berbew | e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe
Size

288KB
MD5

dd46ae66d304cafb0e2c9d2bea1be1c0
SHA1

e6cee8d9649890a8d036f4904d07de4af4f67c79
SHA256

e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4
SHA512

5650de11d61d300653b262942d7b6a13aa5370c1038d5de1ebbc58d1d50f74bf4bed6a6422f3465c5042e4544933d6ba8f2952f34f27ac43e58df41c94248a89
SSDEEP

3072:idu7DCyZe/AB/Cn4ihUfX3ep7LDT1Yx07KlFYzqpCZSLMi5lQvuIbuzj1DukJFvL:gu7DNUIBZihUfe1Ll+wGXAF2PbgKLVN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
464	Npmagine.exe
2328	Olcbmj32.exe
4972	Oncofm32.exe
4408	Ofnckp32.exe
944	Oneklm32.exe
1468	Olkhmi32.exe
4280	Ocdqjceo.exe
1844	Ocgmpccl.exe
4652	Ojaelm32.exe
4416	Pjcbbmif.exe
2868	Pmannhhj.exe
2344	Pclgkb32.exe
1788	Pncgmkmj.exe
3252	Pmfhig32.exe
2444	Pfolbmje.exe
4308	Pdpmpdbd.exe
4704	Pfaigm32.exe
3984	Qmkadgpo.exe
3264	Qfcfml32.exe
1344	Qddfkd32.exe
2948	Anmjcieo.exe
1088	Acjclpcf.exe
1692	Anogiicl.exe
3488	Ambgef32.exe
4612	Aeiofcji.exe
5024	Amddjegd.exe
4492	Aqppkd32.exe
1260	Aeklkchg.exe
4696	Agjhgngj.exe
3700	Afmhck32.exe
1544	Andqdh32.exe
3220	Amgapeea.exe
4496	Aeniabfd.exe
2404	Acqimo32.exe
3020	Afoeiklb.exe
2688	Ajkaii32.exe
4216	Aminee32.exe
3768	Aadifclh.exe
1876	Accfbokl.exe
2200	Agoabn32.exe
1652	Bjmnoi32.exe
3856	Bmkjkd32.exe
2732	Bagflcje.exe
4052	Bcebhoii.exe
4528	Bfdodjhm.exe
2412	Bmngqdpj.exe
3916	Baicac32.exe
2568	Bchomn32.exe
4476	Bffkij32.exe
4868	Bnmcjg32.exe
4916	Bmpcfdmg.exe
4824	Beglgani.exe
4796	Bgehcmmm.exe
2472	Bfhhoi32.exe
4112	Bnpppgdj.exe
4908	Beihma32.exe
1320	Bclhhnca.exe
1608	Bfkedibe.exe
1620	Bnbmefbg.exe
5100	Bapiabak.exe
2096	Belebq32.exe
1016	Chjaol32.exe
4628	Cjinkg32.exe
2184	Cmgjgcgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Booogccm.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Mjbbkg32.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5316	5228	WerFault.exe	175

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Npmagine.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 464	2808	e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe	83
PID 2808 wrote to memory of 464	2808	e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe	83
PID 2808 wrote to memory of 464	2808	e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe	83
PID 464 wrote to memory of 2328	464	Npmagine.exe	84
PID 464 wrote to memory of 2328	464	Npmagine.exe	84
PID 464 wrote to memory of 2328	464	Npmagine.exe	84
PID 2328 wrote to memory of 4972	2328	Olcbmj32.exe	85
PID 2328 wrote to memory of 4972	2328	Olcbmj32.exe	85
PID 2328 wrote to memory of 4972	2328	Olcbmj32.exe	85
PID 4972 wrote to memory of 4408	4972	Oncofm32.exe	86
PID 4972 wrote to memory of 4408	4972	Oncofm32.exe	86
PID 4972 wrote to memory of 4408	4972	Oncofm32.exe	86
PID 4408 wrote to memory of 944	4408	Ofnckp32.exe	87
PID 4408 wrote to memory of 944	4408	Ofnckp32.exe	87
PID 4408 wrote to memory of 944	4408	Ofnckp32.exe	87
PID 944 wrote to memory of 1468	944	Oneklm32.exe	88
PID 944 wrote to memory of 1468	944	Oneklm32.exe	88
PID 944 wrote to memory of 1468	944	Oneklm32.exe	88
PID 1468 wrote to memory of 4280	1468	Olkhmi32.exe	89
PID 1468 wrote to memory of 4280	1468	Olkhmi32.exe	89
PID 1468 wrote to memory of 4280	1468	Olkhmi32.exe	89
PID 4280 wrote to memory of 1844	4280	Ocdqjceo.exe	90
PID 4280 wrote to memory of 1844	4280	Ocdqjceo.exe	90
PID 4280 wrote to memory of 1844	4280	Ocdqjceo.exe	90
PID 1844 wrote to memory of 4652	1844	Ocgmpccl.exe	91
PID 1844 wrote to memory of 4652	1844	Ocgmpccl.exe	91
PID 1844 wrote to memory of 4652	1844	Ocgmpccl.exe	91
PID 4652 wrote to memory of 4416	4652	Ojaelm32.exe	92
PID 4652 wrote to memory of 4416	4652	Ojaelm32.exe	92
PID 4652 wrote to memory of 4416	4652	Ojaelm32.exe	92
PID 4416 wrote to memory of 2868	4416	Pjcbbmif.exe	93
PID 4416 wrote to memory of 2868	4416	Pjcbbmif.exe	93
PID 4416 wrote to memory of 2868	4416	Pjcbbmif.exe	93
PID 2868 wrote to memory of 2344	2868	Pmannhhj.exe	94
PID 2868 wrote to memory of 2344	2868	Pmannhhj.exe	94
PID 2868 wrote to memory of 2344	2868	Pmannhhj.exe	94
PID 2344 wrote to memory of 1788	2344	Pclgkb32.exe	95
PID 2344 wrote to memory of 1788	2344	Pclgkb32.exe	95
PID 2344 wrote to memory of 1788	2344	Pclgkb32.exe	95
PID 1788 wrote to memory of 3252	1788	Pncgmkmj.exe	96
PID 1788 wrote to memory of 3252	1788	Pncgmkmj.exe	96
PID 1788 wrote to memory of 3252	1788	Pncgmkmj.exe	96
PID 3252 wrote to memory of 2444	3252	Pmfhig32.exe	97
PID 3252 wrote to memory of 2444	3252	Pmfhig32.exe	97
PID 3252 wrote to memory of 2444	3252	Pmfhig32.exe	97
PID 2444 wrote to memory of 4308	2444	Pfolbmje.exe	98
PID 2444 wrote to memory of 4308	2444	Pfolbmje.exe	98
PID 2444 wrote to memory of 4308	2444	Pfolbmje.exe	98
PID 4308 wrote to memory of 4704	4308	Pdpmpdbd.exe	99
PID 4308 wrote to memory of 4704	4308	Pdpmpdbd.exe	99
PID 4308 wrote to memory of 4704	4308	Pdpmpdbd.exe	99
PID 4704 wrote to memory of 3984	4704	Pfaigm32.exe	100
PID 4704 wrote to memory of 3984	4704	Pfaigm32.exe	100
PID 4704 wrote to memory of 3984	4704	Pfaigm32.exe	100
PID 3984 wrote to memory of 3264	3984	Qmkadgpo.exe	101
PID 3984 wrote to memory of 3264	3984	Qmkadgpo.exe	101
PID 3984 wrote to memory of 3264	3984	Qmkadgpo.exe	101
PID 3264 wrote to memory of 1344	3264	Qfcfml32.exe	102
PID 3264 wrote to memory of 1344	3264	Qfcfml32.exe	102
PID 3264 wrote to memory of 1344	3264	Qfcfml32.exe	102
PID 1344 wrote to memory of 2948	1344	Qddfkd32.exe	103
PID 1344 wrote to memory of 2948	1344	Qddfkd32.exe	103
PID 1344 wrote to memory of 2948	1344	Qddfkd32.exe	103
PID 2948 wrote to memory of 1088	2948	Anmjcieo.exe	104

C:\Users\Admin\AppData\Local\Temp\e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe
"C:\Users\Admin\AppData\Local\Temp\e209f7484cb5be2e8eeee6fd9d8d8bc6a076f2320b93172661560c1fdfd15ca4N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Npmagine.exe
  C:\Windows\system32\Npmagine.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Olcbmj32.exe
    C:\Windows\system32\Olcbmj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\Oncofm32.exe
      C:\Windows\system32\Oncofm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        29⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        54⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        86⤵
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        89⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 416
        95⤵
        Program crash
        
        PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5228 -ip 5228
1⤵
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
288KB

MD5
df540b5c0b10cd6515e709117efe7d1a

SHA1
4e4561491e4dedb8caa345c33f53a39ca86f4b5e

SHA256
1d2e59324e5b6ef80706f2d3ebde9b7d65bc75586e7efe30a3bfa9bc4406c413

SHA512
7bdeccb0b04ef70345d61997bf56b297c7bb06de56ca3fcdc27e2ce2f5d3b08d135547a64f333da8dd82c555b540da585a14033ecd2b3dd6934030a10843193d

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
288KB

MD5
e5ffe605addec2a6686470f5b4d73bc9

SHA1
a3a66cddc9af6a2deff7e7ea348760a2351081ec

SHA256
4bb792790b6ea900dc765c10903afb946d9878627faec76520ed63de69bcd5b6

SHA512
c6274780dbe702a0e4f16dc6ccb357b1e4b6ce375d3baac1df974908064c29a595f063a8a9986fe264408f0d3bd96cc09e74795cf4fdefa85c457d1728b2862a

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
288KB

MD5
1df18af9857c30c86b170e253541c972

SHA1
b10de96457273b64f17d2dcc8af4589af04d95ca

SHA256
d8ffd3ae84c1bc42e436a53c8b5042e412a832dcbc76b28c3f248f4a2ebc402c

SHA512
0ecac5c0b83e8919d3be5696d33d3a1abe384a54bced8002d41d92a46acf457d66880b94d4d40c2315abb45e0cc3bbee75fde01409296452a6b9814cc28e5024

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
288KB

MD5
5cf137f752f767fb4cf9381822715a0f

SHA1
b7e58addbce0452b55c2c7d7818e58041ffb2e2c

SHA256
2e71230c98284c7b503b6e66201750b07a86170ea08610393af556f9e2a7d02e

SHA512
4a3295bb503b70cb5166d5f93d050223988709a0ce2d1ca5fd797fd98bf6284a20338801e10277e115f88f62d556dc644df7493d245659c5484f0244558fddc5

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
288KB

MD5
7ba760cf4231171847ee7039b90b5f8e

SHA1
b5f29d9624362a609e7cf576af25bd8d28e9bc4c

SHA256
71ba85b9da7d3dd896304d784f994c1b60303089b7131c7396d863b4167d6fb9

SHA512
2892e49982efd349ed92ef7c2db8d74ace9c0a639bc70137168c959b7db4aeae89e5bd767d49867a0bb863d9fcd50aae45934891a65d5423c33a9f4262d5b72a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
288KB

MD5
0ea5b18ae6bac2145b54214689454eb1

SHA1
d5ec0f3e6a069da315bf8ec44800aabcaf9ed959

SHA256
8d778031cc12164dc504873f51cb60ff5dbab20be67295fc620ad7631f33be27

SHA512
725cd40c7f928a29b0f3a686c169aaff2d0edf4b12475a38fe69722df1a2746457e1f9b48df53c7df477cedc0d7123a047f6cf410c90fb3ce11f89f4224bb51e

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
288KB

MD5
adfc3fdb02ee26e4442e2df41968b26f

SHA1
ee610bdf33678eebcd28f311a50994b7a3894b62

SHA256
b90cbb5e769fe5efce5049f7052469f523c661065c91f5228774016978ebd1ff

SHA512
5c542ac1b32de8c981a5b833c3ae29037c8b5550acf6ac786930bd9b33d78647e291a7f8b31a49fa2347a0da8d96828bee0c468e7450c985340342aaaa787e8b

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
288KB

MD5
c4ce289d39c24eb1a8f5534d7818c702

SHA1
d57179d091d5e4d7b00e24cae776acd0b1ae9c21

SHA256
2019511bbea4573f5ce53ef085a069c9c5f393b47926d1d185b8c11d31483078

SHA512
d721e59911a944afbdf0c78dc71fa4258f7dd27f1badd5be69af6fd43f2a6565b974d47361d17016304fc3629cff3a60452f4de06cf7dbb77301be8f9a504d37

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
288KB

MD5
6081a0fd0224eb44036b0158171a4db8

SHA1
a75261fba9acddbe28ba495127ba7cc89b2a9af8

SHA256
ee4bc7823b98b6eab56580aff9a7a6e01db44df07892a88adb2b5b496ba377bf

SHA512
43c62a839432cc479fa429b9a7cdcaa4b2014b7f05ce61b949148ad08cb67cc52ad1055c92a63aaf8f150f44b3a85c24452f690481b1fc4a763c1475bbfed3b0

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
288KB

MD5
1ad8a160e92f278873f5ec1731ca32ff

SHA1
30e95c4174d01776867ebb6c61f3caa298ac7a86

SHA256
01af73a750c18598108b6c8b654b4b8201928817d8d509a18bfca85e77148f9a

SHA512
7959eb677d6e656ca3166da297d5943905b04d46f21bf56f3872b80b132214a73e0d338292cc7593d36303acecc1338dfcb0ca61cbe7bb36411ef0ce0e214c66

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
288KB

MD5
4809583624d43a358bd98cbc937d9580

SHA1
5715ca61116851c063546bf6f0a7bacd3ccfc586

SHA256
f82ca59a4ecbeeb642d6343f90aabbf561108cf6958e8fe17d35475e561a6d45

SHA512
85151dc2193d03ebba62ac4e2704a1186bac5d698077b7de1749cd90fff0e687a3100b388c58f750f072a0a140f09526b9d8a46d0366fca103390d94792e7b99

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
288KB

MD5
f5873811f0e4098e537d7c6c70f66952

SHA1
8a32f341cc5bf7ade75c004b760b74be8e4fb07a

SHA256
3107ac94458be4e45cc444f2a35e1a591a73f5c30eed28d2d2f495e32beb80a0

SHA512
a5dbba927628c7fecf10b3e6417782039d303740c14878817b59460ca32c2efa728970d65d839c5a2d13c3a1fdb7fc28a839b71d60354441fbc32daaac50c307

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
288KB

MD5
2508aa8cfc1b9aa2129c4c20af3fcb8b

SHA1
726ea962457025e93a4b3b5ac8ba764771a090b0

SHA256
1784bdf147d4f86acc2a85a1b966a0c76af1a0fedc2e5841433b4fa7fe82abdf

SHA512
13c55b9066346e9a9e181a7180019f196dab1fdaf956410070b659ccbbed72c09a644fe7bcbbfc7dd11393381e4d8a0253f4c0007a8a4061835968cc9d1168e7

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
288KB

MD5
717ce003d698273f18eaadd30d4eb376

SHA1
3e9892ab454b3cec95236f195fa41d0e1a4eaba4

SHA256
4c027155ae34c9d6ddaecbf345afd742994e8302ba5a5acd349c6beaf7efcc14

SHA512
6832e66f1d5d6d2edabae8160a02c880c67ce928ec5020729e87c39f040acc13a6560ad3c21b8f612443fb39b2dcf7767cca4b513233003c4b8d7732c74f00d1

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
288KB

MD5
edb72a740d8530eb421ac524b275098a

SHA1
3929bd37008c93b8c9eb1dead764818b7c1f3121

SHA256
fc59d9597f59781865aea2f2539ab56a231b9fd0769d15bb8a7387c2ca4780d8

SHA512
ef60aded5208d0a15cd57bb22f0aa90b41f30b71495f1f99167fe09dad638db53b91505a113c0243a2a978e4b1ea2f1cdd7275ea893dc5fceb7db123e0cd2c31

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
288KB

MD5
f3eb07ca6ea52938e4459a443fcf79dd

SHA1
9a36e91adb79cc354f081cc501b09381836934cc

SHA256
b0b2ba34c3b4dcaaf8f6bcf98d48205c76090870b0fd2418d26cb3d9a8e52241

SHA512
a2c1fff87b1df85b851eb318b4eb39dd50de7298d6d31e35075db2b430c6bfcc19819e8db4702f46a253a43c8f9003a7a9220a3c97964d0edb62a5de5a9344e1

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
288KB

MD5
e576ce67329c97c596b92622668aab92

SHA1
661220c85b3c30e726b93e9e0127e3c63487b409

SHA256
c8109a16fc2a3666132e42a5bcf73e0d174ec2c911484a56c3bf2527acff47a7

SHA512
a7f429880f81867c697ee44f98d97e0731997f3b2438bd947f8b20131302972e70263a0c957c7489d5e8538ce308f62ae24a5f27e9df8d853f0f11b4dfadaae9

Download Submit
C:\Windows\SysWOW64\Ladjgikj.dll

Filesize
7KB

MD5
8e880268a16b0e08dbd6c90d0d2bd656

SHA1
cb6a56663555a02ab3adbd1820a82e643be46565

SHA256
d1be09f5e199e6fedd148f0ba5ae1f383c65bf181a6c83758346ffe5c94d6203

SHA512
246c2eefd7b1b5f1a94b8edb3954b92c9c0aa985e1ae49f1785c137867e2a876a2e9ccb673987933a3953d91da871070b993d8de0b55cfbc26d6ba83d1dcc9b3

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
288KB

MD5
674f5518adf4fefbac24c1939c2e2e6e

SHA1
8a5a7d48d00ab5b862546de2c45ab540d147657c

SHA256
854fd5f79b626208270867d6dc7e2bd88390fc1c928035d2e13f0258a77baf79

SHA512
2840a3296757660c469d8005ade4acbf0892848f00fb3642d04f06014821c5be6b164ae77fc392250e38a929c4d7f0fc92651a2c1e5838ead922379eecf8917f

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
288KB

MD5
89dba5f3c8214a9538a01af5565329a7

SHA1
763782bcbf38a3a1f83021a7edc5b3330a6c37ff

SHA256
2711d0b2bd2027df2349a3495ede859e8ed08729a985f435904d7210d0162c5c

SHA512
3b7c824d7cc7a340a72eccd4d6c85ce242f683f46c12b46a56d22a5fdb0b8ea4d73eec69a3ce191b02424c8d38ced9da2257cf276846d23bc8b9ff8701abfce3

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
288KB

MD5
f7ba72ed13fceec8d3cc91867ed0fc5d

SHA1
0a9ec49a5bcb2f230da95a156a45d3e92728e191

SHA256
99b9fdfc610855a5058f82eb033635090aa3487bccaf924b334ff81f6667cbd8

SHA512
411e8a7ab3ed923efba16d02428a15dc7a3700a2ebaf1c10aac2ad3eafa1cbd769ea84219b56832cddc20868cd0ba347ffb13e11d6fa3b3a0f3cce7dce2ff970

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
288KB

MD5
78a58f96cdfeaab5fc94914995b2637c

SHA1
adb2f4df2618cfb052d6eede411f0a61ff47bfce

SHA256
5fad4db6135c4c73d59cbad322a81f9f33bc9d6a9938e7eb0f861b151b2c0df4

SHA512
8a46802549785f082b6296abe308ae5d52eb34c878b33c79436ebc09abdb007a513acad27e7faa75a143f6542e6a58fe898fc6ad7ecd06654834d939a1a8ad33

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
288KB

MD5
4edf78a15a8b501d8ae4cee4d413d3ed

SHA1
8d6804fadbe72c5d7e7c2f7f27fba7703c47984c

SHA256
f722f741cdc0247693ae5e376748c735386c294a50c5075631856681d7d5a310

SHA512
23f8fbd03a981d0d71a0b6adf8739f381c97fbc32117257c7cec8e3572ae2fe108891732328c07d95c756eae63286a53362a6eb4ebeb6f35120a804c4cf849a9

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
288KB

MD5
a598a875e950a5ea0a987475bd83d06f

SHA1
50adbac24ba32e4af8e623136b676bac416ba69d

SHA256
91f087084197fb60e01f0fb2feca4d9b6c45745ced9d8704b6450a7808eb3352

SHA512
7cdcce5ffb761cd920f60e04a30bbdc9d531b2ae1788a7e7d05908262a0d1cb6119dc072ab71dabc640e7520ebc5568708a6a1dce95d6c78cd69a463d097d2c8

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
288KB

MD5
f22cb2b5b858ae52f8aeda59587cfdcb

SHA1
89fad9e1db9f087ee74b6895b626a0d77bec96d6

SHA256
10973c37259cc1f2b941a3e581547370bd461ed559c4e2593de4c26829bd091a

SHA512
38b72d1a67b111891143ac3a5c075c8303c3763651226288def8f103ee2dda2678a7b287578b18ca931052226f10294aefd04564d6316834a6b3e9b365172d68

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
288KB

MD5
3ecd7109690fc54c1e4717cd7a2ad527

SHA1
c712d11767ffec2e81b6ff5c3ef6e1f62e682a8d

SHA256
daf9a59f7eee84de18fd37f8ba97acaa0008272b8a342d05acd670ae1f2caeba

SHA512
abeac718970f2b8ee338a7f30ba1e3e8b1d9cbc3436bff9af322752e97e3d8dc90111db1307fd9aecc30c418cf242c580febe291a7d450ca88a3c9ee8f068671

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
288KB

MD5
6f28abcca325c58540c42a546248b69a

SHA1
c07478b131a47a47e286f57f2aa1e5ea0ab3f8fd

SHA256
9a1b05579965af75f490dc6ca067e2ebcd41241cea69ab244136e28f1692d177

SHA512
063958eb85ac7a44fec9da098c262f1764da4522c7511bd61d04aa3957cdb6cdaa13d12125e0d80d60d5b76922d1bd95ef2efbd525b8df9123fab15c8b0446e1

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
288KB

MD5
223cac7d18accdbf44617cd85afd8f27

SHA1
6b3dee3bdde8589e0c859ab3fb4e4f42e2ffe96a

SHA256
4ced9a60972f003985f048f71eda5e0116f6dd3eab9ee8d09289c98f0f981d71

SHA512
eb754abd7b6400dd0c4b7a6b216f78edf422c33922e79b444a808689fb739fa6c76a348735152f5e0f5b1cf6f44d92fbfc437e0ddc56708eb643cbccbac16a14

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
288KB

MD5
0b1fcbb85c53c9f9efa24acf467fd9bd

SHA1
16a2876b86d72bad56bdb4abd9681f5a249a079f

SHA256
f1d6f65c8fa5321aaf98b2b0a0d7eeb33125867a2dad0570353094d78aaa0e1a

SHA512
d7e061dec4fac570b7f54060c4980fbbff10013af62da651159eb81b4479b67d0b12a36b52d18e6665b09bbc2625fc99bf53460757fbd152b64b5e857e67890c

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
288KB

MD5
fee010b16f75bae42935b118c0c433ae

SHA1
d96ceb7b368e3e97e9df1c140dd223f6b9e8fa93

SHA256
0c35f675b287d2789676ea6de697533bccb9ad11280b6357dc041e278d414769

SHA512
3ede2eb85b0d2ad966216a6c5b768e4f4b3b52597935a71c705955b9b720dd55ab34f327491f623ceec58a08fc35838e1838aa6a16954c22fb2cdf49c10f5131

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
288KB

MD5
dfff9ac7f2a3557bed5f836e747ce1eb

SHA1
c0a3f9de86fe553ea0b32884793e5c8eabd07c46

SHA256
c2838e7d42b4dd9eb3650f4fd464159b9d007f2453753ae1d0b19f8236ff16bf

SHA512
c1353ec849877f9f2d685516cc49366fb2bcf13cd6951232d5e2d86f2cdd4465318ac0e0bb1e2c97b639a18572a03a75bef6dd13e55bc2c5426c19c76d6f3fd9

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
288KB

MD5
85a5ce75569ecbeab1366008e53d9cef

SHA1
286847a014326c3db65a85762c00294bd6f9dd9b

SHA256
9bddd34c1b08687b9436a215b652e69ab59433fad1f5957a0d6dd01944b666a4

SHA512
20fcb29134a90d74a90d6f1642703aed684e4648948b0d9fa3f2aecf4b349c7d078972e33dc43956a1e55f3aa46c748833b88293da9c080172109f8580d88502

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
288KB

MD5
4ca7c038341f817d0b79800661c0e324

SHA1
d2c6f533ba185345448efd6aff5e413f8ec9f9ce

SHA256
4aad7c65c74076382c19e6c420ce4ab6e34021ec5d0370e1bb16d7c39ebb7315

SHA512
9aa98e10e8f16799f4fbe318fef0303e1ac9436ba8b3c4432de188d46f5ba9ff427d053039494f68c881163c33ffa5a7f58009cb7a639611b5ff4b36fd217c7e

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
288KB

MD5
47b382480ef7ab898c15e69e4bd6ac41

SHA1
94c8d850d555170987aa2c89c1ad35a536b8bfea

SHA256
135d4a90998cdc253080f14214485ab47e7b40f664ecdcb430553c0c4e96c5e6

SHA512
2e7ec91d5024b7b8dfc229def63a4255061ec6ad30301e3f395c9d4f03551b8d6f50274e9d0ce5328a67b115293347870c72b5f6cb72da9f60b78946f3629916

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
288KB

MD5
a7bfa0851db4fa8100e538373866e5f3

SHA1
f6968e8430ba910ad49e34c177a04e64e60c9a4e

SHA256
a02828b0a6cf46a2208e1250147dec2992bb2165259b0fca0b4c3644007ee075

SHA512
50e9636379d46f8ef723ea6649ef2912860a840837c1f37c0b6b9f6e249de73dedbd38957d676fe2184bf618f9c5a4ec6ad7477de33a06198505c02eac77766b

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
288KB

MD5
3298c2e5f5eed221f90b63eb0583e3e3

SHA1
490140a56cf89614f28531be5321d6dd30526b27

SHA256
f2f94785f7c15f684160e469fe2c336ce72102354ad134cf9a732b5fa516793d

SHA512
5da160ab751b7084a8207e1b2ac03e710bd125bd8e6fca8f2a7ec8a6f8d8199d3513b8fcee81934a20fd884ae03435023ffcb4f9b7d361465065a65676dc8ecf

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
288KB

MD5
df67ef446793394103b6c231dd8fc133

SHA1
c6b6c8a5232c4961d550755226111a98f51676b2

SHA256
d2c2bbd662cd27ea01043f9a85c2e8d634c172e34b4be1b28f5ea09b4f6e4392

SHA512
d800dda56eab4a4bfccc017233a95ad3d9e7cfd08d188ebb93fda6fcd5cb678ade36aa76b6adde5b2cefd784ec5e0c37818918efcc759528c5d07df8bd392852

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
288KB

MD5
29a40bd5b499a989024b88b1b14bd8ab

SHA1
b117b4f0fd2fc5b66572a19baa5ed046129e08e5

SHA256
be36955827e90527aad6c26b5c047eb47756cade4b4771a812c233a3d51b12eb

SHA512
6fdf5c0466ea115cb62ecce705e805aa99b528b9e54ca094fc369df8b3bc88ab81411cf65774bf7b19596a38ff194288021254c23e2650c606b95567a347373a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
288KB

MD5
b863b8370023d7d199da751a03f9d205

SHA1
86822eaa0a48593ba49c174882652b394b243316

SHA256
0254efe5e003fcdb036bc945dec070cb820dd85b35433ba3ef3ed53b2fcd2751

SHA512
3ce38b7ee32668cd2a998681ee5a0e6a4d72efcff0099a943d560fadb114bd06d9b62e4a86e7e2363020d466db86dc7d6c6e35abec03034b114d6f1565c1a97d

Download Submit
memory/116-628-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/464-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/464-536-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/904-630-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/944-569-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/944-39-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/960-632-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/960-558-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/972-499-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1088-176-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1168-493-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1244-531-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1260-227-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1320-403-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1324-551-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1324-634-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1344-160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1468-574-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1468-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1544-252-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1652-312-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1692-184-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1740-463-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1788-103-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1804-623-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1844-604-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1844-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1876-301-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1996-487-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2016-469-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2032-636-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2032-544-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2072-537-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2096-425-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2200-307-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-543-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2328-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2344-96-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2404-272-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2412-343-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2444-120-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2568-355-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2596-517-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2688-284-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2732-325-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2808-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2808-529-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2808-799-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2868-88-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2948-167-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2952-457-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3020-278-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3152-451-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3220-260-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3252-112-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3264-152-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3484-523-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3488-192-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3516-601-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3516-621-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3700-244-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3856-319-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3916-349-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3984-144-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4052-331-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4092-600-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4216-290-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4280-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4280-602-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4296-515-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4308-128-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4408-557-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4408-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4416-84-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4416-613-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4492-220-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4496-265-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4528-337-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4612-200-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-611-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4652-72-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4696-235-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4704-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4824-377-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4828-475-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4840-505-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4868-366-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4972-550-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4972-23-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4996-625-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5060-481-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5100-419-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5132-619-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5180-617-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5180-605-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5228-612-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5228-615-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads