berbew | 6cce62e4093016d8074a8cef431a23e86413b56290e1298e89949bda1b22ebf3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

220KB
MD5

deb4cb209f7d5d75be3d7d80e44bc46a
SHA1

e1584efccbb9069bbcc947babf1dece0a57bce16
SHA256

1d81c2d93d26eee460a7045041788916fc9fa4ecca82f6867f9898b48516c541
SHA512

be76136088a071912343552dd1c44f32236b3e7794869fc98ec8b832663d6e346a1b8c03d5751cd9577a08ed5bb17737f4b5170c5fcaa616e9271ccb36123ef1
SSDEEP

3072:ur7sYxD+4khj4ipvBC2y9foLpNk0jhINpKmdH6cltTeoqxiSqVsst4e3yMxhINp7:ur7ak0jLs7GoqoFtFxLs7Go

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjebj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4984	Ngbpidjh.exe
4800	Npjebj32.exe
4600	Nfgmjqop.exe
4052	Njciko32.exe
4588	Nlaegk32.exe
4160	Npmagine.exe
4968	Nnqbanmo.exe
2376	Ocnjidkf.exe
5112	Oncofm32.exe
768	Ocpgod32.exe
3940	Ojjolnaq.exe
4920	Oneklm32.exe
4120	Ocbddc32.exe
3340	Ojllan32.exe
2436	Onhhamgg.exe
1152	Oqfdnhfk.exe
3928	Ocdqjceo.exe
372	Oqhacgdh.exe
3240	Ocgmpccl.exe
2104	Pnlaml32.exe
2252	Pqknig32.exe
2704	Pgefeajb.exe
1924	Pmannhhj.exe
1108	Pggbkagp.exe
2324	Pdkcde32.exe
760	Pncgmkmj.exe
1080	Pgllfp32.exe
5056	Pjmehkqk.exe
4840	Qmkadgpo.exe
1340	Qnjnnj32.exe
3980	Adgbpc32.exe
3804	Afhohlbj.exe
4540	Aeiofcji.exe
4312	Acnlgp32.exe
1516	Andqdh32.exe
784	Ajkaii32.exe
4656	Aepefb32.exe
384	Bjmnoi32.exe
1020	Bagflcje.exe
2260	Bganhm32.exe
3576	Bmngqdpj.exe
2320	Bchomn32.exe
2588	Bjagjhnc.exe
2236	Bmpcfdmg.exe
1520	Beglgani.exe
4176	Bjddphlq.exe
5100	Banllbdn.exe
2692	Bclhhnca.exe
316	Bjfaeh32.exe
4596	Bapiabak.exe
1036	Chjaol32.exe
4620	Cndikf32.exe
856	Cdabcm32.exe
1208	Chmndlge.exe
1600	Cfpnph32.exe
1464	Ceqnmpfo.exe
2828	Chokikeb.exe
1888	Cmlcbbcj.exe
1064	Cdfkolkf.exe
1948	Cjpckf32.exe
2408	Cmnpgb32.exe
1808	Chcddk32.exe
4384	Cnnlaehj.exe
3060	Calhnpgn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ghngib32.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Npmagine.exe	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Nnqbanmo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Nlaegk32.exe	Njciko32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Npjebj32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	Nlaegk32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4076	4940	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nlaegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npjebj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4984	216	sample.exe	82
PID 216 wrote to memory of 4984	216	sample.exe	82
PID 216 wrote to memory of 4984	216	sample.exe	82
PID 4984 wrote to memory of 4800	4984	Ngbpidjh.exe	83
PID 4984 wrote to memory of 4800	4984	Ngbpidjh.exe	83
PID 4984 wrote to memory of 4800	4984	Ngbpidjh.exe	83
PID 4800 wrote to memory of 4600	4800	Npjebj32.exe	84
PID 4800 wrote to memory of 4600	4800	Npjebj32.exe	84
PID 4800 wrote to memory of 4600	4800	Npjebj32.exe	84
PID 4600 wrote to memory of 4052	4600	Nfgmjqop.exe	85
PID 4600 wrote to memory of 4052	4600	Nfgmjqop.exe	85
PID 4600 wrote to memory of 4052	4600	Nfgmjqop.exe	85
PID 4052 wrote to memory of 4588	4052	Njciko32.exe	86
PID 4052 wrote to memory of 4588	4052	Njciko32.exe	86
PID 4052 wrote to memory of 4588	4052	Njciko32.exe	86
PID 4588 wrote to memory of 4160	4588	Nlaegk32.exe	87
PID 4588 wrote to memory of 4160	4588	Nlaegk32.exe	87
PID 4588 wrote to memory of 4160	4588	Nlaegk32.exe	87
PID 4160 wrote to memory of 4968	4160	Npmagine.exe	88
PID 4160 wrote to memory of 4968	4160	Npmagine.exe	88
PID 4160 wrote to memory of 4968	4160	Npmagine.exe	88
PID 4968 wrote to memory of 2376	4968	Nnqbanmo.exe	89
PID 4968 wrote to memory of 2376	4968	Nnqbanmo.exe	89
PID 4968 wrote to memory of 2376	4968	Nnqbanmo.exe	89
PID 2376 wrote to memory of 5112	2376	Ocnjidkf.exe	90
PID 2376 wrote to memory of 5112	2376	Ocnjidkf.exe	90
PID 2376 wrote to memory of 5112	2376	Ocnjidkf.exe	90
PID 5112 wrote to memory of 768	5112	Oncofm32.exe	91
PID 5112 wrote to memory of 768	5112	Oncofm32.exe	91
PID 5112 wrote to memory of 768	5112	Oncofm32.exe	91
PID 768 wrote to memory of 3940	768	Ocpgod32.exe	92
PID 768 wrote to memory of 3940	768	Ocpgod32.exe	92
PID 768 wrote to memory of 3940	768	Ocpgod32.exe	92
PID 3940 wrote to memory of 4920	3940	Ojjolnaq.exe	93
PID 3940 wrote to memory of 4920	3940	Ojjolnaq.exe	93
PID 3940 wrote to memory of 4920	3940	Ojjolnaq.exe	93
PID 4920 wrote to memory of 4120	4920	Oneklm32.exe	94
PID 4920 wrote to memory of 4120	4920	Oneklm32.exe	94
PID 4920 wrote to memory of 4120	4920	Oneklm32.exe	94
PID 4120 wrote to memory of 3340	4120	Ocbddc32.exe	95
PID 4120 wrote to memory of 3340	4120	Ocbddc32.exe	95
PID 4120 wrote to memory of 3340	4120	Ocbddc32.exe	95
PID 3340 wrote to memory of 2436	3340	Ojllan32.exe	96
PID 3340 wrote to memory of 2436	3340	Ojllan32.exe	96
PID 3340 wrote to memory of 2436	3340	Ojllan32.exe	96
PID 2436 wrote to memory of 1152	2436	Onhhamgg.exe	97
PID 2436 wrote to memory of 1152	2436	Onhhamgg.exe	97
PID 2436 wrote to memory of 1152	2436	Onhhamgg.exe	97
PID 1152 wrote to memory of 3928	1152	Oqfdnhfk.exe	98
PID 1152 wrote to memory of 3928	1152	Oqfdnhfk.exe	98
PID 1152 wrote to memory of 3928	1152	Oqfdnhfk.exe	98
PID 3928 wrote to memory of 372	3928	Ocdqjceo.exe	99
PID 3928 wrote to memory of 372	3928	Ocdqjceo.exe	99
PID 3928 wrote to memory of 372	3928	Ocdqjceo.exe	99
PID 372 wrote to memory of 3240	372	Oqhacgdh.exe	100
PID 372 wrote to memory of 3240	372	Oqhacgdh.exe	100
PID 372 wrote to memory of 3240	372	Oqhacgdh.exe	100
PID 3240 wrote to memory of 2104	3240	Ocgmpccl.exe	101
PID 3240 wrote to memory of 2104	3240	Ocgmpccl.exe	101
PID 3240 wrote to memory of 2104	3240	Ocgmpccl.exe	101
PID 2104 wrote to memory of 2252	2104	Pnlaml32.exe	102
PID 2104 wrote to memory of 2252	2104	Pnlaml32.exe	102
PID 2104 wrote to memory of 2252	2104	Pnlaml32.exe	102
PID 2252 wrote to memory of 2704	2252	Pqknig32.exe	103

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\Npjebj32.exe
    C:\Windows\system32\Npjebj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\Nfgmjqop.exe
      C:\Windows\system32\Nfgmjqop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4052
      - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1208
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 404
        79⤵
        Program crash
        
        PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4940 -ip 4940
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
220KB

MD5
0ca713d9531f2925b210b6184c060f0b

SHA1
6f04a12fbe3623139cca8b129f7f4c57b7e6c886

SHA256
6fd8f5b8c4eb7f8a97ad728a5798c96bfce6a2e03caac60c665a1b4d8b7a3d09

SHA512
8ed02f041bcebdfc93cfe0a5806915d9f0bc9f659ca9e902625cf961aab3d95e652830cb9be873fcbbd37ba8c7e75b8b8f83fbc93232daeed220b941f416c066

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
220KB

MD5
6661d6308c74af5a1eacee987fdd4b94

SHA1
8f846509317d8662226d285063c5098b66071ac2

SHA256
ca2d1fcd0a9103a263c7e846af522b0ed81d926e5edc72ed02ea3ecba33fe7de

SHA512
a66f2267e3b84c56cd3d0a967e8a6b86f69d184844d8463a2ae59a871f05d4b07f89792434062b1ed1c26aaba0149b784470c6db3c641cc0204a7089e10b3335

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
220KB

MD5
3c1164004862d292efd5cd8f94cafc3b

SHA1
ad23e6db7183cf6f6604b553457567e270503ccf

SHA256
8cff93d5e07905c2b92d2ce2882aa1df661c4b4f1bbbb007483f376d3017f049

SHA512
658bea90f344271b4c95e2008da4c3bc54558bf6897af3c43a0403f5ec54e943c682124eb1c7d8f8d964d9b77b84b873824394e50f63ae3c1e9c137b0ad33043

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
220KB

MD5
848256b842432274b4640c7ca4844415

SHA1
0c3846d5fc75cf9508a3fed8e8707c05e20287c4

SHA256
eb4d1a0d6ef0369fe5c66b4a991e6bec976d2af6d9ca246776156e55436dc137

SHA512
48e5c5d2d69c08b7e20d0ebc63ab5941f452abf3583292c1aaf2a68a0401c1560fd5d99241891f790f5c36fd129a46bcba6ecb22b2a82a1ce24a7091df6ead52

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
220KB

MD5
510858bc8fa626ba718ba97196a56d3b

SHA1
48563c92ff0729e1b61e3025203516af346babe3

SHA256
33d58f37f9480a229be7aa9c406c80ec2dbd0e5ef8d337dc27d2ee089377e934

SHA512
2ea035d1059d6749565ce7c3eed1a15e2fa64d9a0b93b66965bf954c7ec52f29c510611e64bb3e65f5fd9d21e60df107939bab595d89193f0c2e9455116e352a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
220KB

MD5
02b02e488939644a97c9091afe787e8b

SHA1
c0d7ad1d6b4e21102dda326335c7d5bc945ce641

SHA256
89340750641658694392b8b04fd8315b1116fce96245951613e7d759fb6d0948

SHA512
b5b7ec536decbab3f07a23e1bf99ed30d0be566adbca248d2d41365c87365acb6c06cc3ac5659710c63eaec2ff7ef72915f8d577a14b1217c751c6764e7db913

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
220KB

MD5
0bc0733dad931bf09d64a5b2f6588476

SHA1
fe64ef3ae16d5a04ce95b11a718f5e0caa96352a

SHA256
a451cf5016a668dd6ea22c3aaf8b4284bfa5dc83b08768a5df98fa475b3efa35

SHA512
5071be225bf5833fc964365eed1ea758d359a26ee25ec00dc53d115a6fe9b038851b3e4e63dd48e6a976233e5f2a6059e5bca1b2cc96951fb63f94ad69fae639

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
192KB

MD5
c91a64f7e9d8c4c2bd8d73d1815e9763

SHA1
619f19b8c4f1213488362572838eee0fed18e31e

SHA256
69cba2b1d8561956f973754e11851ff16b4540bf53edb8ff815f2933aaeab71b

SHA512
4d17cdae4c6022d4580b759f6d694a5064ad7806a804a6bd0fb2d7cbb735d7c1acfab2b38eb9933a07a21651c6c35a338bf277768747d67d0ebfb8ce91e149da

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
220KB

MD5
7e587a218fd75df4ed38092af8c03205

SHA1
308f1899db7f45065d9773dc2d693de616076b8b

SHA256
dc0331fa149568ccf671cb73e70a02706919ca08108b574b943309b8cc55e7ab

SHA512
abe31728f636eb4021cbd277b71c5fa75172709c75a8a3c941f0ea867f4b159e21487f319c911175c7db5284109588c3c76c177931befc5027878663b93451e0

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
220KB

MD5
dd0433563ca561436ff2ea174a251292

SHA1
ba36763e3d30587852d3ec8c0d26c6d822233cf1

SHA256
679383b61b1e343c370709e8edd4f25ba110ce0a66322040f740ce6f0e773aad

SHA512
643f543a7921743fde4d7ede4468ccf4ad01bd43d0a92687f62edc3946bd81aab04a9018690e24884dbd21fb2f8e844404b781bb25f27e1719121e44a691b9ab

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
220KB

MD5
24924991b35bdd7e3b9983427d04c434

SHA1
0ba84b90973a7bc8c6808b8fe6558c9e0c3240e0

SHA256
4c90ce575a772c28d448912796cf2237114f85a45015c91240d658ede558653b

SHA512
76108f1370d4501df2e71b66904445b8d18a0e40716ce88f02a2d8b8d76f46a34c7a8f0375d290d7baea08b7aeb9fb7d0c4ddbe548dddaf4b946a492f61ef01d

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
220KB

MD5
84c67147713b88ae6e129e0a941ca87a

SHA1
6bef039f9e278b0c7145680d57356656058b4e1b

SHA256
fd32faa25ba50728e7cf30100392e90400fa872d1cf9a02d439b854699700eec

SHA512
a7e5d60d6c2cba938cdf69f886073d44211343cc55b0d0cafe68d2378a090f1f314f0ac5b2938013ba721448a5c37369489035d133ac1cd8b119bbe3731a7b45

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
220KB

MD5
c8615328878d5b919562d097f648970e

SHA1
8ff4a4ba422f5860fc7ae64468a0c0b19196515f

SHA256
9fe6a5f3eec3545f910e4fb7212c8043aeeb24086fee0ef5efc650050b50aef0

SHA512
36c4527d8c57cc7aa9050066bb960ffe92ef23eef21b53249457b486ff229168091ba3378e3b22f52887b91ed54c821722a5bff5cc457bd3b60323b8d69ad686

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
220KB

MD5
23c44d72884611db9bd0bbbda365e9f4

SHA1
2c72c1d901cf56452d1175939c67de11286508a9

SHA256
a8d032f30ece1263b342a50d7399359d2950790f5a9bf913d06b5802abf20509

SHA512
49a473f7f6f9c38f739cc82c562a70f7bfe1e6572ab3202851efb6278bc16056db30d31988fdbeb0e8ee7e9fd23512866f495c1695f3808be72165445d627c5b

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
220KB

MD5
78265aef54b0faa5bb41ecd9fa6d731c

SHA1
f1290385129c1e919192682a6e1e083d9da82497

SHA256
4a34e231fccc5bc3a863bbca24535b84b64638dd370e179dd15283bbe49b25cd

SHA512
fd2b899f1c846aea277b40299a6b75e34059066dcfa66902b35bb1fddc93e8a4a2f60dcca7e8bdc407213ff70ad1f89fb20090a96789dbfc74ab68b19c6994ae

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
220KB

MD5
9677bfeeb616188d5c73ef3bef42f4a8

SHA1
89f3144a56b8c4fa8eb4acde614753233ada2451

SHA256
a2b3d42308f4827ac2fb077e38f4ebce3600da602568c6433dfc412e38f001a7

SHA512
f6ad5c118f38acdd7013b17e00fe0e5d75836e9eecfa26dafbc34ecf34f9ba3bc4843e266b8d98eb03b680abf789ea173c0e9b4fb220937241cee08daa3d6155

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
220KB

MD5
a01c3d55c649ec54446c2e5e4e837c2b

SHA1
5e64ce7b944bc96bda7ff0cd11bfe3811e4b2785

SHA256
5622c62cdca4e9f92119d6f8d65d7a99ed318d1b02b0bde1447dce4128bca665

SHA512
78e61eef966b6c30e0e9944bdb76865881fde0e1e908f35f4040c06fc6e8fbc2287ee5312b4148e8e04ee189af0edcd81205500e9635d691b4e590a069da663c

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
220KB

MD5
50e14d9910758e7243081d2f9a93ae97

SHA1
bf108570291bc13ce12220142f4d515cf3e56456

SHA256
1adb6678f3be43532b37a51a86618e7caf18819a6496ca2ad202c6c36ef7bfcd

SHA512
462fd26bc70a059e2d02c575ca6f16afc70f61b104d36e8a8b75ebc89530d41c70e4c050db61e69fc3f69d8a2d116d3aaf6b8d118deacbabbdacc40d98f9037b

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
220KB

MD5
0df393842bab72f13b07ed3f8ce6aaa6

SHA1
a47c57a30f8c7c3ce59c4c650f58706578899f35

SHA256
55886a506d98d6cd2c7fdfd30f13d1502379ef15c02ac06aa781b96c01f8a2c8

SHA512
1691381a94b4871e2be7e0d9fd16c78bde92bea20e9bbd7d7f24b3b3966fcfa19b81037b6033cdad30462a2eacd9b8a6eb0d23cfa2197b6bf1812013933333fa

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
220KB

MD5
a5877e57c432887077cf7d8746b7e192

SHA1
e1fd0d3791ea7359a20e8c2ee002b9b415e33b68

SHA256
729882009a779323c77acb9bb788013ac4587216dbc79acddcae3c673ef15b70

SHA512
d06b01f838d5c75ac253ea106380a9e12d799603a79dfc22d44f3b08c8f8546c71a005963f8ae8941fff3878b45e86b827cdf7e344d8319fd2859d6fb50254f4

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
220KB

MD5
f0bc69bb49ce87cc65f6bfcf55a462d4

SHA1
7ede9babfeae2b2608ce080479387568f44e0314

SHA256
c1cb7db81547b60562849e44a0e5fd1f3b990b3ba92cdf2e2d894c9e0e9cec2c

SHA512
00f9e1a94efb99b733e6fcfa5c987e1ed5c662e2d52e6dd82a143c170dc70350082ab91e18405c17ce389955b9edfd434c53555019f46c5f553d57407bf0d9fc

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
220KB

MD5
bd4153f6877810fb1b050d497425a0e0

SHA1
7b39fb1509ed1038556ff089fcec5c0ade53fc68

SHA256
98cc2040715f0d3c53873e9939a420af993be9e816bfb8ec77b2a759f9fc4996

SHA512
8adae989f824a7696757a4d1fe62998a27007187d1afac3591ca91069927b49cbd8091fa00a37fc703f9fde3401f9c66daf40d22f063d96abc14cee3aa0ad9a9

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
220KB

MD5
c91d3af4a0ff6e2fc789a335b6397c67

SHA1
97613a2c80e623958823c22f6558fcf3ebb1c59c

SHA256
4af67832046a5a7b6f64418c16b375078b236c8fad8611ce640cfa121309d368

SHA512
baee4784be3cd8981683fe29a8f4e97690885ae04ffc4a599f159efb86ea76c1389e068ac2687e9caaa0cdc32a073dcb779c32bb215cd087f3e9bac30fca2109

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
220KB

MD5
12360af0e0f7d03ded6fb7068a2735e2

SHA1
e953472413bb2c12ca2ea37a69be69e89d05317f

SHA256
58fc3c64275d9e6db18e71f8a14730d1271cb19e81bd29620670d74c0a0f19ac

SHA512
4a3ed82457e6c5cad0b4ad12562d7cdf27dd3bf8f795f0d79e25195467c395cb745aedb7762711ff1facb899e69bb6b3b80e05834d64a5cdd3ba53d5a3e9616d

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
220KB

MD5
d8bd6127e23955301942283ce9f668e7

SHA1
80329c537350a89e929d6db911e2a4b2bb96c43d

SHA256
1b6200451f170305acfcbaf9d9c43276dbd86db387826cfbd7113dfc81d014ec

SHA512
0fa9077014e97868aaf8623d0ae12365997edbc2370d297ccdb4363c242436effe5550403572db9a71c9b008595fe44b932d1a29a29da0554e83a82a3935ffc4

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
220KB

MD5
0cb3cbc0d91af564a84a463abdc0451a

SHA1
5bb5fc4435170a03259e6765e7bcea98949c9dfd

SHA256
fa97109f6af38732f614b8352136885993e0d7a6fcaf585fc2a07e7772c38257

SHA512
073440824cf86a89d9daaec44d4464e5634e96bdb2b88300dcb37876e2d964a25b16a6d63aa136fac2611ddc0d5786bd95b289be6531ed6e435ee258354601f1

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
220KB

MD5
6c2b7ab3f7f037200aefb315db16aefb

SHA1
f253ab2b933d89f2a505908696c8084d75daeddf

SHA256
ad9aedc72abe82fa6d7360da10f59f004ac8c65b3692812d98f3a77e4d91317a

SHA512
8b02de80e3cf65f484e88bbb77a41b1ccb71b8235c2ce98515e3568472614bd0ff8080569c41d059e75e016565ce9c045f6f336b831082ce9b8e8130d1b4b564

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
220KB

MD5
5293911b7985bdd6610870610993c968

SHA1
7b0854531e9f4de7b9ab58d542bd32be06870fd1

SHA256
ce631571db8d548b1b0f9ca06fae07823e2a11787c8fa3cf3e0ad9ba2e3927c8

SHA512
e712aef465e35a1b56aa77dea6e4d6638e38f9ed3c622ab0f57bd72c899ac5889b3b04c58f77cc3ffd131352f7652fb9ed485baf3a168a40c035af25e6e85e03

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
220KB

MD5
e39adadcb60ea721e5469c9718ce4866

SHA1
f7115c66057ecfff9a975bfd2c597b77ae063f8e

SHA256
378ee1a30814fed883dbca71661ecc16c22ae53b5021fb1f1a9afc7a0015f440

SHA512
ec235a63e393de1ab200ae96a814f64fdd440201e930a98de49476d65dc2c9e9b60a12ca5084298a43f27620a25a405984a9b9bd3bca1802c798aaafd218391b

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
220KB

MD5
9b719fb7c89cb965e11aea3b3646c5a4

SHA1
3cf00ee0b0d8066ec6b07ee161697d8a28b20e1e

SHA256
ed0f2b0ea3c1eb31f0af581fba5889092806dc2fbe754c546462862675cdc1ee

SHA512
204f559b1460e28ea9a92092ba98a5c1a6304e4c9874219b50cc4151e2bf1bf891be66dad544b568832b78f005599ecb60ba6e605de291d21ce97e1f3c16ba08

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
220KB

MD5
f8aecbab4d2dd21d6dca1a77572448a6

SHA1
0e92dd662d62178fa946ed4b1bb1810d0807e993

SHA256
ca5200662f65b2600a844f6b42d6ceb3a04e72491f2233eb2238473579764df3

SHA512
f5e754a2b34f8dfe1f80941e92b18178017a5e65f2d8831a67961a1a9955b3b96bb85db8e9dd153a8706488bb328265a589ede35c553e6a26fcfe5f0dd9683b0

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
220KB

MD5
a5c265b677ceb15c0dfbf589bf14a323

SHA1
96ba89a0b9733ac361c76486cee004cc670c4224

SHA256
3d8ecbb6c8516602ec5a4f7aceaec06863a9e2dff1ae2a39c6790be0fb086bb6

SHA512
6b5518e805764c673b293f96f80da4fd06ef8c32695d9d785270136e6c7c6696198c19ccd80c56a596337c10fcf62f8ffde3d1eb719137baf8f90346bdbf0a68

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
220KB

MD5
1fde8639fe123c867b5ab033e047ce0f

SHA1
f56fdfb66c501a82531ae2f20deeb17215b574ac

SHA256
43aefa20596cf02104ecb3c96b5edfe4a8071f42b858c8621672140922d20e3c

SHA512
7cf5ef4adf380e0afd9a545c18ed60778b4a00f163c8e6afcba101d946b192c19db01971ca3ac001aecbb23977a78acd1d9f77553583afeae0b3e88e2643a91e

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
220KB

MD5
9e66f43e4f6ad2ac36cda7c800c7b2cf

SHA1
080b6d5dfc4ed80f2967e48ebc00488a42a1ed61

SHA256
fa3a1eff203fd58b354a414021744579d7b1244267744a768b4ed5c449735baa

SHA512
ac3d859b6e0c74937ca5b77a08dc7b4e1f7c0d7ccd52837170af6bf171dcdfd4dce278cccb8d65e4592d4415004d474c54b54fd22bc23713cadd1c69b776e4af

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
220KB

MD5
d91c3f0362420e1f7c5535a9b64e5d54

SHA1
30e95f820a4a2e9ddbad366e050200a9fd80161e

SHA256
e5176d144ed6995896d05a62c72bd32c0a2e8277855d39633dff0c845cd276d5

SHA512
a95e48470ce551babb3f11b9780797a5d35a4775b312851972cc73d637fc9d7d010b57521aa774fff671627f3c0a4abeccda1d1af144346b9f5b3f281b291718

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
220KB

MD5
197c09fc16f859201fc27332e550a828

SHA1
bd75a1901eb353b04dbdf444be8cbfdea9fbcef7

SHA256
6cd298e239bb8776aa68497215a4876e79a4b08f2e22c11ef638d96cface43b1

SHA512
f16c30cbed587aa8a82544365732dd1f56b30493f58ec2dac35e955ef143fe17bf7600041bbb74d53aedc2ab389f1d1d1c10576163709c792ff9e4e1baccb124

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
220KB

MD5
066e37695ae8e18c1d086afc41f2d828

SHA1
91592cb6fd3fa75e99256bfaa1f1da6a4062d394

SHA256
4d034dca3416a80a21cb42dc70a334664f21cb4a5de62d961c166e536181bb79

SHA512
62501dfce2f7371e3fe07e24b80f4fd90e478ae4bb36edfc249570d414a58ecc06c87e6ca803dc25380988c81a4c051083c080a1d8afb0b4b432c04d6dd57825

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
220KB

MD5
791e2d8c22ba364fc38f3428008aee8a

SHA1
9b373a680b89a6d7d8f18da8a3cd2092d5333db1

SHA256
9ae4ee14423d3b28a09bcd2e3f4bf8d16a35cc0c7d0f23b001e450cecebfb9b3

SHA512
c5f555c971445a8e46748ed7cb7d51202f548de73e5280837dc86dca4227e5821890a9ae1b12a91369dd0e14067ca73a36e2078161515f7c2b6765ed8bccee52

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
220KB

MD5
1f7c60d6984182aac8f3fcb8d938c0af

SHA1
6e3aff52997a202f2e9a7ee2f6bc0e8489753ba3

SHA256
48d7345b79ecd0d78d475658337aa7202d74831cde690e7c4a01f24074e7bae4

SHA512
d92f910ce079b3185b1021aeda3c5db9f1bc75fa05562d9e864920a6e64edea6b04a568b9bda575544743d548d5aec8b5a9e798f2ef0fa6abade7092a4c86430

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
220KB

MD5
64d1ba775586795dc111dc3fa31ca3f9

SHA1
55fe20602761663e3170454bb28c1d9a0e458b7e

SHA256
5ac636cf143e84f3cb532c2e8893038104abea2dbefbab3e1df8288a08e3bcd6

SHA512
b7cfb9b03845c44fa84d9cffde0368c3071e1876bfac58347579ebf26badd5ff7e19bbf2613b858c6378a8e4c589bc87595b1e1b8960bf3fe4916c6115beffa1

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
220KB

MD5
95da0626531c4d19b49bbad3ef756ce1

SHA1
95d43a8a28dfb971bfd41673017146c03d3a0937

SHA256
e706e0d3d99264e14071328aee98839e425bf4f46311675fe0d3677d032df3fe

SHA512
496e9ae3ba697580eb3e847667b232434c7bf46fe34f924583f58e614f3ebc83e32f35a3dac3375867d86f5233790e508aaaebefb50539ba9682c136c255a1c7

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
220KB

MD5
54441bb14069727d5820444888636b87

SHA1
df60476561cae42d3bbe5a51bafd1f4918be5e70

SHA256
66f8e7a1fdd5db2b5f473ffbf70c352abb9b16d74da30ca46a3b577375f1bbb1

SHA512
a5af8e77aff88f9e12b1548dc7a5adf26ee229dbbc4c53f037f02b4dcb062bc7a6d6164a7b846511b85389a641e822c92117487c5837251f3097909196c1204c

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
220KB

MD5
69f144ec1d47bed9c017288fa922b5db

SHA1
cce45d6cda1abd3aaacc028f0c888476b284147e

SHA256
2a710bb9819e2f5bc83fb572806df7ca7427661374bc54413da58b63a0b94322

SHA512
bb4d2face732502122fe9d6b58784a340f7e77877dace14ec3e316629b865c1db2d1bbd75e98ee98ad2975269bf1362a8f4eb74bfab03794c4034be83d7b7823

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
220KB

MD5
07a89b480d2a1460e1fad8ff3d237b47

SHA1
fa4dcf6dde4420292ad7c304099b72cfed9d3373

SHA256
9a79ac0449940fbfe9c51f4024baa705e0303fcd653ccbcf1aff3df38498f1b0

SHA512
41b303544ab0f27734880e9ec9d133ba9d51f282d3ca6695eff6c7d620f336ebe018119dc642788599ac46f78ff9395fec3bc836f4e92769f8b533dc58ac8961

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
220KB

MD5
db91b51b817f6fb79a93e10e96896048

SHA1
8db97be1b8e5f135bd6c3cde3094ee13037d0553

SHA256
9636e82566ebc0e856ed4d1da45438532e2e58c94c8a5f477a7ae449d1012d7c

SHA512
78dce5bf7715b74b1e435eedb4f07e943ca31bde2c257696e73c26297fc0ec31012273cf63f65d25fe5fd5103b4ebf8e124ef4c9841ac4203106ec009e2211bd

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
220KB

MD5
bd0cb35d3a5a4df8975746d39938bc05

SHA1
26e465597bb20624182ba43142d92303f08ddb17

SHA256
af5da47896f0b67e1fa2054096579c53e2c558ce5ec59a74b95ee779d4d76efa

SHA512
ee713ffb453f2a67178f113199a56378c51b3c49c6bfa9dda1be6ef2b81bb97bf0ea82a07c1cd72561d0c38cfe3f41b162020adda741f4d034544d85c81a736a

Download Submit
memory/216-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/216-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/316-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1020-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-636-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2692-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-652-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads