berbew | 3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11c

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
Size

159KB
MD5

74744f5bcaadff1773190f56b2e16800
SHA1

6d2a671231bdea6a1853c69f9d3dae5eac99dd4f
SHA256

3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11c
SHA512

535c2eb40ebfaa1fb3ce0df3a1a55b1e757a8e27f61ea8d6fa98a5bfb4e487d78eb833489caaadaf958094867e85c73bde51f9c749fd7e7d152f007921821058
SSDEEP

3072:TRXc9l8hj9z+vSKr0URUtbwf1nFzwSAJB8FgBY5nd/M9dA:xOlWJCaT21n6xJmPM9dA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3052	Ngpccdlj.exe
4384	Njnpppkn.exe
3668	Ngbpidjh.exe
1724	Npjebj32.exe
3604	Njciko32.exe
4464	Ndhmhh32.exe
4816	Nnqbanmo.exe
1992	Ocnjidkf.exe
4024	Oflgep32.exe
1220	Olfobjbg.exe
2544	Ofnckp32.exe
3476	Olhlhjpd.exe
3076	Ofqpqo32.exe
3292	Oqfdnhfk.exe
4356	Ogpmjb32.exe
1828	Olmeci32.exe
2820	Ogbipa32.exe
1056	Ofeilobp.exe
2164	Pnlaml32.exe
2064	Pcijeb32.exe
2572	Pgefeajb.exe
852	Pnonbk32.exe
2032	Pfjcgn32.exe
1376	Pqpgdfnp.exe
468	Pgioqq32.exe
428	Pqbdjfln.exe
4492	Pgllfp32.exe
4696	Pmidog32.exe
4720	Pjmehkqk.exe
3940	Qdbiedpa.exe
2412	Qmmnjfnl.exe
2596	Qcgffqei.exe
1484	Ajanck32.exe
4332	Adgbpc32.exe
4044	Ajckij32.exe
2876	Aqncedbp.exe
2816	Aclpap32.exe
4912	Aqppkd32.exe
3256	Afmhck32.exe
3628	Amgapeea.exe
2392	Aeniabfd.exe
1284	Aminee32.exe
3272	Accfbokl.exe
60	Bfabnjjp.exe
4968	Bebblb32.exe
2744	Bjokdipf.exe
1396	Beeoaapl.exe
2748	Bjagjhnc.exe
3432	Bmpcfdmg.exe
4944	Bnpppgdj.exe
2924	Banllbdn.exe
2124	Bhhdil32.exe
1740	Bapiabak.exe
1524	Chjaol32.exe
4536	Cabfga32.exe
4656	Cfpnph32.exe
2228	Cnffqf32.exe
4952	Cdcoim32.exe
2516	Cagobalc.exe
4368	Chagok32.exe
2528	Cmnpgb32.exe
3064	Cdhhdlid.exe
3180	Cmqmma32.exe
3412	Ddjejl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ajckij32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Booogccm.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ngpccdlj.exe	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngpccdlj.exe	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
File created	C:\Windows\SysWOW64\Ahioknai.dll	Ngpccdlj.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Njciko32.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Npjebj32.exe	Ngbpidjh.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bmpcfdmg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3664	2932	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahioknai.dll"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffpf32.dll"	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npjebj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohipl32.dll"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3052	1316	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe	83
PID 1316 wrote to memory of 3052	1316	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe	83
PID 1316 wrote to memory of 3052	1316	3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe	83
PID 3052 wrote to memory of 4384	3052	Ngpccdlj.exe	84
PID 3052 wrote to memory of 4384	3052	Ngpccdlj.exe	84
PID 3052 wrote to memory of 4384	3052	Ngpccdlj.exe	84
PID 4384 wrote to memory of 3668	4384	Njnpppkn.exe	85
PID 4384 wrote to memory of 3668	4384	Njnpppkn.exe	85
PID 4384 wrote to memory of 3668	4384	Njnpppkn.exe	85
PID 3668 wrote to memory of 1724	3668	Ngbpidjh.exe	86
PID 3668 wrote to memory of 1724	3668	Ngbpidjh.exe	86
PID 3668 wrote to memory of 1724	3668	Ngbpidjh.exe	86
PID 1724 wrote to memory of 3604	1724	Npjebj32.exe	87
PID 1724 wrote to memory of 3604	1724	Npjebj32.exe	87
PID 1724 wrote to memory of 3604	1724	Npjebj32.exe	87
PID 3604 wrote to memory of 4464	3604	Njciko32.exe	88
PID 3604 wrote to memory of 4464	3604	Njciko32.exe	88
PID 3604 wrote to memory of 4464	3604	Njciko32.exe	88
PID 4464 wrote to memory of 4816	4464	Ndhmhh32.exe	89
PID 4464 wrote to memory of 4816	4464	Ndhmhh32.exe	89
PID 4464 wrote to memory of 4816	4464	Ndhmhh32.exe	89
PID 4816 wrote to memory of 1992	4816	Nnqbanmo.exe	90
PID 4816 wrote to memory of 1992	4816	Nnqbanmo.exe	90
PID 4816 wrote to memory of 1992	4816	Nnqbanmo.exe	90
PID 1992 wrote to memory of 4024	1992	Ocnjidkf.exe	91
PID 1992 wrote to memory of 4024	1992	Ocnjidkf.exe	91
PID 1992 wrote to memory of 4024	1992	Ocnjidkf.exe	91
PID 4024 wrote to memory of 1220	4024	Oflgep32.exe	92
PID 4024 wrote to memory of 1220	4024	Oflgep32.exe	92
PID 4024 wrote to memory of 1220	4024	Oflgep32.exe	92
PID 1220 wrote to memory of 2544	1220	Olfobjbg.exe	93
PID 1220 wrote to memory of 2544	1220	Olfobjbg.exe	93
PID 1220 wrote to memory of 2544	1220	Olfobjbg.exe	93
PID 2544 wrote to memory of 3476	2544	Ofnckp32.exe	94
PID 2544 wrote to memory of 3476	2544	Ofnckp32.exe	94
PID 2544 wrote to memory of 3476	2544	Ofnckp32.exe	94
PID 3476 wrote to memory of 3076	3476	Olhlhjpd.exe	95
PID 3476 wrote to memory of 3076	3476	Olhlhjpd.exe	95
PID 3476 wrote to memory of 3076	3476	Olhlhjpd.exe	95
PID 3076 wrote to memory of 3292	3076	Ofqpqo32.exe	96
PID 3076 wrote to memory of 3292	3076	Ofqpqo32.exe	96
PID 3076 wrote to memory of 3292	3076	Ofqpqo32.exe	96
PID 3292 wrote to memory of 4356	3292	Oqfdnhfk.exe	97
PID 3292 wrote to memory of 4356	3292	Oqfdnhfk.exe	97
PID 3292 wrote to memory of 4356	3292	Oqfdnhfk.exe	97
PID 4356 wrote to memory of 1828	4356	Ogpmjb32.exe	98
PID 4356 wrote to memory of 1828	4356	Ogpmjb32.exe	98
PID 4356 wrote to memory of 1828	4356	Ogpmjb32.exe	98
PID 1828 wrote to memory of 2820	1828	Olmeci32.exe	99
PID 1828 wrote to memory of 2820	1828	Olmeci32.exe	99
PID 1828 wrote to memory of 2820	1828	Olmeci32.exe	99
PID 2820 wrote to memory of 1056	2820	Ogbipa32.exe	100
PID 2820 wrote to memory of 1056	2820	Ogbipa32.exe	100
PID 2820 wrote to memory of 1056	2820	Ogbipa32.exe	100
PID 1056 wrote to memory of 2164	1056	Ofeilobp.exe	101
PID 1056 wrote to memory of 2164	1056	Ofeilobp.exe	101
PID 1056 wrote to memory of 2164	1056	Ofeilobp.exe	101
PID 2164 wrote to memory of 2064	2164	Pnlaml32.exe	102
PID 2164 wrote to memory of 2064	2164	Pnlaml32.exe	102
PID 2164 wrote to memory of 2064	2164	Pnlaml32.exe	102
PID 2064 wrote to memory of 2572	2064	Pcijeb32.exe	103
PID 2064 wrote to memory of 2572	2064	Pcijeb32.exe	103
PID 2064 wrote to memory of 2572	2064	Pcijeb32.exe	103
PID 2572 wrote to memory of 852	2572	Pgefeajb.exe	104

C:\Users\Admin\AppData\Local\Temp\3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe
"C:\Users\Admin\AppData\Local\Temp\3531f094623c1f8954d21ca756fa13c4e2c0a34fce6b8460f5026f44b8f6a11cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Ngpccdlj.exe
  C:\Windows\system32\Ngpccdlj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\Njnpppkn.exe
    C:\Windows\system32\Njnpppkn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\Ngbpidjh.exe
      C:\Windows\system32\Ngbpidjh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3652
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        75⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 408
        78⤵
        Program crash
        
        PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2932 -ip 2932
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
159KB

MD5
3f9d1fc66d4a537ed66986431998af78

SHA1
af54a3b2bf1766a493a72a8f0b72dd87520cd19e

SHA256
815ef5dbbbe08dde44153ba0d4eb30c3708ee824d717d8ea5a77dd39b5d5420c

SHA512
3376addac3b185c85fdcccd908a02a6764628e2dadc4e3649d315436cd9f6bb1e4d127a4801f051823233e4adb6fdfe1f34cd7de88f635ff58d2d1bd846b0552

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
159KB

MD5
db491414729f4f285a5ce0ebee4fc8e6

SHA1
1353345b2f33c5a07892ce35fb881f98d25cb830

SHA256
dc4df74bb993d4ce2d86f3190107fd079d85906340fe356be4547978c57b0138

SHA512
e0632d2aa9845b320f18b45efcb1e9568251b0bc44157d6bfebcf16d840f19cd1353d7508badb3eaa5d7815434bf9196a9df4fb96250efdb47da89fec2d15a2a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
159KB

MD5
1a5f712e3fb4c53fdba783b200b694a0

SHA1
56ff63434c073973e3c867ed71c11e5fb3c82d99

SHA256
e2243e2e0702ea30a8188169e02b397226a78926002fb6745a9db216a5abb387

SHA512
12cbb04cdb36b8d8d2aa779927b766ea37524a621fda50a2b724c9c1adaac2c403bf41dc00906e6024f95066924005f72e7de6acfe6f4fb5792fe27c8c59991f

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
159KB

MD5
59e156546a86637eae1619f69394aa9f

SHA1
efbc64c068bdb9169a011a1cc04d6eeec3fb6064

SHA256
f9581ff1641eabe9f80169425355f7e18390105df8f189f6a18cde58a82c60c2

SHA512
f6a5ba9b0f084cdd8dad7a4008ab4ce964ce2200ba2050d71442617af6d0be35e57f53ab31672906ed1414ca059bb4d93318bcb2bbfbdfd79c3b1d64ee457f1b

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
159KB

MD5
cf76491411a2fe2939782b57c672f7b9

SHA1
4be621838ac2b6f8bf52dc95a41cb4c61aa8335b

SHA256
ebf82fc0956a0100d664a7f1599287245e34715a4e99408ac815ab867ad2f7db

SHA512
58380a9733b5e78f11e206a1bdd1cba2423624c658701783799312feb56fd4922c8d43cded2856a035f21b60edf64b8d2a58b7cbb7f425ed34f4970a40aa8661

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
159KB

MD5
bbbf3729ce0d7da8a887f6b4661ca4f0

SHA1
1b704d3dce147f62a61de9f41fefd25563608af0

SHA256
a3236c0049a17a02d2725b63c48ed63b1266991744dacf20b696e84fc660798d

SHA512
de5ec25c776ceb3805ad87a290e1d0d154282c3f766da88342f87d4ab28edc6f715e6afa1ffcdc1729118186fb1efe01ce448f1828ccf48505f1b7504bcdae56

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
159KB

MD5
74de9b4fc18478cbacc751a65a0a3f42

SHA1
daae5e42e927553357974b865f02da664f71f3a9

SHA256
13a32cedc845b1a68e9a6f3ecd2c1fca5edd5823ee67259fde2861ee34ccac0d

SHA512
7759385440f88bb25ce808c5fafb3b38cc847b6156dfa6d7cda263800baaa0ed33258123d7298fe209316eeaa7182f28274c5db92f5ee460459adbe840df9ea6

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
159KB

MD5
ddc5f08c17747964e4a099d6cab8a71a

SHA1
c980bc5dc62ffbba0576a9d4ffc6eb347d09cb3d

SHA256
f2d0daac8fb2bd44f79d4afb40f157bacd938771fa15021e253ebc2e7b9c7d61

SHA512
1da45d88e96a8c9f6795ee174719a470076060f6c5d6860a8f42096263a788368341cb6560457f65e7574a853c519e713b02819782f509fc28614ccf383329d2

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
159KB

MD5
48ea0ef8b806eefebd0a91362013bed7

SHA1
4edcd4cf8438581ade3f80a523ae78c3c4573154

SHA256
6a2eac2423447a82e57f3729f4cf52178ea5e81a55cfaa4c06ba9319682824fb

SHA512
7b139d19123431d86919c269a5990ffdcbcbd3ee0d9af401d606de960ea34c2e88beedcc033e1f40307ef25128f357de93136ed4ae20ead0673a6c32d0f8ee16

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
159KB

MD5
4446b252dd4a8a2fd3b8460d1af08eab

SHA1
4f1863feb8a2f4a76098323944c26dc5d668b3f7

SHA256
5662f37a4726a38031845ded797882f27c05ace3c7c5c1709445b393a775e89d

SHA512
635261281a75d45b853db5e1d4964b625e0d4ce619b4f0b0383921afc8ac9303bc2427f0c41980d8ad02bcf6942366f9f8fee84897a827a74123fc1ceb687611

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
159KB

MD5
4c3335d6347e2efa432fa7c50c7da1f9

SHA1
e14e8d0087b0e861fcfb79cdbbfa22e9c463ec16

SHA256
c8a96dd8e5c060678bb4484e5850926095da213b4184722cff791d8410970cd9

SHA512
834d3a185f03e0ce729a5ab82bc42295788d8e608e017134137351ab00e7dda1878a03d9c3e380e41cf231091e8b90995983fe066aac2be155d81913dec4dc23

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
159KB

MD5
e2bbdccab24ac88529b8e8f14a4c5ecd

SHA1
bf960bc641b8ea01bdb1428a054f3ba8138bcd01

SHA256
de8958b5e11af4b9d3bb87242948295e5cb409e304db9ecbde040fc693d9dad2

SHA512
01dac14a39efa5da78391cae1a6adc076cbac91fd9d724f9d94ae86de2161b26b54759bbfd178f9099fdb29e4ea26c5cbecda2d8fb5fb76745892a120cdf0820

Download Submit
C:\Windows\SysWOW64\Ocljjj32.dll

Filesize
7KB

MD5
e4973808bb2917f010fd34a6c3f304d5

SHA1
cbc31f6f10cf45395f31b75d2c32ac9bc26ba304

SHA256
13ef6e3a51bfa715c7d119787927190a635446ca714d1af010dc6d5b5f20a4e0

SHA512
dbfdc063ca1b76a8317f6041b24a11cc1e637f54ccebcc5711a9622528577d006cd43a4956546cda01cec4dc61bd1dc56b301d830739d8f353a1cb0658d6ab97

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
159KB

MD5
e2be4d6fa6e18cc5db471d4e03af8917

SHA1
481979e3693aa2af71d5016571049fd53b8d101c

SHA256
27b87575555acd7b4404556c144b41f520da78f6527627dab0b0a945f4e23d27

SHA512
5bd7857143a25dc2a022a2261db1659cf2ce14db535b1d8ed364c353e4b11cd3438c42f418aec54d9c9ad66899d58ed06cd2af04348de4d8c883cedc1130e7d7

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
159KB

MD5
544336076c37b3fa4e861cc5a66d1cdd

SHA1
caf65510fe619fd4107ac8294b1c1da872e40f58

SHA256
d8ddb5f6751a6710fdaaaebbe8f928920b1c8b9a2266ddba7a1666e6bdf5b07a

SHA512
b898cd19dd86b83ad4f852e0b82c52c8711f351bfbc9cfe87d11e293cdae8023cfefc53f96af8867d477032c6c9ea0ceafbebfde7c754a2f73712b68db471f62

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
159KB

MD5
ee0d88f9b79365116ae91e4af18dc4de

SHA1
2930cf2aa830073ac6d318a9076b32a208c1a43c

SHA256
2bb5594a5d575dd899c598cf2e8fbc98732311815f197c10cdd00a380235c838

SHA512
330201a65aea211786a1d5e567b9c408bfd5b04cf2f1e27e4d32434de3f3c04ba8d82ead3c62a0c384d257873eb8251b6ead8d7c6525078223170d4af448cd33

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
159KB

MD5
def4d1fc807faa4f063d433aafc16df8

SHA1
58e8801cd6d0dd2085b046ebc9f60289e72e5e5a

SHA256
8dfd0aeb8b55ecd10b4c3c1df63db2751cdaf9e3b07df4bf6385f07b492a3e16

SHA512
adaed83b069c33796aa145e34e62e0579864047fec849e4cb93de58872240a766b6c88cebfe7be9655d038de85086c9f40545f77c875e5f912841ded0682d6b0

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
159KB

MD5
ca0e4b8b6a5f0d3dbab4a36e0b552838

SHA1
9da5107bb0b7deb6dcd5b21c29dbc043451d5f31

SHA256
aa3fd04446f90500c5911f925c0a5ff3a83091abeab55ae715d2d3e3164834bb

SHA512
af7bde548a618f0814f4dd5d569580dc99249465c87e87a7349fe2576754772abd187969355be8b2476e4eed008dc7d2f632074da8c1174c8f3116c01e38e628

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
159KB

MD5
e605d321361b14d7c7e65ad54f551ec9

SHA1
bafc7a10b66810f41ddd6184c07b7193cfa06179

SHA256
2c25d43416425789ef3f4ffa19cd99fcc57dd4beea39e9d39548090a8e1c57e8

SHA512
60575b46ed549f96d1a9cab507b1c7ddc6909cb81d916287a50c710d8ac9ba0e48e889ba0bfec7227d179480e0de6108c92290873d076312b06bf4a90bd750a7

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
159KB

MD5
801dacf69253ee0d9f6bf917ef82435d

SHA1
78e9aa44f80a55f02980e12ffc7f8b0919a813ee

SHA256
b163bc0a4fdf5494f275ceea490cc9b60870a39f4745ee65629a96d78bde192a

SHA512
2cf89fb375f66934eea8ecaf32cd6557e5adb9052cdf4612a2b5600cbf2c1900f4a08820d229a190e10b5abd8f5a12b73d62943e9bf3bb9e8e0a7d0873391b23

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
159KB

MD5
1e44e751481d032c2934995295b71b4c

SHA1
5104e218bac5ad962f01ba9661bb43b3b1005804

SHA256
3cb38d9e7759b36b7266cc408109db00e99975b2826914380c55f6ad291a3e0f

SHA512
86026c7fa3864669e691b23d1491b3db2beea55e1e45e304d5c68de046ee97d3cb9bb0cd916b20e4c253bcbbf6a89b28a57d6b45b9b3232ddddb18d4fdd1dfa3

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
159KB

MD5
9bf7af69c600cb61217135e950779cd6

SHA1
4c0075d059fe0a5cc7e6e61e73ed73b00083dcc1

SHA256
7fcecf751619220df01e1f17b38f6474099cd70000a3a5f97e2ba556e813365b

SHA512
8857d1fe2be20e00c2395ba58ea8fbddd771e60390c36844ccce9d009e1ff292e5dc1a75d4c81a2260f0bbbabb20960e20132c013df5621c40179432fe2863b9

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
159KB

MD5
6f2affece77d9115a80e33692a48b23a

SHA1
ca38796186fde5790fbcf6188c2a2bc9ba40f7e7

SHA256
cefd69bd3d99fc52574ed7c041055c55dec491b9441c651217d8f5e467a72246

SHA512
cb2163497c0e3cb9c3736a3ff1f1b6b2a21d51eecba0aac2a0d1dea86c15285d39ef95bb2d7dab70c33b6ffba2df462e05a270db08643b9bed995c6cc04e21ac

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
159KB

MD5
e86053a3729cfbe1f6e805f740b8dec3

SHA1
7f3908b0234e76ca270858f301e1421f0286e86d

SHA256
c938f2f90f7b4397fbab9bd9bc7a4a844ca29cbe2e8f25ee295cc580e8818570

SHA512
99adf1d7de5abebeabd89cf6c95b75a1bc10625ef734ddf70db12c6c28407e1babe3361dd281482938bdf7c2ce6702d3b3820b308e9c42273445a3e366b88750

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
159KB

MD5
b9108587b56d8503761f290f7d0c96ff

SHA1
69b6c6d2e54a8ebe7e5c4e7c76b50198d76b706b

SHA256
e0253728061662e675e9c82d49be3aab5b3624253756c3bc7c7ed256323e4fa6

SHA512
ee0f61f92b6c37739519573acd5718609b0d804f21bbfc446cac6e4153928ed0a6c60620340666ca2e27fde4a291af122732dd8e27446867c4e187d62619a4ec

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
159KB

MD5
e5aed6d8b37551921ce492661df6fa3f

SHA1
ad17527829d7d873f4af8e9eadfae7f181a24e9e

SHA256
5c1d96209195dec54ae0bb22c7b4a6afac067a7569643ce262e4980757837f6d

SHA512
0699d70e5020974c1b6e89c33b9de438ce94ca84003208d477720f92ff7b2b2908cdc22d80746e7abc2213d67ba03825bf0601f1f4948e790d74c09f4dedc085

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
159KB

MD5
af13974f517e05e0b8f2c9212f7bf07e

SHA1
e9737232bab992342ec9c1f64b00493283c05c69

SHA256
ba1f4ed7d57dbfd221c25c8d48991dc93ef101584f725cd733820859ed93ac1f

SHA512
a43d7bb0cc659a6c9cbb481cb89883e4b4dede7659f209d313733b3a42db870e7901118452010a0da6a985feee38913e951091ac97a97e26a64582c9d23839df

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
159KB

MD5
aad089030f7c61640ad1fdf463c19d53

SHA1
41ef45c3052cecf545582074b28279138e1fef9b

SHA256
b609dc0fa63b9db2d24bca90b8b16cca196f17d56ddc083b811ca86c102396b5

SHA512
b366e6ac9eb6de0b49d019488a4e6fd69e48b04197fa4cecab07d0f817a3c944e6436b9e4aa52741341fe3a98424ee213d44d2050ad51108384bee09e9c817ec

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
159KB

MD5
f585d732e698e923c03c7dc3e5434bb0

SHA1
45b0a5c13bcbf848b605e89918d4e09d535a138b

SHA256
a97fa1c50b5890919761cdd0dfc82fe6fa389ad209c8ce43963812159bd01b7e

SHA512
73b7d62583ebd3b9b4de0105a8c8c1b17b78d0d92e61ae1aa39d5169493be534b5c274e123c0c533171ced20718e2ad831bbcfe3d2659b11e4cbc8a83a7f689e

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
159KB

MD5
c5b868fdbfae557831c2eca6aa872f8f

SHA1
296f211cb7df9b2c4f2401a3913c2244516656d4

SHA256
4fdfc44f79ea9396f37bebd71f5b204a53511bbdc5b552d5d087bb7b2db50943

SHA512
70b7ce1f49d767c2f2be2a771ffecfa5b87c744d0f6f95f6e9a920b9d47ced5a52d1fc2d6faaf15f9624e2889e06988ee6b27e386f233a16987b4a7ec3476c3d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
159KB

MD5
1fdc4b4ed393eb55059eea1587841601

SHA1
67083b361498f802f348d8fb40ceb8188fde341e

SHA256
32cc86e645c193ebc154ef475b3be78ceaa9ada78ae2a428780f9dd630324218

SHA512
3fc2a2d3332b5068b92d06b265472aa31afddb77fdb72994fcc16549631bf5a14fc7de68754f4269324ea75bd7422c637d72126b52ddbf14a54d27b0758d40ee

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
159KB

MD5
4fa5d2b43ea5a82a1bac700d820eb9b0

SHA1
66974de7ff0ad1aa671107836cbd1ba305d9f9e0

SHA256
94641a7b12385ce4568217490816f7769e509595fd2dcff7761a1020e2a33a3c

SHA512
eb313e3a775e6957bd9b7e61f724cf1512213719c475212f43222b9db6a9d6c717ceed3835a49cbfbf483613adaf3fd209b8908bc1fd4b1e89082b07c4c53f25

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
159KB

MD5
ea5c4ec1d5f1815e1fff3ee2ba3fbdd4

SHA1
f89992c3a725a402f034ffd276ded5a726b0bfc8

SHA256
0a7e3faee5be083b7ecaf60fca22d52792bc4161b0c322fd1bc9b9589eb57b9e

SHA512
0c7aaa18b8ffd84f600bbce0a6b986c294612ef242b0b387423b42998f0ddfb098168b1edd37c6dcae52b1b5eb87678580bf2038162f4bf175468877afd7fa87

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
159KB

MD5
ca914ad4384904f57c71e76dde7492da

SHA1
b387e5b3d3ce7ace7da51eaf17624f8c817bce9a

SHA256
d0a49245f4fe31e94fb291e9cee7df4d6b33fff28b7ffb0147fc66a90cb04037

SHA512
8669a4481837c0af33fe978f518d6e6c28479102135a8f6f86007a1fa7198b7d1a85a967604d9b99e404724ae462a994a967bdbbadea73bd40e306f84aed7824

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
159KB

MD5
8e434c0ca5422536fe2e2a7c52afc102

SHA1
e194f0dcbe3d7d2ebefb053d47f77a728dcea965

SHA256
3526de70dbebb0f3dfe75535238c154c2d43ed28822cf5c05cc64354322fbc87

SHA512
ada3faf19ee876196cf5259e1b5a3db529f49cb31bba18b56168d9fdbca0ec6c9090b8e3805fb8c2282fbcc68f7be6ce2bae228b709a0e4a6887b2fbe8aab166

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
159KB

MD5
fda2c165f7d9ff513fa4eb1e48631590

SHA1
722ffe22a4dbe2673ce4b44a4115a26b2ca60239

SHA256
9257c86e159d13d866f22fdb99d544edb2fb95b2e580d507bcf9ee8388871d1b

SHA512
954b4e9c4e100b058a5797ce56032628b01cf1d5e93e2d47485f401d43ae0a582fe0ac1469f563a7a14fce70f26ce8b5fcc8eb64911722e0d22073fec16e7c12

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
159KB

MD5
3871a8dc431c320e03e476998b34aa71

SHA1
2d216744e1175608318ee9de6dcea95d321180b3

SHA256
a13ea5d2747caa3e590db8809059a7aaefd59362853b6c13f85ab39af92f7be0

SHA512
bc141dc9c71d00c4733cd9123711783e8b12aabb4d74c77b4d47a9d010b34070e6597447c8477da671cb05b9a90bfca178850d01e0c8ccfb403a3dc9957d3b4d

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
159KB

MD5
4507c50319410400e8810791d95bdc71

SHA1
0fb900b7bff869313c15228babd285bb51e0f2ee

SHA256
d83b794b0517f408f414ba81c97fd6aa8c6b921f2256779a2740912a2bc6b300

SHA512
b327f00ce0a56070d829ede9048e4405c7f8670cd726ddb5e9dd3bc64a0c7699efa1338bb5dc840a5e77419e05e4dd2a7ad3f95c31df6f4a347663ce7dbdaf2c

Download Submit
memory/60-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/996-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1028-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2924-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3628-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads