berbew | 85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe
Size

89KB
MD5

4fdecddf990b7dfc7ff5351a37c1dba1
SHA1

858fc2a11f6236d65ab4fb640e69ac8607e41b7d
SHA256

85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2
SHA512

b09ac6e6d850b3cc0cf798b3e22a54327ebc7c43a346cc6c685b3ff47093990303e27ae01dce5462ec36d150caaff01950be45632c596785f3a0189b46fed650
SSDEEP

1536:ItyW8oxKpy3QyH86FQGgfn8y70qSjnP9inGQ0ehRQzR+KRFR3RzR1URJrCiuiNjH:6yW7dx8ugf8y7RSjn1inV5ezjb5ZXUf5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggjdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
232	Nggjdc32.exe
4244	Njefqo32.exe
588	Nnqbanmo.exe
432	Odkjng32.exe
4816	Ojgbfocc.exe
4016	Opakbi32.exe
3056	Ocpgod32.exe
4948	Ofnckp32.exe
2404	Oneklm32.exe
2220	Opdghh32.exe
2088	Ocbddc32.exe
4716	Ofqpqo32.exe
4992	Onhhamgg.exe
4300	Ogpmjb32.exe
2356	Oqhacgdh.exe
2736	Ocgmpccl.exe
1884	Pnlaml32.exe
3892	Pqknig32.exe
2184	Pcijeb32.exe
532	Pjcbbmif.exe
4220	Pqmjog32.exe
544	Pclgkb32.exe
2900	Pfjcgn32.exe
2312	Pmdkch32.exe
4004	Pcncpbmd.exe
3840	Pmfhig32.exe
4704	Pdmpje32.exe
3472	Pfolbmje.exe
4440	Pnfdcjkg.exe
4436	Pdpmpdbd.exe
4324	Pfaigm32.exe
3640	Pjmehkqk.exe
1528	Qmkadgpo.exe
4736	Qceiaa32.exe
2748	Qnjnnj32.exe
932	Qqijje32.exe
1644	Qgcbgo32.exe
2092	Ajanck32.exe
1964	Anmjcieo.exe
3632	Aqkgpedc.exe
3004	Afhohlbj.exe
4788	Ambgef32.exe
116	Aeiofcji.exe
2280	Aclpap32.exe
820	Amddjegd.exe
3684	Aqppkd32.exe
1236	Ajhddjfn.exe
516	Andqdh32.exe
1736	Aabmqd32.exe
3880	Afoeiklb.exe
3584	Anfmjhmd.exe
3312	Agoabn32.exe
972	Bnhjohkb.exe
1580	Bcebhoii.exe
2540	Bganhm32.exe
1452	Bjokdipf.exe
4912	Bmngqdpj.exe
2652	Bchomn32.exe
1272	Beglgani.exe
2964	Bgehcmmm.exe
2044	Bnpppgdj.exe
1472	Banllbdn.exe
4264	Bfkedibe.exe
4304	Bnbmefbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1896	3696	WerFault.exe	168

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Booogccm.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocpgod32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 232	4080	85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe	82
PID 4080 wrote to memory of 232	4080	85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe	82
PID 4080 wrote to memory of 232	4080	85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe	82
PID 232 wrote to memory of 4244	232	Nggjdc32.exe	83
PID 232 wrote to memory of 4244	232	Nggjdc32.exe	83
PID 232 wrote to memory of 4244	232	Nggjdc32.exe	83
PID 4244 wrote to memory of 588	4244	Njefqo32.exe	84
PID 4244 wrote to memory of 588	4244	Njefqo32.exe	84
PID 4244 wrote to memory of 588	4244	Njefqo32.exe	84
PID 588 wrote to memory of 432	588	Nnqbanmo.exe	85
PID 588 wrote to memory of 432	588	Nnqbanmo.exe	85
PID 588 wrote to memory of 432	588	Nnqbanmo.exe	85
PID 432 wrote to memory of 4816	432	Odkjng32.exe	86
PID 432 wrote to memory of 4816	432	Odkjng32.exe	86
PID 432 wrote to memory of 4816	432	Odkjng32.exe	86
PID 4816 wrote to memory of 4016	4816	Ojgbfocc.exe	87
PID 4816 wrote to memory of 4016	4816	Ojgbfocc.exe	87
PID 4816 wrote to memory of 4016	4816	Ojgbfocc.exe	87
PID 4016 wrote to memory of 3056	4016	Opakbi32.exe	88
PID 4016 wrote to memory of 3056	4016	Opakbi32.exe	88
PID 4016 wrote to memory of 3056	4016	Opakbi32.exe	88
PID 3056 wrote to memory of 4948	3056	Ocpgod32.exe	89
PID 3056 wrote to memory of 4948	3056	Ocpgod32.exe	89
PID 3056 wrote to memory of 4948	3056	Ocpgod32.exe	89
PID 4948 wrote to memory of 2404	4948	Ofnckp32.exe	90
PID 4948 wrote to memory of 2404	4948	Ofnckp32.exe	90
PID 4948 wrote to memory of 2404	4948	Ofnckp32.exe	90
PID 2404 wrote to memory of 2220	2404	Oneklm32.exe	91
PID 2404 wrote to memory of 2220	2404	Oneklm32.exe	91
PID 2404 wrote to memory of 2220	2404	Oneklm32.exe	91
PID 2220 wrote to memory of 2088	2220	Opdghh32.exe	92
PID 2220 wrote to memory of 2088	2220	Opdghh32.exe	92
PID 2220 wrote to memory of 2088	2220	Opdghh32.exe	92
PID 2088 wrote to memory of 4716	2088	Ocbddc32.exe	93
PID 2088 wrote to memory of 4716	2088	Ocbddc32.exe	93
PID 2088 wrote to memory of 4716	2088	Ocbddc32.exe	93
PID 4716 wrote to memory of 4992	4716	Ofqpqo32.exe	94
PID 4716 wrote to memory of 4992	4716	Ofqpqo32.exe	94
PID 4716 wrote to memory of 4992	4716	Ofqpqo32.exe	94
PID 4992 wrote to memory of 4300	4992	Onhhamgg.exe	95
PID 4992 wrote to memory of 4300	4992	Onhhamgg.exe	95
PID 4992 wrote to memory of 4300	4992	Onhhamgg.exe	95
PID 4300 wrote to memory of 2356	4300	Ogpmjb32.exe	96
PID 4300 wrote to memory of 2356	4300	Ogpmjb32.exe	96
PID 4300 wrote to memory of 2356	4300	Ogpmjb32.exe	96
PID 2356 wrote to memory of 2736	2356	Oqhacgdh.exe	97
PID 2356 wrote to memory of 2736	2356	Oqhacgdh.exe	97
PID 2356 wrote to memory of 2736	2356	Oqhacgdh.exe	97
PID 2736 wrote to memory of 1884	2736	Ocgmpccl.exe	98
PID 2736 wrote to memory of 1884	2736	Ocgmpccl.exe	98
PID 2736 wrote to memory of 1884	2736	Ocgmpccl.exe	98
PID 1884 wrote to memory of 3892	1884	Pnlaml32.exe	99
PID 1884 wrote to memory of 3892	1884	Pnlaml32.exe	99
PID 1884 wrote to memory of 3892	1884	Pnlaml32.exe	99
PID 3892 wrote to memory of 2184	3892	Pqknig32.exe	100
PID 3892 wrote to memory of 2184	3892	Pqknig32.exe	100
PID 3892 wrote to memory of 2184	3892	Pqknig32.exe	100
PID 2184 wrote to memory of 532	2184	Pcijeb32.exe	101
PID 2184 wrote to memory of 532	2184	Pcijeb32.exe	101
PID 2184 wrote to memory of 532	2184	Pcijeb32.exe	101
PID 532 wrote to memory of 4220	532	Pjcbbmif.exe	102
PID 532 wrote to memory of 4220	532	Pjcbbmif.exe	102
PID 532 wrote to memory of 4220	532	Pjcbbmif.exe	102
PID 4220 wrote to memory of 544	4220	Pqmjog32.exe	103

C:\Users\Admin\AppData\Local\Temp\85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe
"C:\Users\Admin\AppData\Local\Temp\85fc6e874b79dcee76b98e6fd8fb88535878a933889e6013274dc85d0de5e9b2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\Nggjdc32.exe
  C:\Windows\system32\Nggjdc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\SysWOW64\Njefqo32.exe
    C:\Windows\system32\Njefqo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        28⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        68⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        75⤵
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        88⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 408
        89⤵
        Program crash
        
        PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3696 -ip 3696
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
89KB

MD5
bb8c89ae3159f3559557197dee4ba7bc

SHA1
69eefb15ad59c4b0221f6d6812e108b57dae2520

SHA256
ff5c3d7872aa7a57e86a25cd2ef398711fe538c1b0453b62d8bc96ddbfaeb774

SHA512
fd149741e4e7c3b96cf4534f87d4aaddd6ec5ed96d4e2ff33e63a91cca945b8411d117a6064a770f10562ec6c7767058537263a9cb116be273d5a7ee1e0f78fa

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
89KB

MD5
835ff9e599310aa45abd86f8b93a54c3

SHA1
c36be1a97b0ebba50ab8ff77e0bb3d776455f5c3

SHA256
245b5f8349cb352fec116a2f07b9a92bd14f1c4d657e054763a2642e11404cd4

SHA512
f7dd48b012babad24886a20cf9cd66da2046aaa845c552fab481ee4fa39fcc2a00a3bab490bfbb13666bd7d04e04e4ade735e8417194424fbedda14f09c71013

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
89KB

MD5
6bf2bb03d61e8a17e57e2f59a88d7353

SHA1
55c41b35a4df3bdeafdf8846f9e696d8575c2019

SHA256
611287dcc449126c83aa2de9552af375496679569a45154ad904f9e4f7347d6b

SHA512
ef1e52edcc34ec0d4cb434c2a865b861a22d428ed2865b6428235a3f68bca8adb374b240c66e5c43c45009c35cbbc6c9a68b5f771588a7d8f75ff1f771651e50

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
89KB

MD5
d20bcb3122e4b919932af36c7581798b

SHA1
8f700410b6612b2b07fbfb8ccddd4f6ccd40e609

SHA256
6ad28e7472082b8584760a9b9750df9b730eee5eff47b549bbd35975c5140fa1

SHA512
bbf6015f31567dfab6e6de317d786c13962bf63d71751eb2d8c527efa4c676eb59262acf2b6dd27cd41427a99b76124ab3d3fc888b05e27fb9064b6e4fea43d6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
89KB

MD5
cba5f85bd93d9193f12390dea565bb54

SHA1
62ade8923b2719af8b26dc88a228eaab232fbc7a

SHA256
5dba3047cc4fdb7b954b128dbba71a6c4b7fffa5fbaac650212e45afb6fa28c4

SHA512
d40db1f961a6ad958f52f245bb0514b871e7ae5fad555260441d6c724d3aa804d6ed2b8622e82aa72e30137a24bd346cf6397323f4a7b003cb1a3d95920095a4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
89KB

MD5
538a865b92ad3029cb8ccaec0f71d60f

SHA1
8bf2320d4a1e97f77f2fa47aa165753d597eeb57

SHA256
8fa1a1a80e53dc764c2444c8f8460e01ffb558a2517f6d2da52cb542cec37e3d

SHA512
b25fe921a66fea25deb741dc2d2be8cf566e64370a9734d02df1259283bf1c2525b88487a318851a3bf0328f005ad874de99c8e8ac7ab3f02f021fb00af4347b

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
a388750f814a0321c1f50d37ca674801

SHA1
949b46cf88abfefa8c1d5c69879899f6b2b3ec45

SHA256
8139970d536d879021e9bdc583057c2c1038f836b3f164e3c86ff445af8f6bbf

SHA512
9092bfb9c47b7a26d89a0f4ae5056d4b9259b50afcea314c19dab0145318efb9dfe0a1547b6911173f2627ecdc3bc11c3ebe9ce5941d38a860f9b23a729a42c8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
89KB

MD5
7498a91d5adb4a3ea91d49b9f581b6cb

SHA1
40e469e64a386d0ba5bd85dd806a52b54319d554

SHA256
72745135e7f4cedbfe9d29e9855b4787dd0c2f0d9a3224c2ba350c601cfa288d

SHA512
72052811b3fb2b50d577fae8b7e03f49177121bc85060784ce9b5f70b7bf300adeb464ad39487b83baade857b8874547643158727f7a59a2b87ccee7e10bc62d

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
89KB

MD5
93b9eb350ff1e74ecd55a6d458e937a4

SHA1
59a0ebf78bf71bbb02478f91d8ef79f743d5be50

SHA256
05b23681a0127077d600790a88c99737b93887af618e8eff2eef100caebe6786

SHA512
7b7a42deaf210d21453fbe1e4a1f9f2e90a46ce967b18505c836585a7b16832fc1a5bb2b5fdb56892d26c5f0aa05119866e7e4813765d256febfe125d634fcd3

Download Submit
C:\Windows\SysWOW64\Mnodjf32.dll

Filesize
7KB

MD5
530a2faf4a76581abf062fef4578819a

SHA1
61291adf518f2bdd177fee37c135f21f52a406a3

SHA256
7f5a9c5389fedbfee5eb5815f611ba7dc62d17e87290cc5adf66f657a99bf06f

SHA512
3dd1c073d1daf980b13526abc5667c325f406874348970f11170ed1bfdd189a42c689a76cacf80021682a1d721c7c39a414c6fcc7c74fc3580e3310674eba433

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
89KB

MD5
47cdc7d222458f9cdb91b428d344cb80

SHA1
d467e4965f1951ea1167e87d3cbb8ebdbd631e3c

SHA256
501f84b330024c074a7c3f4f487bb5616f512794d7236866cd13a30c98b4d5ef

SHA512
11aceda2b43a021b77bdf4b8121b77acbfa9742ca0c82aac82ad33ddfd8ca86a7cbe0b5c846cc1bd791592b4fd8867a184679734dfab15a8eaf1dd171658881e

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
89KB

MD5
b395be6537848265b4e8c115172949a4

SHA1
8193071b3af21a38f147a424dcdcd743889533c8

SHA256
bb3d747858a44b4979c5406f4566d11ea53a312f1ee27c6f4e013c4bd06aeeb9

SHA512
a99111b96696e72fba2b589a3bd0e97a410a1a89d57d89913b5cfaaac8ab22bae800e7c44d2ce377677501f3a03e7d23b764c6317e65f1fae6ced198d58f4b78

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
89KB

MD5
65b431af56c4ba26e0a1999eedf207df

SHA1
5c37684a69b892d624de1977a0bec435a6393d9a

SHA256
78b2817f25d7350e5325e3423075124166e250987b6978cff2dcf970c09c75c4

SHA512
8300c6b9153c4484ad5f607f39debfa8fd8c1eaf0dee619abbf815a58de06b0715b8d34f5d896be5cfc25c193e817d7ec0c6dfdc6022f9030961e9e8c407ac42

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
89KB

MD5
9e44f07d2744477b7561ec40b8d120be

SHA1
db1a931dbdb3d1af6e4324e1712970cd86806be1

SHA256
25351104af9b7ccabed8080cbcf9526e0593dc868724cb989836ab3eaef01f15

SHA512
4c9d282976cc780bdb5aaf6d2d6a8e3632e9b7fbbc3af98ef515e42e4565235a0c58fcf64be7d61457c19481b6a95871e48b18f08cba2c88b632ca03784ef87f

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
89KB

MD5
f999effcc2a83a349173b8a427c72e05

SHA1
b7e423f6a30379ba2e87cee021e539358209a075

SHA256
8a8067e310eb1a13bb86a1e2d8c014f9796147238958f22e799cb24fbe300974

SHA512
1564878d44c7cae78680cd82878458bef1bdfd960be30d1d0010de07fabf673144a9e356821359aed0ede426a146f7432d5f12f4e311907678ba42bbc2507e53

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
89KB

MD5
9fba810611e74da8c592e195a529184a

SHA1
280aa3cc752a54aa4c1e58b8e61438f510d0da9d

SHA256
c6a432bd9aa596b1552980360c5b89a027e5b0ae92d0eb6ffa0d893e3e18cbdb

SHA512
cc51d56bb08494a6083f1d6e45786f7f9e000bc494bb96ce7c1984b5008cab1c709943bf43eb0702a322ef491d1edfd0966f9adbd8878341dc2097ce2beeb64a

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
89KB

MD5
22106f8f95b8f0f5ed2590fb939bacc4

SHA1
d96410526fb5ac81a0df0c1ad90e1b9dcf52c8e2

SHA256
e8cef60e836414a8ceb242bd4bd79eac6b54bbebf784912539f5d82a53142ea2

SHA512
93960d2dd6b5e10032061b4276e233ef5ad5b5d281ea3273cab554f6ad4b0f157f98a57e07bc140cafce969fcc068ccebc62fbc6a166235ed5cbeca84bab7247

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
89KB

MD5
a28c13541185196ffc9ba13b9ca64c8a

SHA1
8f45a04ffe2c6396e3095fd6c5d8e5299fb0ba97

SHA256
00a35be9c4890e891bb811c3abdcba045aa860fc29cf6dff1477d04d548e6ed5

SHA512
18ab3c8857cd6f221cfcca2105d693b146d52ffb3976b1c58b22d51547ec7799cdc12aefdef1f2cda79c85c7e5f9b3edc3ae8c9a47f46bb9db750f85695540d7

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
89KB

MD5
c553ef6ee760a86fdded94fb39277563

SHA1
acb90318f43249868e1ccb8e5d737a1aba2fb9cd

SHA256
2955b5c1c9937e27dd3eebcc73a55003f83aaa4bfe34e13037eb3cbe5d17ad7b

SHA512
b6f863459223bbe4c92cecaa3a4e0608bb3bc80a1994effe3bd98bf05e6519dd5b678eb933315d7edd0176a1324f815eea42dd6a2d2966545775c52f17862aa8

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
89KB

MD5
03119348c575367fea84cde37be5ab28

SHA1
454c5a257a15633395c89447c9fe79726e11a3ac

SHA256
6a5a72313fee8cf3346f9fd998f3ef0300087640f2c8e0adba6d0ac57faf9a1b

SHA512
3036ef26d7e75d5d2cc731dbad7650cedc7c235cf51de662149048885274ce6b83a034dcedecec334069805ff3b8cbf7a94ff9b38c144379b5a76d3a35bd03c0

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
89KB

MD5
a7a3a0b08a9c6883a9b4df1ba6780fc3

SHA1
94d9eaf543e73d495eee3e58c09d201a4ad7529f

SHA256
04c3d628ec1c2f791f60b61c91311e5da9665dda2d551f9c4ef5fb9b54c31c8e

SHA512
627f619ba56c67d1468a481e1b9d754ff20d72b2429759bfd2a197bc1a0c644ce9cffa6d9a4137116c07698dd53dda9f5918722cd192da10ad3f24c9f5f162ca

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
6a78793c867d72f497d29e2d7988d8ce

SHA1
dd89fa63bf8c7bcf2d8ce3833d7b0915dab94b8a

SHA256
caf4c3e9996553da94955be74b2fd40fe2000ab580a4271300fa63d03eb0c7ae

SHA512
88a8c205890bc90f5ff9e65d3cf001dc0bd8377bb0df94c5df9a091f4c0d366694032240bbeb396b865c85107b5336bb791f83ff0b5ac3aae8592aefdbdb49f3

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
e462a4c67d04fc58219e2cfa367d98c7

SHA1
6c4a3d3e2711a436ae0846ac2c6896a1731b2f45

SHA256
51b8c8ab1eeb4ee7eb617079df1c1e7db1752becb4eb4cc84138127ac6ebb44f

SHA512
73f51504002ed60f598d903895cc45d1ee7778c2dfceeca3ecf26319101e2410e1d0da53491faf53615a7479d562b56112962e9283c9cb5b9e2c32a5f0c13c10

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
89KB

MD5
f6c504691dcd96a71f019b62d691f45f

SHA1
91697e3f96e2c6361dc3341e0463d134d1f988d8

SHA256
9e88eb522108f1a499406d6f7037af6df6c11d203d1ba5c12297db157274a113

SHA512
445a42a6026fd93c9cfa8dd4f7f2887c9866f4f56ec610418e243ac6a4b311cdd7ac3f6c2c3041a6325d91db767fa037f07acfa31895adb28f943c705512e203

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
89KB

MD5
17f5e4496e55adfdcf83ad5e17195172

SHA1
cfc46a127d979b46ca75d089d56dc000e807e50f

SHA256
529643edae4f859b2f45e31a0f271752399488946cba1d7c6a9eb7a38f9de6c5

SHA512
9b2887926a4d20822da0a6d9a57b1511f5ed9e3f99fb79ad7a5fa48b952c9f3466a27c619fbb0d6e4ebf6bdffd7061fb026746a19e0e3d3d69e3701965c19593

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
89KB

MD5
f404b80648199d975462613f6997ac9f

SHA1
20f7001edcef9f659ae1ac4ee2da323f732a60e0

SHA256
79632dbf7de7bdc69ffb33caced179c804c153ae1f66c9b70e3d84937a86ac39

SHA512
4d567a2c1eb627031427e2c82ec8cc17bb90f8db3b90ad3061e7e37b6f67a62e1f137ffaae9611efc8432d354b78c80d09ee441e5a9786be93804156f6270a56

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
89KB

MD5
215f7b59ace5957d63f1e5fe7cb9d777

SHA1
4f86eaf263ca8f1343f889f6ddf1326ca1ccef89

SHA256
cc458c63fb1a352ffbe47cbf7924b1dbb9c1d22a002ac3203fa052cbdbaa1045

SHA512
89e3f5f42884847f5dc8d1d0b59be7aef088fec3278402083d4e13c47256eeeae3db83662e6e63e667b79e4140f350e30a73c1f0170afcaf6ce883027b224ea0

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
89KB

MD5
1288d9388590be99856ecf24bba6f2b5

SHA1
93384786622fd62905b64b16aa212a3b7c5b99d2

SHA256
1b8345aab336faa67dab344484d91e2fe88cc141a3276ced6b33fd923e9d2957

SHA512
11357df94a6bfc88f92a01d4d99b1ca849c973b47791d288f3c7773281c0b45f7fc4218450605a311da1ec9bbb03408c142d056928840575381cfe77a541ffb4

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
89KB

MD5
89bbd0f7c36899f2038a2c0ad118c210

SHA1
86aa03941e387d6da58251fb52cd960fcbdd525a

SHA256
0cef2a613d3641f19ce92c8d8c47584862514bc324d472b171e90844408e75dc

SHA512
de1610f678d84a85193a066e819a075c4b4f2a6407e156ce35249a2965f3b0ffc62d7cd975fcb5c562f1b3c0f9c5cfb31e2acac9325d995ccd5066f195f3bf74

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
89KB

MD5
697a3303147e82cb12646c6d09759d7d

SHA1
807176efb3c98b0d56287d99713cd81e18654058

SHA256
e1ab2c3f46bd56720a173e54c04beb9c9ed69c70fbe1885dd288338f18ada160

SHA512
565f005da26aafd6cc4bae2df4be119fcd6404a121133c9adf8d0ccbe93a59f52cd2d22f8b63d1688b9c7d849928d93f91aee8976810a74a96a2aab96e25fbd9

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
89KB

MD5
8c9fd77f630b0b5788771cb1d574ab04

SHA1
7aa5a8fb5e3d5535bff49ee2f0766b971cf79f95

SHA256
c93d9d9450bf9ecad50a08268e8c3021c0f0f82a65b9deeff33694dcc42333f4

SHA512
0367c9ac9efaf33dbbb6c89ac539127d592aa0edcb5d6709c5acb12f220d75aede714c2ebafba2001ded3ddd6de138f0a0d2b06da207572302528a78262c52dc

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
89KB

MD5
4e61d25c30b7b632927197cdf8b90e09

SHA1
757400f62ab0f69746965bc14b9b466c4d99df50

SHA256
74bdfe806219812301e7946f9f0b26dc2b60fea523b1fd04e2f95c3dbd7af3b2

SHA512
b69e6e5c1aece83b12d3cea32cca41bf956f5db3d62da29c5f12ae3c021d512c1e4371351613a79b81f651d353b4d5518c11f7ddfafbae02046dbe44f2032483

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
89KB

MD5
53437047b230f07aee9a659633eed52b

SHA1
6140dbac205bccb113127041bf9dc8de48f3fb50

SHA256
cf83e3dd94dffe232b8038c04996fcf1b0bd0d89caef8d2a12e79019f55c0182

SHA512
8e2702a2f08f8cab2c84e614d58b3d726269731c24f79f2ce04795bfaf2f22205ce423a286752bee6de0db12e2775b3fc708a5dd529b30210a484abde497b23f

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
89KB

MD5
36e9ca8c5cd7574290816bef304dceb4

SHA1
f99a32e07dc08312db302ab1b9637b42392bae04

SHA256
094e2c233dc1f005b6f578fd8359243f04ff0f66432fc80724621512b7cfcca4

SHA512
d949fc0911a2817bcae162d1b52efdb4b980edb7c30363e4f663a98671179fe2303c39c738e8add2abf9809cc83e34e76f5c36bdeef480e2611a3eae030f1257

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
89KB

MD5
4ae4b58a756b53c8e791899cf88c5d7d

SHA1
703618eadf1c1881d462258fb22603eb4a8ddc16

SHA256
66b6b2694a608372e70115493f7734a934747f839d793a8513ca5d73245ae3de

SHA512
f4a0d302ad97b1bfb45d8ee8e093e1705e105b70eed5a220c1663aa8ece3a5bd6146da0c779015438789f5ad377fb3c6a5cb24b333781b53d87f576f2d509ec7

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
89KB

MD5
1921fd25047618a6cef9bd4107c700f6

SHA1
ade241c4930f02584631c488f6e2ce7b69d7cdc9

SHA256
d8fe0511e4b8e92ac7dcf8c4905b9716c342dce52c395ce25750e06b6b46be3f

SHA512
b596fe3423e670c537956af144a4bd791dfa4304783f7638d249b8ff5c33ec28b275c28c51981356fc9fc27daef537edf2f5d36abb02e4811f712be825ae0a89

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
89KB

MD5
9115c0d4e351fb094b986568743b4eb8

SHA1
ff8f0ced04cfd3f36d74f6b5c4fb6439ef967ca2

SHA256
576a365cea9ed89b495c43ea7dc6ce69c78eeb9caa65a0d176dff086d604de79

SHA512
4317421eae3d34a2e3af3c420ae888cb560b857166347e2595d58575073b28c649de51d4eb12c948ca7f2ed3258f728e25fc18a7dc3e9d37f7c6c1eadd70d505

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
89KB

MD5
79ae15ca38452ff94eaad81f6ba99328

SHA1
298a066f780da83f3167bc9496b72e3f5b227beb

SHA256
39fc903de8e6b109b9ab9196e8a846bd591ca3c48f9eaea69c38fab9ba73e946

SHA512
f87594c426df50fdff884abdd3251806eeae7a428318a8186377fcee612482406eecc3c21788cc83bff80fa1237d35c2aa22d7e38b0e42e406c63de09189897f

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
89KB

MD5
39d8c6b21bbd790f28b65ef27adbf598

SHA1
1730d1c0ad3c755ffc3bbe25a087c9d0d5778507

SHA256
793649d5055d0b8c9ba45564088181fae91baaaa1a7459af3b8255e3537f9891

SHA512
a74b59cf320634370fe5d6a87b77068e5387173d7f7d92a90abeaa980864785eeb3d560d160190a9a434f03e4a16914a789de804558548f091cf7ac188e9f97b

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
89KB

MD5
98056ee03e0ae8b7d6a102059f0fc470

SHA1
5da46badfbe1069cdfe492c1003b033f75f19623

SHA256
0b5b0df6ebb73d4d87b3080535ebf4333cb49753da6925ee5aac47a7c992dbb6

SHA512
6541c79423474d7c0af090f69017c19f11b2e73cb885734d2a6440eddb5cb9f5201bc30a2bdb4594537a1ab5f4c703f65510b211028612b7a47401cbe0686e69

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
89KB

MD5
9b00f4a98c96cecae783cfb5d90a1ecb

SHA1
699b4435f99fe207705e5aff83c723fa1761010b

SHA256
4963f956a75bc6b83518b4eef530091ca8f6c0251e44835f772df41acdf3203f

SHA512
9e22a2ee4ed177a7c84bc1b78ac08e162251877ed34f9697f2a1171acaccfe29d4f71fe5417b8416746b523ab36e57eed92ae72d4fbdd5a4d7552cf9e4f733a0

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
89KB

MD5
9d9b0b82e0ec977afc38d1c9117d0eaa

SHA1
de7dda338231e81c11b5e1ee08bcad4fddab9cfc

SHA256
ac47da20fd4b56cfb0548408fb2756171597bedeb3146291e17c569f24db9150

SHA512
a47d9c70ad160953c6c9d254f62ffdf954c34ba89e1d3e748fa9c5b750cee7c3d2b63f2e5d1306c9cf6dc789eb4e6d3a3da2ca9ef25fb7c29cf4dcb1501d0e8b

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
89KB

MD5
3d2a45f742d42a977eb900a93a2d75e0

SHA1
2cca341b98f4e5594455fe32e5067ce6db219667

SHA256
b1ded880297374360db4c51d7a5143b4af2490f4ae7529ee1c7ed9c184854f0e

SHA512
11a155d35e4b1149cdc09b45961ca7645165b34868481ec54e9c000619d26cb28306d4014313a0731e76c838a564cfcab342cecff17ce971958a412a7f012cf9

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
89KB

MD5
52a5f5965fa7dcf3a0d0c449807aedd2

SHA1
6ebe23bbffca7ceff3acd6cb50f52f2cb296e293

SHA256
44fe2428e0e05f7fddee5570a901244ca35e5facb67e6e32430c6ff07e6a9937

SHA512
bce2b2a744d5f0d2644f857351e80d7fbc6477e9150654f44e3fb4bfcee42502ebd8569ccc0b8a3f493cd350f000acfb0aa585f1504a50c4a150e965ecb892bd

Download Submit
memory/116-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/116-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/232-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/432-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/432-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/516-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-282-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/588-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/588-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/820-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/932-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/932-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1236-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1528-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1528-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-381-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1644-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1964-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1964-395-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2088-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2184-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2220-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2280-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2356-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2404-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-409-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3056-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3312-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-402-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3632-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-283-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3684-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3880-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-242-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4016-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4080-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4220-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4244-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-205-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4704-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4716-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-416-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads