berbew | 1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
Size

74KB
MD5

6f84ad914d98c0bf726828d96086e920
SHA1

9a51bfed5450d4fffb2930323560abbef33d7908
SHA256

1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843
SHA512

70d04900ab5c3608768486eb9986560040385a0ecce86754a2065daa21c6f270c0d56e8c419ee0b0defcb9eb1c1617169c21987aaca5715243acfa487c3c45d9
SSDEEP

1536:A7E5QwzaF7/D3uW6YKLTkRnLNYjKeRlDkUVDkUr+:235txK3kRLNwDtVDtr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1888	Nfgmjqop.exe
1672	Nlaegk32.exe
2296	Npmagine.exe
3752	Nfjjppmm.exe
1168	Nnqbanmo.exe
1468	Ocnjidkf.exe
4280	Ojgbfocc.exe
5072	Opakbi32.exe
1220	Ocpgod32.exe
1332	Ofnckp32.exe
4632	Oneklm32.exe
4376	Ocbddc32.exe
992	Ofqpqo32.exe
712	Onhhamgg.exe
4844	Odapnf32.exe
4140	Ofcmfodb.exe
800	Olmeci32.exe
3544	Ocgmpccl.exe
2548	Ojaelm32.exe
716	Pqknig32.exe
2720	Pcijeb32.exe
4812	Pjcbbmif.exe
1744	Pmannhhj.exe
1864	Pdifoehl.exe
5104	Pnakhkol.exe
1688	Pgioqq32.exe
2472	Pmfhig32.exe
4700	Pcppfaka.exe
5000	Pjjhbl32.exe
1740	Pmidog32.exe
1956	Pdpmpdbd.exe
3476	Pjmehkqk.exe
2160	Qmkadgpo.exe
1540	Qgqeappe.exe
2424	Qfcfml32.exe
2012	Qqijje32.exe
444	Qddfkd32.exe
2564	Qffbbldm.exe
2076	Ampkof32.exe
4988	Afhohlbj.exe
1844	Ambgef32.exe
4752	Agglboim.exe
2596	Amddjegd.exe
1436	Aeklkchg.exe
1432	Ajhddjfn.exe
1244	Aeniabfd.exe
2872	Anfmjhmd.exe
2072	Bfabnjjp.exe
4548	Bagflcje.exe
3316	Bganhm32.exe
3208	Bjokdipf.exe
836	Bchomn32.exe
740	Bgcknmop.exe
3748	Bcjlcn32.exe
2276	Bfhhoi32.exe
684	Bmbplc32.exe
1240	Beihma32.exe
4452	Bnbmefbg.exe
3428	Bapiabak.exe
3244	Bcoenmao.exe
8	Cndikf32.exe
2264	Cabfga32.exe
3688	Cdabcm32.exe
3788	Cnffqf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ojgbfocc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1736	2912	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll"	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npmagine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpllc32.dll"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1888	2808	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe	83
PID 2808 wrote to memory of 1888	2808	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe	83
PID 2808 wrote to memory of 1888	2808	1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe	83
PID 1888 wrote to memory of 1672	1888	Nfgmjqop.exe	84
PID 1888 wrote to memory of 1672	1888	Nfgmjqop.exe	84
PID 1888 wrote to memory of 1672	1888	Nfgmjqop.exe	84
PID 1672 wrote to memory of 2296	1672	Nlaegk32.exe	85
PID 1672 wrote to memory of 2296	1672	Nlaegk32.exe	85
PID 1672 wrote to memory of 2296	1672	Nlaegk32.exe	85
PID 2296 wrote to memory of 3752	2296	Npmagine.exe	86
PID 2296 wrote to memory of 3752	2296	Npmagine.exe	86
PID 2296 wrote to memory of 3752	2296	Npmagine.exe	86
PID 3752 wrote to memory of 1168	3752	Nfjjppmm.exe	87
PID 3752 wrote to memory of 1168	3752	Nfjjppmm.exe	87
PID 3752 wrote to memory of 1168	3752	Nfjjppmm.exe	87
PID 1168 wrote to memory of 1468	1168	Nnqbanmo.exe	88
PID 1168 wrote to memory of 1468	1168	Nnqbanmo.exe	88
PID 1168 wrote to memory of 1468	1168	Nnqbanmo.exe	88
PID 1468 wrote to memory of 4280	1468	Ocnjidkf.exe	89
PID 1468 wrote to memory of 4280	1468	Ocnjidkf.exe	89
PID 1468 wrote to memory of 4280	1468	Ocnjidkf.exe	89
PID 4280 wrote to memory of 5072	4280	Ojgbfocc.exe	90
PID 4280 wrote to memory of 5072	4280	Ojgbfocc.exe	90
PID 4280 wrote to memory of 5072	4280	Ojgbfocc.exe	90
PID 5072 wrote to memory of 1220	5072	Opakbi32.exe	91
PID 5072 wrote to memory of 1220	5072	Opakbi32.exe	91
PID 5072 wrote to memory of 1220	5072	Opakbi32.exe	91
PID 1220 wrote to memory of 1332	1220	Ocpgod32.exe	92
PID 1220 wrote to memory of 1332	1220	Ocpgod32.exe	92
PID 1220 wrote to memory of 1332	1220	Ocpgod32.exe	92
PID 1332 wrote to memory of 4632	1332	Ofnckp32.exe	93
PID 1332 wrote to memory of 4632	1332	Ofnckp32.exe	93
PID 1332 wrote to memory of 4632	1332	Ofnckp32.exe	93
PID 4632 wrote to memory of 4376	4632	Oneklm32.exe	94
PID 4632 wrote to memory of 4376	4632	Oneklm32.exe	94
PID 4632 wrote to memory of 4376	4632	Oneklm32.exe	94
PID 4376 wrote to memory of 992	4376	Ocbddc32.exe	95
PID 4376 wrote to memory of 992	4376	Ocbddc32.exe	95
PID 4376 wrote to memory of 992	4376	Ocbddc32.exe	95
PID 992 wrote to memory of 712	992	Ofqpqo32.exe	96
PID 992 wrote to memory of 712	992	Ofqpqo32.exe	96
PID 992 wrote to memory of 712	992	Ofqpqo32.exe	96
PID 712 wrote to memory of 4844	712	Onhhamgg.exe	97
PID 712 wrote to memory of 4844	712	Onhhamgg.exe	97
PID 712 wrote to memory of 4844	712	Onhhamgg.exe	97
PID 4844 wrote to memory of 4140	4844	Odapnf32.exe	98
PID 4844 wrote to memory of 4140	4844	Odapnf32.exe	98
PID 4844 wrote to memory of 4140	4844	Odapnf32.exe	98
PID 4140 wrote to memory of 800	4140	Ofcmfodb.exe	99
PID 4140 wrote to memory of 800	4140	Ofcmfodb.exe	99
PID 4140 wrote to memory of 800	4140	Ofcmfodb.exe	99
PID 800 wrote to memory of 3544	800	Olmeci32.exe	100
PID 800 wrote to memory of 3544	800	Olmeci32.exe	100
PID 800 wrote to memory of 3544	800	Olmeci32.exe	100
PID 3544 wrote to memory of 2548	3544	Ocgmpccl.exe	101
PID 3544 wrote to memory of 2548	3544	Ocgmpccl.exe	101
PID 3544 wrote to memory of 2548	3544	Ocgmpccl.exe	101
PID 2548 wrote to memory of 716	2548	Ojaelm32.exe	102
PID 2548 wrote to memory of 716	2548	Ojaelm32.exe	102
PID 2548 wrote to memory of 716	2548	Ojaelm32.exe	102
PID 716 wrote to memory of 2720	716	Pqknig32.exe	103
PID 716 wrote to memory of 2720	716	Pqknig32.exe	103
PID 716 wrote to memory of 2720	716	Pqknig32.exe	103
PID 2720 wrote to memory of 4812	2720	Pcijeb32.exe	104

C:\Users\Admin\AppData\Local\Temp\1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe
"C:\Users\Admin\AppData\Local\Temp\1e4c9acd2eabcb363b4ec4973fd6e0ffcc6b42ca3b7dac84dc73d1c7737c8843N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\Nlaegk32.exe
    C:\Windows\system32\Nlaegk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\Npmagine.exe
      C:\Windows\system32\Npmagine.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        35⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        80⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 412
        84⤵
        Program crash
        
        PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2912 -ip 2912
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
74KB

MD5
dcd6d4550da27e140f0b8e4db079da3e

SHA1
6922aab924934a2a8edf2a0f6e969d371db88adf

SHA256
8b03c72db7b73aad1d741fc3c058c2b81677ecbb92672cb82f5d9cd8185c6d6b

SHA512
1c03a5b1bac24b9bc563d164679ded6209abc8012b3cff958c16ae60b5a96e190fee4b21acbee60a398be9bb0f2df3a2f9cd0c6c1ef0c5f3c1ff809401bd61f5

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
74KB

MD5
a8c242d87ebdacbc1f76ca0d17caaf04

SHA1
e3bcfab6dc59a2d200b4ce7bd2aa3a8ad83e683b

SHA256
b382effe03d52806981123805d106fb0d00037f03850639b6ef8fc22833b2f3f

SHA512
8f324dd1f0a26dbea36fc90ce009f29637b55c78eb448ed2ed01d9d53efa4fc55e9f2552a3a1361b358c26e8ce3bf894bf9c08eb0358c778ac832e15953b7cb2

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
74KB

MD5
9dceefb58d9ce1ff8e76c70fc4286423

SHA1
dd9f5f3c2b15d74045f5eb919b23a39d473267bd

SHA256
45dab88b27be95dbb5ddb9e01cae9c707063091277f59e639f4a07d1ae2bcc13

SHA512
4647246d40d263f2352461bccc1d277ffdc1a2d315d0fa19bf0886888b21a16254723e966b2cec6d217f34bdb6d132b6098b8635b9cc846ef3f8bbaf4deb14a2

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
74KB

MD5
a0d4a8f8a6d097adbd56c4f22151d639

SHA1
50a453d2ad93e3f4724fd1f0a235ef707883223f

SHA256
c34f0fb1d64a20acf0a99994f3a4786662c60216fcd13a913ca97bdd122ecd20

SHA512
eaca1d2d8a7ce34d2c2bf4f730c7f18a69246161b69b637c675857694cfee223c3d746c37e6becb1424b7e9955e9b43af043d026cc0914e6658098d6dd9310ce

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
74KB

MD5
0297a9f442d5cb8d238bd80cee3a51e5

SHA1
0cee7b8da7f1d5b965fa178b9c8102010d13022e

SHA256
56c9e4aafcdd8ddb628bfcb329f472bf1aef918f5e9524b768bba888773e5cae

SHA512
9f0e2b11314fe0a62e0ecf34b20640e1ca33ee7f1d047984c5d6e05f303354c34e840596c6789a45da17990f535bc344e559deb35a15e770d3da4458680d9d38

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
74KB

MD5
ec3b6ff39c4febab438b72b265525c0e

SHA1
7cfceb9b3eab6a875698c60aef7ded7a7bb2b31f

SHA256
9d0a36b77c0597881dd705b209996b2363ed7f5d037fde94873057611e28b40c

SHA512
fd760db6bce99a8fb48f746031a0794c825066902b9d843da56be9334b86ec17a570945e3b5837817f9f707e815dabe10de836759d3560fe884404c9292e8d6a

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
b137e5cfe18aaa66555f6f6886b8fe8b

SHA1
3642d9ab2705ce347f878774da2c405f8a5fad14

SHA256
9e73affcaa603ce37cd61b8cbbe2941490c0dbfff241566f3815937a13414823

SHA512
43de038606b691e89aa994ad1eece499318daea225a576a2ab96180a9ac06a8da8f55971bec5976345394890c47e0376f9dafce9a9f74d0dbab8a6c1f63a6e7d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
74KB

MD5
847e81122b689eb8afe2b6a07d80b2a6

SHA1
56328c74a1c34b777461989b354c7bb978489300

SHA256
c77acd4b74421307e90ad147b2ca494b1731a9cc84f7bd7b6edaeb32934ea4af

SHA512
9a30c423a0fb697f7445c5d5e391fd9c2c9a7aa7a6017541f0279db555e11a521123f88bf8560000cacdf0f5b6381031e70eb63849a027be639e73cc14be9039

Download Submit
C:\Windows\SysWOW64\Gnpllc32.dll

Filesize
7KB

MD5
9228129ce53e874507bdd71b5b6ae4f0

SHA1
b0875dc6e067326814f3747446eaea61a8252c8c

SHA256
30d9827b3995de5eb126b357454975aaf455431a8737334f0467459e3757ae85

SHA512
00117806e3e016a831ed1ed009522250d885cea01c4060c2083ea7b9694902a65b9b2b172d6c5ac36eb70ce7c67b5d5408389a3f4bde75743e3ab5f36e2c37a4

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
74KB

MD5
2f4b1815e1aa9e1acac92bb66d2d1875

SHA1
4b256df27d5d4eb2bcf6c9ec87d4554050df3420

SHA256
bb37bab489693fbf40d5548867127f165de6a425fedfb7fd854cbb6fbed12fec

SHA512
435d306e3ed3fbd1729cdfa9e7c54ca32f27a5d6df5f83e72ce70fdfd3614fd6319ca9fe6aacbcba8bea94b3e605096e01713a4627869f4df4ee7b315a59a851

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
74KB

MD5
8a6f7201824797fbede5fc553ad4d5a7

SHA1
8629aba18be10ce95e0bf917c50be11f9a66222a

SHA256
8b22fde89fc922a92db9c3345256346ba639a43c66bc0fd1ff3906f37465ee05

SHA512
8a43d5728d0d7f04b448f738dd9b0fbfb23c97358c2b16b8f464e696259c0f6580d7343bbe46d6220b6e837ff6a8ea94290ae6d43cd71b2caa4592cca5c11f33

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
74KB

MD5
0ae395082e5d9761c85bef7adc51aa2a

SHA1
aa5790ccd993c575f23b675481da29647f8510ee

SHA256
1fe3e6456ea699ef724dbe4655d580336d51fd8548ffbba0330459627e96efcd

SHA512
82d1e1bc9939abf71ba8c3f128303f9b45b0c186ae8485ee23e49efea54ccb00d32a20b7b141e25d7aa76cf54e669e5d25fad6d70c68a8d5d13f98852f726a58

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
74KB

MD5
0bca213aaa8e2b1eea5f2e7e7677551e

SHA1
a2d96e6a75c2a06ce33e9afd95c5deba3b220bc8

SHA256
efe129afc79c7a3dcc166aea21315b78dd34411fd7ae28a0d47c66d624549af3

SHA512
0c124f5b1aa0c4e9cec55d3682150251dfe81481d109fb1d28646eb9b084c582066f379394eb5eceb8b56ad13c9558d97db0c9ef7fd20aaa279acfdcdb9be55a

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
74KB

MD5
0d31e2e2d9946e10d4ea1922106938c5

SHA1
9cb747d6fe66e6565a0d6c9c6083e6054f8e6de6

SHA256
c469bc5c1005c61574efb231fc3d9e6e2d8145cd3a4c61597e7a33691cf9b546

SHA512
bec194609bd43a8fea2e720f95accb3952232a44278ca0d9211c768bef0b89d27722677c8c8085529b7347f14d2a412ab9ef15da05a99f7be224e661fe1fc3fc

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
74KB

MD5
8aef3bc1f1a7c3d8941ed83dc795a6b4

SHA1
0cffa75aed2f5d3f777288568b494604d68f772e

SHA256
096e1bf14b4bc44c85fba544516b18dc3e2074bbef2dac44ecca527fcebffca1

SHA512
891fba2beb1129b715bc5ba1a6cce086e844d8bd3648a6eba63fd77d1f458976760d21d712731dd6d28e5121754416c3195f6e7c94980650a43ef0e2442d7e50

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
74KB

MD5
b4033fb42c08de5026dda219325a101f

SHA1
3f3472b1b8ede67fe1e49cef263e5b5175f473f1

SHA256
67c932265587ac33306b7f088f3d68bf6685c153857c77ebafcfb8a30fa920db

SHA512
86db14f4b8cc6a586b768b7f85182ad1d8008d7a7653a8385e7b230b70a8b7c352b1eb0a3c89aebcd8b5b07f6f588781ddda2c9b68fefba8dd0064601b057175

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
74KB

MD5
3c5d606379d99e833b9771e0f268b3bf

SHA1
2fcb346ce4a786471c06a204e0eded3d497434dc

SHA256
25cf3082dd0d78700c5f917f451e5382189f4cc97e62726bba702e184d1ee8e7

SHA512
594f56eef2af95f1a85d9acd6e2a420de4025e454a20817efaf280243d2662be90231166bd0f9d054a8c3df08566fc519d93be6ce0d9f78c73605012e62a2994

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
74KB

MD5
fbc7490a27032d1fe8316fd42903dab7

SHA1
7060975c3e33cdf45f1e6d63b33084c992ccb544

SHA256
ab111486f2311a0c60a865ab637877a569512448e95a378bb441f620bf15002c

SHA512
6a14b9943233f08da8dc3dff150b114e3ccf071b37733eed29f970c39ae1e675223b573d9e661513f13dc198271e14db58dd34e9fcf81600fcad3cd52f5e4020

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
74KB

MD5
0b3d13a1bd5b582d3fc7bffa23819ba3

SHA1
acfd36bd86863d098cd59fdff58a9d77b2967967

SHA256
a026dda99287a623c77fcb49d609e8c4e0a61d6b1cd21d4302a0b5a4ab560ec9

SHA512
e97c30b86fd726e9735536e214774159537bf3b6bfee9d618bf12f0ff981575eae2b4b6843a348c07aae13e3e53441a884554e7b914a74b0160a1ce6db6f32d7

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
74KB

MD5
48c28428950baf665b851755758ceae7

SHA1
db29744da114d31bde28b822802717529415b793

SHA256
d414a8bff97f63ffdee743e52ceedbcc5dbfc19823b974336d2b51c57ed19826

SHA512
92ace708e76597ef38bc7921af3a59c99c88e744ea1b2ae63b81a088e737a67bea4aa97d080018b3a52638eab2b89b89b9ad51d945ba2afd1eb627f22fcda431

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
74KB

MD5
bfdda92cf693282cdda6ae75cfd10677

SHA1
50a09f2ea50db1c5800207977cdd2c4e9d6ef77e

SHA256
57b26a696cdf7303b8c55a818ed5fd6ccf6b80d4eee7b7b5c2bc6fc435d50466

SHA512
1cb1596c5975a8dbad05dad007830ff4d815eaeba951048e21a34efbcaa7d7ca0cce7f9f2a477fd0ed4754c3f5189baf4f847496e551bf26e783c07f33d685f4

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
74KB

MD5
09c569b3206cf2742dacd8a6765f7c03

SHA1
b9ee64e6046118bfa4b3f7d2bfcbb7bc4641d3e7

SHA256
66388c933ea928965a9b623da2d35b8d51262ffedc09428fec3fe2e30901b1b3

SHA512
151e625c5696bd6216cc991d853eb55d13b1997ac42ff16304c0521dd0af8d3b1700af3c9ab81d9db75d236fe565fff75043c383dc0d5a4d6401341eea60b016

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
74KB

MD5
a605252086cfb06886d6cf175bc2afb3

SHA1
3ad1dfe50a90d1f5c64389efd60cb67f8acec432

SHA256
fd859b5320457123241eb802d08dc3de038231b140135a631d84ce569c6205c0

SHA512
a70d2b7d32667f84af433e9f2371524d4bceac2997a8af4b5342443fda42e9ca35e805cef4233e051ef696a28d12baae8f23dd09f68823924a8da4434bc087fb

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
74KB

MD5
bc12917263ac7d6b655c5a176dde7fff

SHA1
3e5765305bf39fcf7cad772485cdcaddcc729a73

SHA256
3a00b83a5297954b71d353c2a785bd1cd78ebec4d1129405afb4d1d2f1a7e43a

SHA512
65a504c84b17d27c93c730743058ee1708c4f04105a73b487c1a21d8fe30588bbadb625664268beb29da36678a7967ba72c9d1db1d153b6a241e98a201c6e4a0

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
74KB

MD5
593d41bf6f8faf85aeb5542cf67e56e4

SHA1
36f306935ff983b29e943821730236a19bef72b3

SHA256
df249e40a8f69cf95e5307ab393ad23f89e9c52b1e6194357cb68f1ac582e273

SHA512
6a477cd646af5205925fcbcd4a5faa798361c9b78730871db1f15b42d8b35f4ad2f2f0270d7d9bde87e4e1f17926072b0b539e43d124709608a1317dfdf46abc

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
74KB

MD5
0643a621823553699a7018967396801c

SHA1
d5f84b405e87b5c051c739c6d2570cea09aa770c

SHA256
3f0864a460dbe7bddeab227b5113bb2dc03c32182b87131125d33667c1a3b6c0

SHA512
8689169cb622e4d0b7c1c362bc6d89082f07a4eb0fe57cd97b163f1f91d09939dd008e0f8f45f8d5a34a0adb67af8fce7ec4530709bdda17cfb283962dfc8536

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
74KB

MD5
24a34f9f0c1da3789bbc203f54d0a86f

SHA1
d323edf483e14a8b506f3f9ac230f1900b0c98fa

SHA256
7894df12759192cef7d1f281efa4b374bc01cf0da6818b8f7d919a06935d750b

SHA512
1af5cc6b31e6bc83d1d53bf7afda67bc09b2b0079a7043d1d56c7ac89c53347df5f112e355375d788fd3e406010ebd240d4f776ec2b06231560249df728cd8e6

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
1f34d8f4ce06fc15aec34a7efed2de1c

SHA1
e159a5799757ba7db69eeb119d0b59150215aee7

SHA256
d743c17193a22120dd843d138928c3c5c5d269c7c07c6915f85a11d66f2b50e5

SHA512
9c94f26c114ae8af95352662e8eddf82b47756d311ae6eceb7bbd46305a6b37114a73e15da968265a509107a30b58998da3e4739967450de01f91f813692ce28

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
74KB

MD5
6cca70065b8f1ef08bc347ec5a87f949

SHA1
69f3720403b772ba794e171dd6c2f5ea433306ee

SHA256
8108b978b3663361697be83316fe6ed7dbe7f218128f021af6f629b8f8266d03

SHA512
85862a02e23d48cd6ab206f9e447ebd9a3013383e104babe53dbdbac3de4d43e5257a8a1bb63e941dedb9a38c8ee028d5278ce1a1fe2b177137f01cdca1d436e

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
74KB

MD5
d40a4ab35f3455685f30f78d69e7a5e7

SHA1
e8fdc7cacad66bc1ae7dd0918ade4b49b4cbf993

SHA256
212a8799b22f46c03a5f02123e3ed98b052f38342007db0b60edc742aa0861fa

SHA512
831723f53c06bba02bca57d4aa9ee0e3dda8a8ef42b7fe24fe0dbb6c254571133ef7a8e962f9e432def10013a0e933af91aba8032bf7b2bec0d39b93a575091f

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
74KB

MD5
52dbed6c64a52d668dae0f00091f0810

SHA1
1a6809bda5f1d7e3ceca9c9e9a5a887f1ff78b4c

SHA256
c32b815bb645af69d582decaa6c39907eeddff4ae4214336f31a417ff74b9f57

SHA512
8c7a2a2028aa98aa392a653ac7a83c525044075d7062bc8e80d81beca5262c4ba5e0eb5141ed75d159062af7cfb6e5cf1519d3f29ab428bfa7c42328d8b4c48d

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
74KB

MD5
3971870fff07e0bccc6ff68ccc6366ab

SHA1
e81be8168d8734f78e0e55da00522ee3eb8cb252

SHA256
041920febeecce54102eb54b6a8fdd255a637a051521ee1abe05b26503845caf

SHA512
75bd0aceb2ecb906513bc07443e955e72f2c0c23aef5f5e17e551acf64fe8d982d188fdb0f0310f7447f6c847411d5ad1a8fdbd70b7ec8a48f8323b02c3d469e

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
6cfd6680ed3917e81473421ecea34f38

SHA1
526eb054fcb6950aa6573a68918379643658c573

SHA256
cdb0e0854599f7a546725bc419a561df59066ec4ee88bcccc3dab541f41b9a4b

SHA512
ce9053297e96c83f01ceaf53e3a9fda8b921e48c7f9499a85a803a0b621b269017d93922d6a412ee4c72851bd71f856e5dbf9f81404e37d526c49e96852f0c57

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
74KB

MD5
c3708d7454bed59b0c3636b75d640f37

SHA1
fb8eeb2f2b6300506a231e6f8f17fd2dcb7f6778

SHA256
062305dbe90c4580c9ca112878083cb45182cd2ac5da115048115b148870136d

SHA512
5e185e3a1a9121e4289a7b8670fb2a9d0e0c8f5bf9409e9c136330833ae6c5f3cb04fcc41170d745d5b62e16a0e2c7f68f1db6665b8a2bedbabe28e57624669d

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
74KB

MD5
59a7e024531e957af2fa246d161c611a

SHA1
c46d060da507514278870e2df746ea5148001007

SHA256
f9a73456b8818df09daafbb4549a207f54c4e33715fb350e94ff70a1f94b272b

SHA512
5ba132d3c9d70159891234dddcfe6d1b95d7a551c941bf9d840d55b6804d1dfb0c65751fe4d1a8bdc9d5bcacc568da05f00c3c9129c58f0ed829c4ab2b51a2d9

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
ab67d632c5ab3e73da4622f5165a31d9

SHA1
5978ca3ef8d490cf6eddf83ce4c0670298c703e4

SHA256
29c16b3e904c33e1ca48d3f6659ca2807a0c0cc87f68af3a0c621796730388e6

SHA512
b168b2c17e2748f0374d9a080534083eaea46b9392875f474c93ece77d8c0640dd7418f35ec969313ee4c929e192f345213ad1fec146623561e7440f3b7d8391

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
47854a6d8334859017581c8d98a8412a

SHA1
429f76be260e1e9c983eff6261a20bbcff359da4

SHA256
95f482b3e36e3b5d1598aad223b1ff953726e475858c7e268fe20424e5e148df

SHA512
44ac044295f8d64e027d0eed104c2acda3bf3a559b6c88282bcdcd72d56b04ee7dea597981322a888228bd4828ef14d0af7e0e7bf86a67b9acd7994fd3c202ca

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
74KB

MD5
94a00044e5899ba14f857a1f1667dfca

SHA1
269a23ac410aa52adf094405c9a92c0bef82c363

SHA256
d1c14a4a31e8d362ca05c178b49812c8871a944cc97a614e07a0fe4d3780fc35

SHA512
3f174747ecae85aedf12e9ca1be7aa2283390fe76541587e6bb26ca3492006aa88d07891ec1884c63fe243929f94d98564457d4994dded818d027b40ac4fe7de

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
74KB

MD5
461149422febc69f3b36e746a9314027

SHA1
71c5303f17e3a6195c12592b2ae897d7e7c4abd1

SHA256
b340011dbf5af933662b984441ac2d85f553e8f0b5a384d6bf045e34a68aff04

SHA512
8359b3d423c70eda5d4301727bc000a924a0f320d134e2f10697386a0db7d5fd10e2889b2867cb780c6656726cd25a2a5e04c09a6d657de7fce85365b6ba06f9

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
74KB

MD5
fb337576d262bb738525acd3f5233c8a

SHA1
0a09eefe7a715fc5b1580afc6768d9438928f4c7

SHA256
281899fcd19e13b3c6ce6f86263b68d67e268bce28ecb7d2f0f97ad87f39f4a3

SHA512
daa9d0e3b254d46c2abba13799b6d4bc09022ca62afbb2c97235c1d7e32dfe1640616568d5255e150d769b5919ddf1a1ab0fea51785615f76d78c9994e515e16

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
74KB

MD5
3c2d7cbcfe7a27ffe84fd8b0b71ea137

SHA1
94c3f0512f36af3e89007c540790663566e2be34

SHA256
a52bd5298e46c819e640eee9ce10400e0b09fd7d9a70994cfd0a16f016ba0282

SHA512
462f9ddbddfea69c5d801e0c552b93602db28b75be6d40699eb63dd0bf95e8844a10a0c504f48f79f0c79d1f83963d3f994679f8a1938f0d2000b75537cbf59d

Download Submit
memory/8-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/224-563-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/224-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/444-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/684-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/712-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/716-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/740-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/800-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/836-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1168-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1220-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1240-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1244-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1432-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1436-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1444-467-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-273-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1616-485-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1672-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1688-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1744-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1864-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1888-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1888-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1956-248-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-497-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2012-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2072-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2076-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2264-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-555-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-275-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2472-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2548-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2564-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2596-323-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2872-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2912-557-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3208-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3244-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3280-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3316-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3404-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3428-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3476-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3544-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3688-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3748-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3752-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3788-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4052-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4140-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4176-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4176-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4280-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4296-562-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4296-515-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4332-263-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4376-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4452-417-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4548-359-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4556-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4556-556-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4632-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4700-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4752-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4792-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4796-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4812-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4844-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4988-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5000-235-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5088-564-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5088-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5104-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads