berbew | 8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
Size

55KB
MD5

5c7ed85260f0e4827ffc8877cae37c90
SHA1

3b9735a3091bca61ced24a99b3eaa62188691482
SHA256

8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2
SHA512

0a1ec3b1f69876f1896948c7a60391c44cf71254d5052f9002bf35514b9f59324de5503ed9ffd97dc29b5932331e3c7107bec67a8583a8989080005880775e0e
SSDEEP

768:dTsh4fVxIuUKJwqqKPLKx1/BRE0IyAm+7GcsfQCEmBdrT+ANI2p/1H5Y3Xdnh:CI3dr/qAGxNBRPYGcsfLEgdOsI2LCN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnlhfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nngokoej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4744	Nepgjaeg.exe
1036	Nngokoej.exe
732	Ncdgcf32.exe
2324	Njnpppkn.exe
2128	Nlmllkja.exe
3528	Ngbpidjh.exe
1108	Nnlhfn32.exe
1092	Ndfqbhia.exe
388	Nfgmjqop.exe
1736	Npmagine.exe
3464	Nggjdc32.exe
1592	Olcbmj32.exe
2700	Ocnjidkf.exe
3660	Oncofm32.exe
3184	Odmgcgbi.exe
3980	Ofnckp32.exe
2992	Opdghh32.exe
428	Ofqpqo32.exe
3568	Oqfdnhfk.exe
4740	Ofcmfodb.exe
972	Oqhacgdh.exe
1480	Ocgmpccl.exe
3092	Pqknig32.exe
3876	Pfhfan32.exe
1900	Pmannhhj.exe
4556	Pggbkagp.exe
3004	Pdkcde32.exe
4120	Pncgmkmj.exe
2376	Pfolbmje.exe
3892	Pdpmpdbd.exe
4984	Pjmehkqk.exe
4604	Qfcfml32.exe
312	Anmjcieo.exe
2256	Agglboim.exe
3976	Acnlgp32.exe
2900	Andqdh32.exe
3192	Acqimo32.exe
2716	Aminee32.exe
3160	Accfbokl.exe
2424	Bjmnoi32.exe
628	Bnkgeg32.exe
4256	Beeoaapl.exe
1536	Bgehcmmm.exe
2064	Bhhdil32.exe
1132	Bmemac32.exe
3400	Bcoenmao.exe
3100	Cmgjgcgo.exe
3128	Cdabcm32.exe
2944	Cmiflbel.exe
5052	Cdcoim32.exe
1380	Cfbkeh32.exe
3804	Cdfkolkf.exe
2988	Cnkplejl.exe
1556	Cajlhqjp.exe
1200	Cmqmma32.exe
1896	Ddjejl32.exe
4516	Dopigd32.exe
4352	Dejacond.exe
4956	Djgjlelk.exe
2224	Delnin32.exe
1084	Dhkjej32.exe
116	Dmgbnq32.exe
2556	Dfpgffpm.exe
3060	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmcjho32.dll	Npmagine.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Nlmllkja.exe	Njnpppkn.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	Ndfqbhia.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Nepgjaeg.exe	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Oncofm32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Npmagine.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngbpidjh.exe	Nlmllkja.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Odmgcgbi.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ncdgcf32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Njnpppkn.exe	Ncdgcf32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	Nepgjaeg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3772	4048	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nepgjaeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmllkja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nepgjaeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjknp32.dll"	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njnpppkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibbmq32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4744	2524	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe	82
PID 2524 wrote to memory of 4744	2524	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe	82
PID 2524 wrote to memory of 4744	2524	8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe	82
PID 4744 wrote to memory of 1036	4744	Nepgjaeg.exe	83
PID 4744 wrote to memory of 1036	4744	Nepgjaeg.exe	83
PID 4744 wrote to memory of 1036	4744	Nepgjaeg.exe	83
PID 1036 wrote to memory of 732	1036	Nngokoej.exe	84
PID 1036 wrote to memory of 732	1036	Nngokoej.exe	84
PID 1036 wrote to memory of 732	1036	Nngokoej.exe	84
PID 732 wrote to memory of 2324	732	Ncdgcf32.exe	85
PID 732 wrote to memory of 2324	732	Ncdgcf32.exe	85
PID 732 wrote to memory of 2324	732	Ncdgcf32.exe	85
PID 2324 wrote to memory of 2128	2324	Njnpppkn.exe	86
PID 2324 wrote to memory of 2128	2324	Njnpppkn.exe	86
PID 2324 wrote to memory of 2128	2324	Njnpppkn.exe	86
PID 2128 wrote to memory of 3528	2128	Nlmllkja.exe	87
PID 2128 wrote to memory of 3528	2128	Nlmllkja.exe	87
PID 2128 wrote to memory of 3528	2128	Nlmllkja.exe	87
PID 3528 wrote to memory of 1108	3528	Ngbpidjh.exe	88
PID 3528 wrote to memory of 1108	3528	Ngbpidjh.exe	88
PID 3528 wrote to memory of 1108	3528	Ngbpidjh.exe	88
PID 1108 wrote to memory of 1092	1108	Nnlhfn32.exe	89
PID 1108 wrote to memory of 1092	1108	Nnlhfn32.exe	89
PID 1108 wrote to memory of 1092	1108	Nnlhfn32.exe	89
PID 1092 wrote to memory of 388	1092	Ndfqbhia.exe	90
PID 1092 wrote to memory of 388	1092	Ndfqbhia.exe	90
PID 1092 wrote to memory of 388	1092	Ndfqbhia.exe	90
PID 388 wrote to memory of 1736	388	Nfgmjqop.exe	91
PID 388 wrote to memory of 1736	388	Nfgmjqop.exe	91
PID 388 wrote to memory of 1736	388	Nfgmjqop.exe	91
PID 1736 wrote to memory of 3464	1736	Npmagine.exe	92
PID 1736 wrote to memory of 3464	1736	Npmagine.exe	92
PID 1736 wrote to memory of 3464	1736	Npmagine.exe	92
PID 3464 wrote to memory of 1592	3464	Nggjdc32.exe	93
PID 3464 wrote to memory of 1592	3464	Nggjdc32.exe	93
PID 3464 wrote to memory of 1592	3464	Nggjdc32.exe	93
PID 1592 wrote to memory of 2700	1592	Olcbmj32.exe	94
PID 1592 wrote to memory of 2700	1592	Olcbmj32.exe	94
PID 1592 wrote to memory of 2700	1592	Olcbmj32.exe	94
PID 2700 wrote to memory of 3660	2700	Ocnjidkf.exe	95
PID 2700 wrote to memory of 3660	2700	Ocnjidkf.exe	95
PID 2700 wrote to memory of 3660	2700	Ocnjidkf.exe	95
PID 3660 wrote to memory of 3184	3660	Oncofm32.exe	96
PID 3660 wrote to memory of 3184	3660	Oncofm32.exe	96
PID 3660 wrote to memory of 3184	3660	Oncofm32.exe	96
PID 3184 wrote to memory of 3980	3184	Odmgcgbi.exe	97
PID 3184 wrote to memory of 3980	3184	Odmgcgbi.exe	97
PID 3184 wrote to memory of 3980	3184	Odmgcgbi.exe	97
PID 3980 wrote to memory of 2992	3980	Ofnckp32.exe	98
PID 3980 wrote to memory of 2992	3980	Ofnckp32.exe	98
PID 3980 wrote to memory of 2992	3980	Ofnckp32.exe	98
PID 2992 wrote to memory of 428	2992	Opdghh32.exe	99
PID 2992 wrote to memory of 428	2992	Opdghh32.exe	99
PID 2992 wrote to memory of 428	2992	Opdghh32.exe	99
PID 428 wrote to memory of 3568	428	Ofqpqo32.exe	100
PID 428 wrote to memory of 3568	428	Ofqpqo32.exe	100
PID 428 wrote to memory of 3568	428	Ofqpqo32.exe	100
PID 3568 wrote to memory of 4740	3568	Oqfdnhfk.exe	101
PID 3568 wrote to memory of 4740	3568	Oqfdnhfk.exe	101
PID 3568 wrote to memory of 4740	3568	Oqfdnhfk.exe	101
PID 4740 wrote to memory of 972	4740	Ofcmfodb.exe	102
PID 4740 wrote to memory of 972	4740	Ofcmfodb.exe	102
PID 4740 wrote to memory of 972	4740	Ofcmfodb.exe	102
PID 972 wrote to memory of 1480	972	Oqhacgdh.exe	103

C:\Users\Admin\AppData\Local\Temp\8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe
"C:\Users\Admin\AppData\Local\Temp\8f6ac19958ca96fda9b628f914be0532986a2eea88725717d966eebe88d538d2N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Nepgjaeg.exe
  C:\Windows\system32\Nepgjaeg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\Nngokoej.exe
    C:\Windows\system32\Nngokoej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\Ncdgcf32.exe
      C:\Windows\system32\Ncdgcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        45⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 396
        69⤵
        Program crash
        
        PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4048 -ip 4048
1⤵
PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
55KB

MD5
82d582120fc6e4653cb52652a2769a0a

SHA1
8bec508a23578a7539748823f4ff6d07d3f0cf8e

SHA256
d71b1f9d301eb9171c4598c1a0008283695b4a889ce877f837928d4c39f3d13a

SHA512
accbf6a1a9b9d4d42d4b82684dadae6dec96e87072c86fde66ec75174d6f42c9410f8e9f3407df4953ebb6ba040b1bd5bf0dda90f9925aad6db51699267bf043

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
55KB

MD5
9d45cc4366287af35a4272f96f7bb42d

SHA1
e4126fe12471100bfb5f77500b140dbc8e6d4ee1

SHA256
5ca93c114f743d39570190db74ccb7c734f2e3388170413c080296c71a3d065c

SHA512
53304ba43331bfa204c554eb9dbf78faccc8d66c861f1917c73fa84df6ea9203f9121346ac3920c8e6222112e2316e45dbae3bc51f353011a4e5b369f0f646a3

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
55KB

MD5
8377f264fc4a33d7b20e6d91bf96e367

SHA1
cceeb2ee342baae92eaa3d64a085bd7d1c53ef6b

SHA256
c6ef9259215abda869036cc910507667047431fec079a6b1ee46bfab01b36049

SHA512
8742c907e90d7a8fe7d99216f73947f94eff7e17a7f3472bb46a88ca872f136cced84340fa402d73480ae1929d4322f96d235cd3fdfce6738d45f6b53e113e8d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
c2435d0cdc6de5c62762a94aabb34015

SHA1
fd0aa2933c7abfa310dc3f51cf9f41ab63f191e8

SHA256
71b108692f029b498f0c5df6a419bf891e122738d8cb3940b6d4ac63e8903b99

SHA512
d2f49049f6ea97457c9bd53b130468c1354b719c4c402966b1f0ffa759b0c2b3a484da7787c90993f09ac95ab2abd75b64c868583f6dae80bc556d75666076e2

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
55KB

MD5
de9755618e8ededa6f4606f42d8be5b0

SHA1
322d6a9c8e00b9aa7da60fd604fc7ca8921dbe42

SHA256
42b14c13028c73d546f6fde161a096aaac65c174e7b91c0aa0a5d8b096c1a902

SHA512
f0f51e8068227cc916bba890eacec7fe5c35a5b5a79aa50d2e596c63d1f6c4f2e29e29c7c1c5ef2f07ff3dd2d815911cde6ee6d9ebba486bb7497074620605f2

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
55KB

MD5
e995cbbb560c8a0e567f9026050be59c

SHA1
e4ea182e70930851ce9f32a91844f57c442782fc

SHA256
44e402cf4e4988cb47774b8e30a271440e8d2ae8fd793cb8dc6937a1655380aa

SHA512
31a8eac408f225ce8da4b3d5cf2f6b735cf191d92f769012cfff9c7c0d4fc9eb1a29f88a16aab6a3e1fc5560374ca8104c7c9ea631c53bda3ffbbe35bd539e8a

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
55KB

MD5
ba627f2c36f7a1e6e8a040bad6279e92

SHA1
a6f4010e6afb3b070b5432abb8b341986bedf0ac

SHA256
a9a1573686235a31cde7b2e9f6f87b8f90b76a4c9fe72125427fe7bf1159a76a

SHA512
4992b58604a7cb5497c70a8aed39ed0c665872c55dc7458ee89efb70ea7737889afaa5294148d9b3eeeaecc82cb3c2ee9a4dc87621640ea583be0e5af6e63607

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
55KB

MD5
b4988a7cd23c216daafa2e5048af1ca9

SHA1
99b00ea3e9676c02552599c910cbc626abba9d29

SHA256
bad22b520629fb18a18da6a60e548eee2e636eae353d0176d75c4a70730a8645

SHA512
9cdface542b099f80d25b65ee0fb880d710584aa167b41e5a5b1720b6439db622f742757a08915eed95e64b1c92c3bfa89a9e567cfd64e376941688ea7a69b9a

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
55KB

MD5
a08d6b2c7e82f94e565cad93ae1f1a52

SHA1
938fba4d59806eba405d34b99b8b127e38618c9d

SHA256
539cb6f8f865ea945789ce3af65d5f3a1c44f2929c35e59319582512b4beda55

SHA512
251ef22da5feb4f88db4003b4fa462d73248b3a1bc82f299af0718eace17645275d4631f319e42fb8ae59f286731b2fce6428928d307ed52f69210a65b0f4ac5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
55KB

MD5
1552640dd1564d1cfa7fbfa40055be7b

SHA1
90e48f1a9ad8dade49a30688cd5263bdfe14f4f8

SHA256
e96c1e0266d2b9bbd74cdd70754dd08c94d6523e94ced40562a3d68d5a487924

SHA512
9b96fc89f25eb7a96095acda55582f7964a9c95eb585636fa19112e6bc02e67d3850cce94c388b43da14ed9017d972e77b86dec5a92661d3d35d12195295a04d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
55KB

MD5
bde72853667533efeb05e2dbb836dbf2

SHA1
e33e5260e69293291fd78ad0df98242b34bb8054

SHA256
a5edec8173511243d4ae14424926792ca24614c8ddb7899f77e6cfd66cf29348

SHA512
74a9b8caeeced22e1b5dc3b9dd61905b2360420e40b25d8933c28deaa58f5421753896d2a8b7e5d8d838e34426f6072955b88dee91bc9a99de3f3d9a5a336889

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
55KB

MD5
8452414db41a823263d11be1e3b8034c

SHA1
6c7280fd9f80fcb3df5fe6e4982e73eaac3033d4

SHA256
d5bc71e2d3287c5a0a9475d731c94281b52b7bb1c85c14029a414756d779a675

SHA512
31fd3bc203d28a86632100ee99cc156b953e7d45b72edbcd3b8e63c3b6ecfe24a31d182155469ec0f45cb14a82c3d4c0ea717dd0175db04f309dbf48a542a1bd

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
55KB

MD5
8fa14bf6843d9b5b58154b338481b3b3

SHA1
ef054042be37dff6d511fa14fd75003536246f1a

SHA256
8932ebcbc91ad48f3b3484962b099f0afd07a35bdbc188bf53eeb4cd2ea6987e

SHA512
ab226244c056b00886b2d3afd5589d49fcf23bbf9d367146ebadddfa77e14abd41fd3c7093d8dfaa322821aef2d586ab34ebba1e5c27f366f780f06ecff9a0f2

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
55KB

MD5
f68691078939eec70083d7cd8f950cbb

SHA1
fc7c210013a08a6cb69f6d390e857c2ae47c27b0

SHA256
72c6e618143eb246cc1f80ef8f6c924a885f2acff5a0635ec334e8515fe87174

SHA512
eb7bea663ffe1dbcc5396b654a1c3ae35f6becfe2c870f1584bb1ddf79b8f0ee69bb7f53b2b09f7382b1a7e15f36d4edd96b14b576fa77a1ecb804e9848cf8df

Download Submit
C:\Windows\SysWOW64\Nepgjaeg.exe

Filesize
55KB

MD5
ec8fb54be27c6310147c5cc7f8835059

SHA1
fab351ed4dbcd02506f67af7d6c6d976aad42aaf

SHA256
1f631d7bd1d0d7904ef0e8ee757a06839d616f1962aa08112e02c3f39d73ddfe

SHA512
e98899392e9bd4629df0da2ebda7f47e7d4622473e7617a5d7f7f4c12e3c8eb4b7057b9d3a376c7e403538e22a51d41a3456201f401a86ab2543105dbee74f3d

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
55KB

MD5
a1bf346a0027ce283f66bebe8aec33fd

SHA1
0b6a17d7c08e3a0f6033b8b7efd977fd8389552d

SHA256
340a002a0a177edc5f438fd5f23aafe213ac04a256a68bddcef26d446517179d

SHA512
77f2ed40a6cb61af8c836eb311d6e33ec6dd2d30b08dfc7e6980c6318b4dd251f0c3a5bd64049ad3fdee18add0fe2f110ffe9ee9f5e40ccb7f0ce12a9820dd1e

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
55KB

MD5
994fff648dd51bb35f002dc5983b7a6b

SHA1
0bc269e6b8d4b1226b468ef03b72b3fa4e1a6974

SHA256
2902122a6093eab906f595596f10eaccb5d109f022316a0d525df831dfa16cfd

SHA512
388fc71b0652ba9c4ef2e60655943fd3629adf325d36b62a02727e043c526696375a8c4bfa067a03c1ffe1bd755b75811316a38a21cfc2aa9dbaaa67f16aaba4

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
55KB

MD5
f9684ff2b77f633b464595afb001dea9

SHA1
8d862b7569df9bfd109ad004dc3e9b59542a6511

SHA256
e54f902a21505ad3ef0cd34c1ad0e2e7ca7b3614d7c4f7caba80132bcc6a2387

SHA512
8faae79940a79afba258f8e74618ab88867d98b1dbb90836bcc29519537a24ecf46333278a052407920ac1bdcb5d8e618a9403d421a94feee6bf9fd8eed620c8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
55KB

MD5
648da5d345a09b3d9242518df1dc99d0

SHA1
38a5bb53012da53412768e41127935d8668e85a2

SHA256
453ac4300a7c4eb4430b9394e27394f35f8d79b65b911d708c56f59a5596c526

SHA512
e3f640c152dd28882c45005fe13c744fb0b5ea983b4df81e8fc89386c17f9bce6431b63212121c5723e51372049e1baf083eb701057864534795787fea9b0b78

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
55KB

MD5
2868ca5714cab237b8a87cf436efd314

SHA1
85b6b3222974bdf19980a1ba73f66eaa6b5a4c22

SHA256
8bc1c66f643c4eab49b610a2f4c127b8db66ca00e38423f9b37c2821e81840ba

SHA512
280da3f52084b799edbac66656f0d76f89b569105346218e337e1e83498af5e096e7094b7f63e97d3c0302dd4d966a9e58406bce64059eedf6c3c9a46822dab9

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
55KB

MD5
ed4fd65f1b244347c7508df2009d4ff3

SHA1
b0a37b46a8d424b0555c0d9e09b6ea0d7d5ffd2c

SHA256
df3ca2233fff266e74ffaef038b5a32411c360acfeb15c504d3bc58d952b3d68

SHA512
05c0cc2f7b27c22a0e8ee2302e246539676f249034d610b76a615297c23ef64d1b60254324d0da2a0d2e65a100b6cb2e6c83864937108c1c4b5dde78aead4bac

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
55KB

MD5
78304a4d970e12bec7623a36784c6309

SHA1
28f5d65dd03106fbff9153e8672c70593b25d136

SHA256
5cd1f5313ada8ef720daf6d4dbd73ec7c067908ffced7c97b3f7b9a49fa1af8f

SHA512
5c21318e870aa709114a0cf9c3f5667e80aacb9f2ee9bc8ef6d1cb9c5b005f99f45821af4e58478f9c025c139435394c5f62df1b2d59c761bb484040b55a8ca8

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
55KB

MD5
cddceecc67d663d503b4f66878e71fd5

SHA1
5a845d3ae2b965a14200770f031855708e73a306

SHA256
231c67d020bc679c8da32f46ddb91ffb025a508c6fd9204874388d9a09e6d438

SHA512
cea039b5393e2662066b90063dfebff9e31993c0e36756de2a5941af3a1bbaabeb5bc60cedee5cee89360bf0fbde7f61da710b4c666613755d9bb7dcbfd70d73

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
55KB

MD5
c4152cef193bfcf1b4427dae6e62740c

SHA1
1a252e4a293af281677fbe0d7157bc6309337f2f

SHA256
7afb774ef9c2188ec1ca6b287c1f6bf6eb29aa63dfbaae0a5377cfff12fade7a

SHA512
7b679a3a473a9d26de0febdf7022c5464b1ee239fbee54e8a8c8c63dc908c0baaddd598baee2d50db56d7c303e0abac078565a64597126f0d85b4c416b4aecaf

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
55KB

MD5
a528edac8ac6cf22505abc075776dc67

SHA1
58b0391d39f6535c7add6ccc36f0cdbbe2af6fd0

SHA256
7fb06ae406fb2b3c051a3eabcad66b04fc956d329864673e1e970fc9e3f4b676

SHA512
7823a234d3eabda1e2a61564dd91a22cd88ad754aceb9e31a4a241f4a5bc90e59ccd29625d3a94a0c5d3eb26135978433ad76d60d8de4be190b2346ab47e638c

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
55KB

MD5
9a04f5450489371ee035aea3a11c7402

SHA1
42d8e0416d1eb16a27ca42a6c82b93c1bbf3152e

SHA256
565854cb831b9feb2272e4133ff4c3b413ebf8a7f544c43eca23ed5696e681e7

SHA512
7bbcb6da4728bb5dead6f3161a553b02dab41ae215cb2dc43b2e69ddaff9ab9670e618369759991a6e14e9b7a4f9549b41626255be464919b793afe7a1f92786

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
55KB

MD5
81067b3e090eb32a7272b1db34d9dd1d

SHA1
51e1a2c50ac41ec565bca2e09df894f10d17c21c

SHA256
505818c1d6711bab0ff51222b730ab8dfe3bc60a672911a1f5f6ce0f4060f63d

SHA512
5e594e31e1cab2e2d724f659576b513e288475593cd64f7ceb848e87da8e42404a67232e93c0062d1bdf5188dac39280e1c2dcb634ae9d107643fd2b6e04c8a0

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
55KB

MD5
9ecba1eef4f067f2567d7571f0f85af3

SHA1
9da0313bf22706ca7b9252630dc3175d94adc5d2

SHA256
58b45fe81947b9339ca398ceac9c9a80126a1b73cf067cacb23610d5982aa81a

SHA512
9152e41ead963153fa8fb7195379814c1e6586edd0d67f359cd48826dadd2fc6bf642fb825e088d4873f2e0bcd55caa3174fdb0233e1f82f990c8fcb52783e90

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
55KB

MD5
e1b717b30505812ce0f70686e3053dc0

SHA1
551ca09e4eeff9e70db69b1954d1b87eabf219e7

SHA256
5de132e8648f2e61cd1a90505adf14a8e9c74466f078034ec392d54da699b6c7

SHA512
682c85692df9f9f2bd7479b48a650103c377ac7a69e603237184b5e44d8c27832cbf6e8548ff68f54e83f55a98427b2c4d868a792d72351f1296254501ccdc2f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
55KB

MD5
ae39585f2c9f14874d4bb569b9abe08b

SHA1
6707a24cdc3bb0f2d45023dcc0de2a9eaff7661c

SHA256
1d00994b8988eeb18076a0df0eee606949122cf815030f4faad2e99aeb26b076

SHA512
9a0acfc544b98b82836d12e08ad2d6418fa70974134699ec280f3da1f485923667eb67870b73b5b82a95c0b8d4445383ad8d69d7971350ff0baee4a981038ddc

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
55KB

MD5
138ceace81361db3dccbb992537072e7

SHA1
5e7b0c199e4e96b00852f8219b6ae2ad089ea7c3

SHA256
b98c31a4ba7c06547b43de07d26a11a6f6ed3e08c3decf7d45bc76a7e153ca1b

SHA512
a21cd5ba5105a24377edbea48a8dc56c62c8a66a63ee8b85a40d2bb1611ced3232be2e6ad44e21689cd1ea7909083596cf01eae957e8bd1bac77307d8ce0a709

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
55KB

MD5
ff365e72944e2aa4e7db1c10d7d49559

SHA1
ffd263eec112bc2b7dbf2ffbc813553d28d1ea0f

SHA256
4381e2e08e113e11bc1a02efa14e411b7c2cba016d083d53df724e3a0baff5ba

SHA512
7f2a19ce2cade6235ae61943dd64be479825ee94109c933c803aa2f508f9011eb22a833bb1d566dce626cb90e64513b80360687832afeba7c4b9fba2463da352

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
55KB

MD5
75f0f5373f3f39defa001a46018c8451

SHA1
362a920e0139d8b7b5ed901550acb80cdd3cfcd4

SHA256
db44b8cf7d0e487fc3a2107450cdc9348493eeb44e7b3049ddabc128b0ad7978

SHA512
1607b65c84f4896b4a6844943ca58240cb06a93897fec46a1e04521651683534dfbfb730eade28342654892c12698bd882d0a6ef018a712b1ed4fafe5156a4ba

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
55KB

MD5
51ebe970e001471590399e430a60aee8

SHA1
6297eff991e0152ad8cbaa5404da7ecca510047d

SHA256
fd62760ed718e0fdc68fb08a0039a445deb890cc8f3ea24e1fecb90683c3f3b4

SHA512
2ae6b34462d41ff5e81582a786f0b49059299d3d1630b721cc679c3f84eaf8f90cc7a7bdf7920e5858950448ac742e48b37a021f25178a645ae9db6b5a092eb5

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
55KB

MD5
57cf6c0f53f9da34266e3970adfae201

SHA1
42a36f4af7258bfc787d051285af176b0245d0a4

SHA256
3cf0c09fa91f96103da471708d306085009ff82ae8008fc9f88e00eba80bce40

SHA512
34eaf5162c0707c628ef02197932914361452db8a4f1c188d1b0941d85bfdbfcd7925540c7f45d12d56ad78d9d7e8a9b2540a533f690119487938f9cf0ad32b7

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
55KB

MD5
3954cb24af34e4232eace880dd9b172c

SHA1
c0090965a4c47d2ec99f3de98ae11158e5bdcb31

SHA256
abbed6681138f5f5be983f4a85aaf0681d033671e3fd4f68ed8f00aa3a22c933

SHA512
cb183d2f18d7ec27b95d0abca095bd6821c1237be6bd698794e78fe8843ea0e22a882b8f1ce795c0903ddcd3a769cf5a0c445f8b1458a352d3a3795bc7908529

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
55KB

MD5
02cec5ec61c3f9192c7420f93a1086b2

SHA1
33b7c00d87cc89c1bc11b314d8f39a974248b649

SHA256
ffc4b3369c2a5d2d2c848cc244ec3618e0a13ae4ed8056b96b0aba1ebbead9ac

SHA512
a2e8cb9451f348c5f145f53068eb2c4f60122daf5ca587c81c2d94698862b1ff6dda1186a6cac86b4301a9b2fb4324459f071b319a44737aaa1b7355ba202d2f

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
55KB

MD5
5a871ff5aa77af124888a27bebcd3a31

SHA1
76e1778671053c35b5c942c5887bbe89d5eeda42

SHA256
d273219218f363b56ed9186f2c31412a4070720aa7289fb86cc463ee6938e64e

SHA512
a97a463588208f4d9dad457a0aca779331d879f52c80ba3cd8dc27f153109cb09258734fc1c237b696f23ab2a8f22b8f8be0d210807f05b60edac723625d1e1a

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
55KB

MD5
443cb5a5c5590862905a45dabddf8f2c

SHA1
a1a4bdf8c999b43374c5eb1ed52f928164ce7cb7

SHA256
d0d3fa7b37053a8a0cdaf82b7afd1de02a304ba60ca1acc5ef0904e8849ae87b

SHA512
9c00eeb95502a9bc9c8423de49ebdde4d7d0d90f11aa1a17c3e85e8b6ee0837da33c67eaaca862b40f504193ab695da923cbd005706a7137391453310e21a3ee

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
55KB

MD5
27d149b71331f88b4e9f2af2a2848f9f

SHA1
6d7ec2e5de2ef4c7f02aeca8b50ca968b41050dd

SHA256
b449046000d72c01c49e72517dc88b6a003aa51d29281a1e2a1da3ed33cccc3e

SHA512
acffce42364d9a0698fff6653ec4881a71a1fe72c773114112a4909132c3d4a4b9706cf09ec863d1e300047e1902a8a6427483a3495f124b378cd478bd4700de

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
55KB

MD5
48a42ce804931f7103dec5ca727a25d3

SHA1
5e4720741b18902d42e026f916af87e89e7fed39

SHA256
4226a9424e7a71061971c2855f70a9424b66e0c60f3bb0020173c10fc3bc1366

SHA512
3083d6ac8701d5436924c9d90a423ca42a11339761eeb63987d4eafe793cdf405f3b8e744027750e7cc54463223b4c9565c13dab9dcc0ef6984cce1055d6d93f

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
55KB

MD5
10466c72537d7a73b96f912672c18480

SHA1
7d5f3fa05fb496b253c4b7286d0919ef6032c2e0

SHA256
71746385899926982275f0f73de5908f96b0d5b431d33547cb98b1d60d8a0360

SHA512
0a0b89c360c15032ecbbd9d8a48625c975c06d063a50f51bd4c816ba5b0155d294bfdaffd12a502faa6442c449c2abc404b05e3099ce19f02098ca21d6aa5558

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
55KB

MD5
ef2653a16b3bfbdb04cb3e280b85e169

SHA1
1fe9ad05cab48a0744e81e1867c94eef08ac0ac9

SHA256
65b1167baeb84d92bd416e1542f4e510b7e6d4c6953dbc417796d1a9e85b2b6e

SHA512
bdeb4907d2401134bc5c90c8f945b74676b4fdf4ae322b2999ec1510301dd1e6912a58e27f665fcc6ead77b138832e652cc35e7daa61bfad1fd178ad3cfabd93

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
55KB

MD5
2364c846a74653a7d4928a480f61f484

SHA1
29cb9805e4027b2cf8b6661dafab4de5bfe43777

SHA256
588ad764abbdd5910f5cc887caaa5a9a9b3ae32dd4989dc910b592e924878a9d

SHA512
3724e7797490787902cdd48845ed9eb3d1c20b8a07b560726238b2f0c5de5c39624f595514133a13c01c50d435cd14d231cc19b7a865b1729445a436e88171d3

Download Submit
memory/116-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/312-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/388-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/732-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2988-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3128-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads