ead96a00f4d475ba9ce9ff10f2df35d7c8N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\Nfjjppmm.exe
      C:\Windows\system32\Nfjjppmm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:652
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        38⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        56⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        59⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4152
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        77⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        81⤵
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        85⤵
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5136
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5224
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        93⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        94⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        96⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        98⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5576 -s 404
        100⤵
        Program crash
        
        PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5576 -ip 5576
1⤵
PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
128KB

MD5
83abd53ebf7b24fafe8fe8127cb65c62

SHA1
8dbd9e74c9536096a86f32280556d4f07948d0ce

SHA256
583ec46f58710334f632f02124ae3ee5802ccc176d44da8381c854ef2d5ac474

SHA512
2de5c18563dfab60c8e8944c600ed2bc0816d12629eb6cd8a6997ec8a302d42a9e730df27c862c048c03c3da90222710e755b0f99545a58c7bb79d294bb907cc

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
128KB

MD5
9c8f92af3bd181dfeeb3c1e8d4ea2762

SHA1
b44bd5bd91efc4a8144e827c5b4acf5be9e89069

SHA256
d6ad6177e36e2cdb1fd353767ef6ab5aba61a44871962a55b15756154ae16f9a

SHA512
3fe68a20884a2002a0c6ee360c7b8493fd0fb3d8cfddcef8d6d4b012480c8d07a7902dbeca51577465a65eaf2582f9897f685865a89afb359739ca9fa0aa5df7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
128KB

MD5
1d76b888a7877360d371aa0176d5b2ca

SHA1
05f2e6651f90922dda2d29f7545d51aef894e217

SHA256
6e259ed0eede44cb0a87e0c54201365c7a46c2fa12bb3802085f7ba3ff878d59

SHA512
a13afa7f4039fcf3b97446c05ac9baf0572688fe161ad3552d7b0e64bb6c12ab4ca5604a870f4dd5ab0483b0f051afc06e8798eb8d131c8b07d31279929641ba

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
128KB

MD5
6f141aec9cbd425c1e81a001a0566b80

SHA1
1b0775972c04636bd04bc18cffe428154b69d408

SHA256
6bd9b89f13198f45b81008148b9669020a95f5ae21eea1b03226404340191f17

SHA512
f83e39315a9b0137289dbd1ccd4918a7dd4fabdacb97e1aeb50f89cad07fa7ef6d0d6c67bae0db27a3a2a38ea7fd2e4507afd8fe3dd1d742513aa5472511b0ff

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
128KB

MD5
40f4352f271536ee42fa178dbddb6641

SHA1
bb8712bb15ba5e25c1c5cb15b74f67f204e53eea

SHA256
8bebf6bbb2aecc80106af5dbaeadd5cc63713440fea89b5df809bc2521b8d9a4

SHA512
819117ef4069eb4b983a42d5daa871c4dbd2b41a7d569c395f081d211f5034bb27e96883908c138a747f87753115d02454ac5cd1559289776ed1060e4303bcb4

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
128KB

MD5
956a0ba67ff5990197be6ab182125c69

SHA1
b43849cbe331fadb349a6875860c4a3f540b9c1d

SHA256
f33c1b1fdf2b51c7d1f3e20cf1570b5d68f1e1a468229863db8559312bbafb1b

SHA512
e8b975a888fefb02ca5d6e70a20c6a16b2ba02610b3524c253227ec150f63b766e8b8dec872ab63b06cb16f6ae78e04964a8c40cec2d6ff6d95f4b24a7eb1ba4

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
128KB

MD5
9bc9c81b0d23c46137e8e622be0eb76b

SHA1
9bb07f1005b9e342e100d9ad56890ada86642b1d

SHA256
8d731edcb3290e8dfb1abca7632b235c3247612649d7fa80c8c15c16921093d5

SHA512
8a55d8b1575c39804a13fb6d0360c0a46c4e45fa41832d36b624a2a0503b853171dc08de662794fcfda7196efcb7a07185824e17d0bbfedd4eba6277a63e3831

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
128KB

MD5
fb5ed8502302cf4b960b5e7c8c613208

SHA1
32f25ee6fa4673a9c0f60c553cd690ea44bff834

SHA256
a5edbd668eee18223b69e96e743ed0d0e652ba6a3f228c2f30211210fafd55aa

SHA512
1ddc2a6f17f43ab8fd57d26102233ad018da4805e4ae9e79aa6fe098c6889d86c666b24c56e1829ea2286a983fec3a9331a8e318b879c474d2f46436f8090353

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
128KB

MD5
0fd34f094498291ba87582874a0fb836

SHA1
f068e9c24bbc0db3d76d115d2b2888af5c028a7b

SHA256
abac2c8eb3f6a7551bc84cea597ba6a7b924355c87bb3accd065b503b0c418d0

SHA512
68a9b8cad599650547a1334ef81baa09c0dd4f00359dee7098ca787afa993087b5c1442378c9a9fc35d51b16d7cdbabc849efbefd2297ee4852392550d7c9cd5

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
128KB

MD5
d70495f5fd8b5b2a8eeb033bce0e7478

SHA1
aafd9465eb88135f7b1b14cf86c687d8498ae7a6

SHA256
745f50228533648be48bfb6a46b45a70ef0caccf3f6b1c79c0dd20f40d422acc

SHA512
6000edea431d1f354cfe554d9dce10584b2955f8bb5fa814a450df03206b507fad6b9f2b27b09659af4301fc821f6212917f01a53daaa8be2c8111e5dfac0a2d

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
128KB

MD5
ebdef7a0d6f7897fa491581336b9f157

SHA1
29dae30491ed53f6f7bdc2fa183d7397f59f7bb7

SHA256
cd064e19508843b287a49b3b6bf0c1c63be181faa7ef46e6d7c2ff1bb303fe0e

SHA512
57f30c05e1062b10bf4898b9980c14870461e2089012c274939496bebdd5f11335ec5732faa6acdf76642e084b865c0a66824f4c4449aac4dd190d49b39cb8e4

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
128KB

MD5
71b220b9635aa5c3f77f86a7b9bba611

SHA1
3524a82273fe62cea91669e6840cd51edaf32d25

SHA256
3c0e033e484dc3cc8aeb0231d485ec35a399e9cb1fc8c4112eac4c435cc755d5

SHA512
d7191178df8ec665ebf293559bc5ef5cdeb6ef6316992133ba83e45819d4f1454741e3780813413d342b267b00dba112747d6f0371532bce454489014308d8aa

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
128KB

MD5
18fbbe027dc6e1cd18ac939a2f0b8080

SHA1
8a2e3173152f79b39db8da2fdd7f571e70f9d081

SHA256
3a23857edb52b4e0f3aafdcb8ba483ec49a3e4db7d2b33785d609b54d59f0167

SHA512
33ecb45488e6dbe2019131bc456cd5c70f85c218b00a3adc2d0a4dd1e7e5841fb2f9396acbf36a18c7d48be4472ef34b54fd848d205e5bdc6a16a1aae3fd74b9

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
128KB

MD5
d602169e7f15ede5211fc4da7941712b

SHA1
4606a0f053ea5a7637c687f8d00d50053c62d341

SHA256
05de63a61cb5c67f5ab12651f5538760d10772f59b9f8ac91f2872111563435d

SHA512
65e76d1596a11ad115e84878b0826dbd5bfb3aa943af8a17cab7a577072ac7d95e685448617994eaf34a83a5d133aa17652adb5cceef6af47f164b2d5421b0c9

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
128KB

MD5
593e617631e72ed52432fedcfff77d15

SHA1
fedd9fab6848ade37bc0bc7eac81fdc22f5f5910

SHA256
8cf08bbddb84c8f8dde3f3030bb5460f61d5f2402f21daa132a1a9a4f36deddc

SHA512
14a295f83c48ea876d1206add315df826e0617ee9abc87213d96d62a0917b275d76dc5b99c0eca9fa03d1af1619259328c11a597cdcaf2c0037db4ec26e6458a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
128KB

MD5
eeca3500735598118305ee5f17a9a3f9

SHA1
49628246ecd70fb3e04077b5777fcf926b95774d

SHA256
bb31ec5bf59e3cd5c04e527f9ff30e04b14ae8c1671ad6fde9ce37bafaacfd85

SHA512
252a4705e6ad2408f6ec898eedf8c8f116a62054fb263dc5bd68da6087014bd5197d5abc1426d0c78d55471ff71ca85d8719d81f7b94f32cbac9c04f051e5dd1

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
128KB

MD5
7431ebb546177c704210c50754377006

SHA1
0c98227714a8f2e018364e686a73d350ef422f90

SHA256
be39388351e8baa15d3fdc222e7a16b64d9dd8dad8940259030d39b0ce0f58c8

SHA512
70ba0b4d0ac0c4eed07016834511698fda36dc01f425595279a5ab63a1655f220e56db0d57fb46898426c1b930717d9fd85dfc56e1913bf144e590a54a8e566c

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
128KB

MD5
f579b4730ddf9e8ab38289ef5b698db9

SHA1
67efcab51ee64add23d539758e06bd14163527db

SHA256
42830f857bebf06aeb9675d95a133083317ee8cdde747ca24e6491e137d4d0e7

SHA512
b3686b7f4701ce615b7189d325c23ab681bb58d9c670f01785ed97687a453c53c1fa840ad0531d9881cb2ca2fd0206d03a96797e3cea62b4170e078aa37a6779

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
128KB

MD5
92bfbad1b2f0ea9711d6db7556fd59ad

SHA1
58245881271e94f64caf68f26fbdcbdeb04b6930

SHA256
35b43a3a142aad751eec3fc3d285c70b94c35b91ed4ac3063f6192b9ee4284f0

SHA512
4932f32c6d5f9561f03980ba7a57a048664d4e8808e9fe4f2c89c88359f8184b8859b9b162b3e91a220ebfaf4f0028f7cd08e87785a3c1882cf6c1ac3c929808

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
128KB

MD5
a58d0543402fddd48726e64da7218d30

SHA1
16c6add089b5c6ad4381d3209477774f245ca7fd

SHA256
e4f969f8fd158860a68ed957cdb6ad93d5a0967a7318f6d121d7851223d7e927

SHA512
36a5fa49f6383385a774381001ba499ff247cff42fbfee4c78b0a7ce948753d20ab0f7732e09e8bc5f2fa45dcd3c8eb4e3a3d2dc14e97c75a97878e224b31181

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
128KB

MD5
7c695cc86757226290d2be987cc484b6

SHA1
d6de83d9efc8ffa75e85bda19d1241f81c5434ae

SHA256
c4e6e25501f0de56175c6e21dd188bdcac3aa7045edcf09979dda37131d1b109

SHA512
c100ef06441537b6eefc2376112e9630e570eccb0a42152edc4df80d5080bdb1416fedc86aa5475fd823a4926bae0fc5b2faa73ab89f5641d3f090983dcc65c4

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
128KB

MD5
0dbffb790785e60edd97fc12fa9cdb3f

SHA1
8a914ea260be51d476fbbbb1a1af35877519b485

SHA256
0b0544447eaa38fbfe34c3ac8ad5fd22d4a0631d2a71f4fa9689aef4f3827e32

SHA512
66c7b5406cc2ca30481225e763139d5b919e9d00e56f57a0d3f342f16346977afada468a004f08fd4795fbf960a4b10696221e8839bd77e40283fca5a079e1f0

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
128KB

MD5
e68070a8e5ef6d84a52b3e5736201557

SHA1
01161bfd428677a7fe7bde0ff377ec98f73065f8

SHA256
0c75e14c92ee4cf6a3a8a6e2ff7b3167f7f70d33da630139705d7688133a5279

SHA512
f235e24d0f83086a423c572cb1af4a4e0321b0b69e677a181bf9b966b20c9dff88eb5ac9fd0cc7667f1bcf387bc31275f1b9cd25446866b104af91a001c8d0f8

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
128KB

MD5
2cb297b2af5e4829144a6414858b7239

SHA1
120027adb13f3bc29dc4556c5e774514c9148527

SHA256
3aafba9ec8d516cd169cfa926e87ba3abe113e9ba6c14b53e879734f3fa72d93

SHA512
53bb9793f772b8bf1ed29c232220423aaf368b7be7782fb2a566cdac4b12400b8c9dcfd638f944a29996d56b690f59ee23bb705844387aeecbccc6351fbfcbb6

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
128KB

MD5
8bfd27cd955053166d346fe68615b338

SHA1
cd7a2b4e590c9917b0a87048c823a1f28c133cc2

SHA256
ba119a100c0b45367e39b3cc507756d759d6310b4c404dbfb271956750f36500

SHA512
b41483ec794405a5f52170f1e879de9e7eb05705cfc4353c2069ba1b2d9d795399a86f7f05c41df552b4a8bda7ece1c75a6ae7102e443545f364eb68146ef9e9

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
128KB

MD5
3b27ee9a53ba4f46f95750af3a60a40d

SHA1
0acee588f6ea921fde1a06073f523e6f6fe79dfe

SHA256
07f9275e30ef3c26895b3c7b3a2b0172a07e430d6e8346fcb9b92e6bd6fbd096

SHA512
906b87014ea0a830afdfed0361e1d4894e3bd21175d6ac924c11850bf0c2bd29b61a6c6f292d9d8a4c8fc5b1cd72626f33a43f21bd075760f9658e06e1ebfc73

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
128KB

MD5
539c3763148143338cdbb7a5ebb47043

SHA1
cbbe76f06a9d621872ba06185b78a010eb008b1b

SHA256
8040c1ca19ad54222ee5dd934f36be70a80ab57d4cc7fa8ae80368d403cdcadf

SHA512
b8e97d37e0a6f86a235c23a4882293abc9e479edf705e3728fc3494a42f685ac64327a25e6b6b87808eb139210fc5bc0eb9dc2cd9d18e311936a6e4de5199f27

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
128KB

MD5
25b4800d5b693da8c891bd82c6e19bec

SHA1
5b81391bd98b78fe38b7a08ff08e5b40ee70c9b2

SHA256
1e7f9e3e8ac8943c3a6e1a2dd8846c5d23f88d8bea8dcb33a03d3b7078184852

SHA512
e502ba5670a96caec8e0c3b1902e398e56abf9301172c0013e42326891228b5d512dff7ee99ae718f2b8c4e2cbcc5aea616634cbac874f64f39fb6a0517a3bae

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
128KB

MD5
e1922161b02a2e3c1534e587771b81e4

SHA1
aa59310a6c1d04a4f42c904a832f3ab9213bf162

SHA256
3d3c70ba08588c6ff12eb0e500348dfb1855860b8bab66800376726030372197

SHA512
e32b9fe6934827022c70686a3c94bbca1a4d9f8e427f0e096c7d5de8fcd2df029d0199abb73e82c9aedb06cd898ab302b58b7b8070062a0b094acf25ee6b609f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
128KB

MD5
797be5686d1ed627f3a910d63a81349a

SHA1
15b1f8308e8498e894a7696fd6eeafd72a4483a2

SHA256
407708e2095c72ddd8d16bcb87ebb17214d790a6e592bcf8444da767f5b9ba5b

SHA512
d5c7311ab67171a94da9b27512e28f02c7e1fa1164533073e5c1008e04b9e9102d2a0f91e90d4cd283c58f945af57e10f244a718dcdfae4018eeafd5f2a9821a

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
128KB

MD5
4902a0f654a7eb371415f7ef8ff05db8

SHA1
23deaf4669b86f99bf90e9215586f2045a2e13c6

SHA256
12d377db6f472d6ccb1694b7631189e9a2071bf072f15ca6fe45eba8c1430701

SHA512
cd3ff14904d89445c025088643981985a8403b07b449a3f2d7d3d41f33d502434c0f8c669f84ca8a3b2d21a0642524c8f70f871a7325c41aa9fe441afd2ef0e4

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
128KB

MD5
d14dcb24f119220e8caa70ba3b9826a6

SHA1
0175bfa439ceff3637308abee2a251bd9e560051

SHA256
d495e08d6818b3fd1ce243c006c3b699f60d9786a6cb8cb9610a908d8ab618ee

SHA512
9361ac4f3df9425a8888567e71bd55bcf914ee7cefc089cf5f738ca2e54ab875452b25d5a3894b352a7d34b2c6c6db4355d38a6fcdcdda37ebf5fa0d025e4843

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
128KB

MD5
9fe5803229808135c718dda0e348d646

SHA1
f1477b62f55129c943917631ebf2c42613a8ee38

SHA256
ab5de12bbe465650787876669953488c4aa8944b487ca22badd95db3da661734

SHA512
5ecb08a69a561a4114a19af461ee0530fda8d58e3a44d0c7339895bc7c6f574714d04e0952ae6322164df0d4f7dce29b6fd74ce4513b5318bcc9a4d4f6f00205

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
128KB

MD5
3e0da3fec0e8f7cdcc4cc7d3f3ce0112

SHA1
8c671f14a2fd074d21b097d06137d69d8b50a0fc

SHA256
df66988d428939e35f6ab4d7f4017b60da5d880613e66d7953b739d647aafa00

SHA512
40ac477bc7f7143f6fdd33321eabf36fa2162fc2633bc67278924850beb2dc1e78ea2521ae8ad242ff64c97c16e9abb688485b290bee3392b9825eed19f5a5b1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
128KB

MD5
374838541d0b86a72f7795ccc9389440

SHA1
1d0d4cbdd2f21addccea8e1f09d03c773e3b0fbc

SHA256
244fdb1ac574b4d38b2cd22302f1fbb15fd9d88a47f0717eb05a90a658e3dbf7

SHA512
2064ca128fd65a31bb7bbe4822d00947c2e054c6799a6ed33dcfca0960e944b369e44e4ada2a6adb7be65eeb5cab5cdfd61e96824aa1c971fa7037eff88256b3

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
128KB

MD5
1e0cbb49f3f9037cd82914825d4d5c48

SHA1
2c67d07aaf7fd3a8500e0db2aa94ba5141733c1a

SHA256
b25458958a616ff4ef8a14a113ffdf58a7b84ab1d29a1000a33a76a054761200

SHA512
8a89b89b1680976985eb5838c5c54c87449f7110bfbdf982da6ddde4657ef6f8614584b37baffb9c7648be0037efbd81d27af9f0e59e4d76e14c50fa23f5534a

Download Submit
memory/212-566-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/316-580-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/388-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/392-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/552-490-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/652-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/824-549-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/876-579-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/876-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/952-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/956-508-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1252-552-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1464-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1488-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1536-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1552-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1564-572-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1564-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-565-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1624-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1704-577-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1900-104-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1916-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1928-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1948-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-460-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2024-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2028-382-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2032-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2220-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-538-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2332-364-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2404-520-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-594-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2416-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2416-586-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2508-502-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2520-484-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2544-472-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2684-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2744-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2888-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-587-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-536-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2976-388-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2992-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3124-496-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3308-168-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3356-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3380-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3440-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3456-448-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3512-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3732-466-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3808-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3848-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3856-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3864-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3960-514-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4008-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4100-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4152-436-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4160-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4192-144-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4280-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4308-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4344-316-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4348-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4404-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-544-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4440-424-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4444-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4452-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4512-478-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4516-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4528-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4572-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4604-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-551-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4632-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4636-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4668-526-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4708-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4708-593-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4772-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-558-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4852-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-563-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5048-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5052-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads