berbew | edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
Size

63KB
MD5

c4dfb8b703271b2b012da7f9d71846aa
SHA1

256892a1c7c03c561830a10f2ea1f2c02cccfc7d
SHA256

edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989
SHA512

e0a0134367c5a0435cb99935f97ca0c8fe793100c6b8121c9b80aef412e204aab088034d7c4318ad2a9e409df8955371c4512f798f75c53b420720d178ae7606
SSDEEP

1536:COcEGNe8DpXocnAZHHaAxZ6dQffSNH1juIZo:6E+ercnAZHHXZwNH1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3312	Ocdqjceo.exe
4792	Ojoign32.exe
1052	Olmeci32.exe
3604	Ocgmpccl.exe
2840	Ofeilobp.exe
1156	Pmoahijl.exe
1936	Pcijeb32.exe
4336	Pgefeajb.exe
4584	Pnonbk32.exe
2196	Pdifoehl.exe
3944	Pjeoglgc.exe
2104	Pgioqq32.exe
3116	Pjhlml32.exe
2092	Pqbdjfln.exe
5060	Pgllfp32.exe
5036	Pjjhbl32.exe
2944	Pqdqof32.exe
716	Pgnilpah.exe
428	Pjmehkqk.exe
2384	Qqfmde32.exe
2636	Qceiaa32.exe
4204	Qjoankoi.exe
3160	Qmmnjfnl.exe
4640	Qddfkd32.exe
2264	Qffbbldm.exe
456	Ampkof32.exe
448	Acjclpcf.exe
3420	Afhohlbj.exe
4192	Anogiicl.exe
2292	Aqncedbp.exe
1640	Aclpap32.exe
4368	Afjlnk32.exe
4864	Amddjegd.exe
208	Aeklkchg.exe
2096	Agjhgngj.exe
1684	Afmhck32.exe
5032	Amgapeea.exe
4356	Aeniabfd.exe
3092	Acqimo32.exe
4216	Afoeiklb.exe
4188	Anfmjhmd.exe
1216	Aminee32.exe
1180	Aepefb32.exe
184	Agoabn32.exe
3932	Bnhjohkb.exe
2580	Bganhm32.exe
400	Bnkgeg32.exe
4556	Bchomn32.exe
468	Bffkij32.exe
2240	Bmpcfdmg.exe
2932	Balpgb32.exe
1932	Bcjlcn32.exe
2268	Bjddphlq.exe
524	Bmbplc32.exe
920	Beihma32.exe
60	Bfkedibe.exe
796	Bnbmefbg.exe
4108	Belebq32.exe
4600	Bcoenmao.exe
2860	Cjinkg32.exe
2340	Cmgjgcgo.exe
4872	Cnffqf32.exe
4928	Cmiflbel.exe
1896	Ceqnmpfo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1476	2008	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3312	4212	edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe	82
PID 4212 wrote to memory of 3312	4212	edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe	82
PID 4212 wrote to memory of 3312	4212	edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe	82
PID 3312 wrote to memory of 4792	3312	Ocdqjceo.exe	83
PID 3312 wrote to memory of 4792	3312	Ocdqjceo.exe	83
PID 3312 wrote to memory of 4792	3312	Ocdqjceo.exe	83
PID 4792 wrote to memory of 1052	4792	Ojoign32.exe	84
PID 4792 wrote to memory of 1052	4792	Ojoign32.exe	84
PID 4792 wrote to memory of 1052	4792	Ojoign32.exe	84
PID 1052 wrote to memory of 3604	1052	Olmeci32.exe	85
PID 1052 wrote to memory of 3604	1052	Olmeci32.exe	85
PID 1052 wrote to memory of 3604	1052	Olmeci32.exe	85
PID 3604 wrote to memory of 2840	3604	Ocgmpccl.exe	86
PID 3604 wrote to memory of 2840	3604	Ocgmpccl.exe	86
PID 3604 wrote to memory of 2840	3604	Ocgmpccl.exe	86
PID 2840 wrote to memory of 1156	2840	Ofeilobp.exe	87
PID 2840 wrote to memory of 1156	2840	Ofeilobp.exe	87
PID 2840 wrote to memory of 1156	2840	Ofeilobp.exe	87
PID 1156 wrote to memory of 1936	1156	Pmoahijl.exe	88
PID 1156 wrote to memory of 1936	1156	Pmoahijl.exe	88
PID 1156 wrote to memory of 1936	1156	Pmoahijl.exe	88
PID 1936 wrote to memory of 4336	1936	Pcijeb32.exe	89
PID 1936 wrote to memory of 4336	1936	Pcijeb32.exe	89
PID 1936 wrote to memory of 4336	1936	Pcijeb32.exe	89
PID 4336 wrote to memory of 4584	4336	Pgefeajb.exe	90
PID 4336 wrote to memory of 4584	4336	Pgefeajb.exe	90
PID 4336 wrote to memory of 4584	4336	Pgefeajb.exe	90
PID 4584 wrote to memory of 2196	4584	Pnonbk32.exe	91
PID 4584 wrote to memory of 2196	4584	Pnonbk32.exe	91
PID 4584 wrote to memory of 2196	4584	Pnonbk32.exe	91
PID 2196 wrote to memory of 3944	2196	Pdifoehl.exe	92
PID 2196 wrote to memory of 3944	2196	Pdifoehl.exe	92
PID 2196 wrote to memory of 3944	2196	Pdifoehl.exe	92
PID 3944 wrote to memory of 2104	3944	Pjeoglgc.exe	93
PID 3944 wrote to memory of 2104	3944	Pjeoglgc.exe	93
PID 3944 wrote to memory of 2104	3944	Pjeoglgc.exe	93
PID 2104 wrote to memory of 3116	2104	Pgioqq32.exe	94
PID 2104 wrote to memory of 3116	2104	Pgioqq32.exe	94
PID 2104 wrote to memory of 3116	2104	Pgioqq32.exe	94
PID 3116 wrote to memory of 2092	3116	Pjhlml32.exe	95
PID 3116 wrote to memory of 2092	3116	Pjhlml32.exe	95
PID 3116 wrote to memory of 2092	3116	Pjhlml32.exe	95
PID 2092 wrote to memory of 5060	2092	Pqbdjfln.exe	96
PID 2092 wrote to memory of 5060	2092	Pqbdjfln.exe	96
PID 2092 wrote to memory of 5060	2092	Pqbdjfln.exe	96
PID 5060 wrote to memory of 5036	5060	Pgllfp32.exe	97
PID 5060 wrote to memory of 5036	5060	Pgllfp32.exe	97
PID 5060 wrote to memory of 5036	5060	Pgllfp32.exe	97
PID 5036 wrote to memory of 2944	5036	Pjjhbl32.exe	98
PID 5036 wrote to memory of 2944	5036	Pjjhbl32.exe	98
PID 5036 wrote to memory of 2944	5036	Pjjhbl32.exe	98
PID 2944 wrote to memory of 716	2944	Pqdqof32.exe	99
PID 2944 wrote to memory of 716	2944	Pqdqof32.exe	99
PID 2944 wrote to memory of 716	2944	Pqdqof32.exe	99
PID 716 wrote to memory of 428	716	Pgnilpah.exe	100
PID 716 wrote to memory of 428	716	Pgnilpah.exe	100
PID 716 wrote to memory of 428	716	Pgnilpah.exe	100
PID 428 wrote to memory of 2384	428	Pjmehkqk.exe	101
PID 428 wrote to memory of 2384	428	Pjmehkqk.exe	101
PID 428 wrote to memory of 2384	428	Pjmehkqk.exe	101
PID 2384 wrote to memory of 2636	2384	Qqfmde32.exe	102
PID 2384 wrote to memory of 2636	2384	Qqfmde32.exe	102
PID 2384 wrote to memory of 2636	2384	Qqfmde32.exe	102
PID 2636 wrote to memory of 4204	2636	Qceiaa32.exe	103

C:\Users\Admin\AppData\Local\Temp\edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe
"C:\Users\Admin\AppData\Local\Temp\edbe25ebc1a88ba8233a9fca22aff1de4210f85481290ee71774a3afb64ee989.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\Ocdqjceo.exe
  C:\Windows\system32\Ocdqjceo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\Ojoign32.exe
    C:\Windows\system32\Ojoign32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Olmeci32.exe
      C:\Windows\system32\Olmeci32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        39⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1136
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3860
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 216
        90⤵
        Program crash
        
        PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2008 -ip 2008
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
63KB

MD5
0b3201057bc4d57feb587cf7fb4e282a

SHA1
eab462da86bf2b5a908e1ff01f327734346c0cbf

SHA256
99eee9f09b2e579a8c0a0cfdde718dcac56ddfb0df220fbd6f2a3b12bdea6424

SHA512
ba1f504c60786c6f8622d73e5a9fcf543e405095abf0c7573d5b6dfe92dc622b83be6cd89308e6403d756c0f4238c1357e9e337156463b11f6312588cee3cb0c

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
63KB

MD5
118934f9ce2a28a5058281b3305154b7

SHA1
62c9dba0ca20634db70007ece22f1deef5631932

SHA256
b8769411aa162ee981d20ab40b548df742e696939a4c7046de6e133697613740

SHA512
ca96a9a999413e77ec620933332dfa2f37d83d6f5239a67b7d1630d39997eb3e5483682d57ee035caefe95a453df0e2d159ce789f6f255d030a2afa956ad078f

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
63KB

MD5
2c6c8ddcb5e1a195df119a4a6631362c

SHA1
a64f36c86ec43664e0069f102642104338f88591

SHA256
60848ad9315006583d4954c810a68a8389ea5d7bb46fa8d37c6ee122ec6c20a4

SHA512
e93c936d6bf60297745c958bd80b50e7d9451c021cce6f5fa84424bfded16227ca80cf5a502c90c8804ec427b0a841b8fc54e2383539e89a87717b6dff33342a

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
63KB

MD5
5b1576c7f26dd7185d7fb3594651d27d

SHA1
ba6989be00e1d662b5c791bd315da836ee6bf13a

SHA256
195fcb5de234104c46ccc275d7a89ff6e4369b50c655c430bbe47474ca00a328

SHA512
28bfb565887293846519979bbd5f01a0db9b5d5630de48c7ee4b9671f06d61cf4d1bcf4d29b58f56f407b85a87fca0f0c9a32e6d15933c62ab089bf519a3c89c

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
63KB

MD5
5c255590dbb4fbddef60438c4d05001d

SHA1
559b4cd495c1850b7d675c07dc737be0d9d4c486

SHA256
4eafde857997c41f2cbe6e4a6187aa50dadd2420532bb402deb45ea6836d902b

SHA512
29827328012fdaf838454b516deac6e25403df029d28ab3c727945f66b2f8a544bb0d139c947c66a92e82fefb037adff1c591110ddb2eefb182cd3ef136aac45

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
63KB

MD5
a5d3b85bf566c0991b04b374e6a7fb9e

SHA1
fc7f9497ab0ec5fb075d44fa000379e0d21f1bc7

SHA256
2183868ffd78e780e2f70252d8b01cd249b1cb89a60d02fbe1d9135b60c20077

SHA512
997bc036bb50e1cefb865993aec10da80956f08a4a0d9cf0d5671dc5bbe7117ac7203eb094f5fea8bdb145eb56c383aeb225254ee611e1ffe98f27e8e32a4c66

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
63KB

MD5
e0a126e56d6c4652a1b844b8190fb96e

SHA1
a5f744aa4a161890e57c3c8fb30393f0ea3c2385

SHA256
80555c163abec3cd1def6feff0e01c199a2bde6766d52a5617347ce85188f1ee

SHA512
c645165c0e1fb5a032d96d9078d8b5dd57e8820f3db24260fc8b1c598362ae0d83194f1df5659c0a4dfdd15952abd53a030a7cbb5fa8db6c8df23466ed76e95a

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
63KB

MD5
1236537238e74b42da9195f81386a38d

SHA1
cd9d8ea6549a5680d3251ba9f3e263baae266af3

SHA256
b579eba565caaa434d557df704c406a6c4f014c57084e180cf994e36a6c0d416

SHA512
c74233a8427d67a4f736370062cf937cc6f389e756021fa96d04d0603907c0e60cd584e6454ff3693a3d2b6008ad89074b8c3e6cd58ebca1a79ee6fe86ea7fc4

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
63KB

MD5
4ab1a13191073f6b0c9f1fd2dee0e235

SHA1
4ee88e1209430d0918fdd19f97a36081152a85f5

SHA256
1731a4012206edd06958954a871bb67fde2aef90d242846d02ae75e57a1c8372

SHA512
075c8ef405111d106e57049d331c52093d340fac87515eaadfed557ae13109041a220646e0970450673ecd2a77d2fee6be4b7a82859a6d7fc6473f606a5abf19

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
63KB

MD5
4df4dc9cb53ce4b13ad1bc35313ef01c

SHA1
6849b5a832af509156792dd081d0ede87fac3fb5

SHA256
e75a07b5d935ddf88a46025983e3693808b3d66b4516d3806a93bbcad00b8eac

SHA512
a2d0559f7344921554439ddd143ad8835332d44212e0a792ecaad7722f532b75d2834a5f0f27f208586d47f510f8e4a7042273b44350ef3d27014abf406b44a0

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
63KB

MD5
8d4743630ce7e3ffb4cd30e2b6dff8d5

SHA1
4aacd413a2b9452f2db7307a7a5d8062529dc3a6

SHA256
90f2a3921451c9afb7aa784e163ff54bc65b47ea6c1c4fab803a0836ab33a840

SHA512
290408d866fa1061bfa76e9edba0348eec350a889df7dbca476aceabf0abfc267e5ca38249e6cf2f7516b18f145f2c4f34e3fcb4caa12d85cc2a2f7ee88e40c3

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
63KB

MD5
093a2e898978b17126ca4ed61dd683f1

SHA1
bb1324e2ed6124d562953668ccae28881e5fdd66

SHA256
9a25d7b632d325148e51188ff41d06f813df33ac318938bf4071b2ff132f2047

SHA512
01483012ced2a6c4f3480f102fccb577214f0b89e07ba8280bf90586ed87831b2886f5b65db67730db72d7c9dc6a0dfbfe154f95b4e0c0ecd8f529d23c9a0871

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
63KB

MD5
e08bc69c6859e3d4a817c3ff92e59be2

SHA1
9f04e9e9ce08bffae8764b19072098e121d9b665

SHA256
2e070ca6f26b6767d6f155978966197f4760fd13122c5fe64b91843dd999b277

SHA512
4d2a8fc44a7eeb8a56385da9ad8256522f6e1dac880189c8b1a236f647da0811c6e470f3ee250f73f2114ca92e56117c1ce64ceb4ed15e04dd09467844110a61

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
63KB

MD5
cfca6061624c6de4ecd9ec8f7507cdf7

SHA1
4123a894179d323518502a0f46a8611eb1fc3475

SHA256
e98134deba0b49f49b50be8b0556dddd67e99d240d3109d7638b38e6993d3bea

SHA512
d6c1a293c3e4db90ff62f9274442f84ae2d621e5c527c06810771de87e4f86c6e383e438671d6d5be5cd88a771c8ce6ad1d2725567f73ec3a36a6ae171338669

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
63KB

MD5
c4112b2c5e9a11516a599c89e32b5f6c

SHA1
f86094f977a286a6424da7bfab5d584635f7f968

SHA256
708251bacac5a18cee443adf41bda00ae04e550f03464f3883a5864d79dd1645

SHA512
0eab7e6433d38ff2af44cba70cdbb00f3a28c2c8ef830bc692e0f3084cee6a9af16c52a2c6dcafefcb52078652a5cb8f834624efaf55515db5d3c1cc7eba676d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
63KB

MD5
bb9082c4dbb6c44e7a8aa290c81d3d22

SHA1
fcdf22127d22eb8552413046f8bd7afdd9aaea1a

SHA256
347eab846898b1df6da28e95c2c27dc007e62d343f3697cac9d9755c312e7b1f

SHA512
6e33c7f01ddf534d947cbab00ebd5307e246f65fdf116a8db460264fa177bfa6582763543ff26d1a10b194456fcae307dbcb143e9247ce3db54e46a49ab21a41

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
63KB

MD5
17d530521e83b9181300e62d85e475a7

SHA1
fa4df602d8877b88bac1f52f5c8e21da937c56fc

SHA256
f004a85bf61982cb243860c3024ff674d94473daded8f74c8e4ee883ad18d689

SHA512
4fd6600e7ecd57e5987c1c9a56c21c6eb36e4649765020b8a7334f7ed23bf786b7e2d86e573c7a78bf71a21704f2a92cf7c34595048d6852bdfc01f05909fac0

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
63KB

MD5
c072048b54bb4653ec9ce038ab75f828

SHA1
5f6fe42ae597a01c826e92b7bf685276a6de8603

SHA256
f13e505a44c16f68ae201a54c1ff67f60a46127cbf5f87b9e162f8006c67c7ed

SHA512
e75c3597824940cbbc09892d4cd39aeccdcdd10ea0f626133537caa5067e29944624de0e31dd1677416fbd3cd9fc0a45cab6ab1ec53784da08e365f68c0b1e18

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
63KB

MD5
4e965c7c67288846664a2bd0bde91fcf

SHA1
7e2670a3cfa6a5a25894e8546a7d6fd7bcd948a4

SHA256
50161b6df08fd0ab9054cf72cbbf9f0d2afe603a1641e05e99a1fe16557d51a5

SHA512
b5762095345bf6dba95bf212e116537973cc17845e634838e4b5fa60c456fc5f6088f3844a2b591057cca5de34925c6774ce0f831b8aec58d4c87fc82a9decdd

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
63KB

MD5
385e6ce618011cec0762d97157245b20

SHA1
9f2eadb0b380a462ec2bcf6fa0cdc03e1a09bfb9

SHA256
ec77262695b41bbb9cf668657727abf5a184496819bdc79123fe72c5c6f823ae

SHA512
53f6734a6c7d2dbc804465ae567a710e9b0d9a78f90a6c17da33beac8fde26e5ddf2f1b611ee789b13f292c7356f115eec1838be5ebe5e13355655955e7d897b

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
63KB

MD5
85a0be644493a54dd96c980233c58969

SHA1
718b37857725f16f1696e7a7f1ecc0e40ec02284

SHA256
57b547b186ef6d885bb3bd8e41f8864d00426d582d2f1591c0476d74566a5c4a

SHA512
68a5830d4592de0e46a40931b502929298aa65b1abedbf0d2c6021512ebae9604c80cb687cc6653d4ba6e083299316760298198b52cfff7d49ab0df1350b1333

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
63KB

MD5
fa7c0a5e81993bcab08667c09369cf82

SHA1
dd5ffe01621a7fe3f9f4f45361811a85a2cdd64a

SHA256
46eff2da21de6ab43cc73cf031a99a9f81682e784009219a4e10feedfc7e1a40

SHA512
def4511460e941e6d53b41299f4f9cd0d853abb3f6d4c951c2813c60249f58387bd770f1a27f8cfb6ade40362209398efff1f6231fead460508f4ded47038d01

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
63KB

MD5
598e9ac408bb32f9669afb4090f2cf93

SHA1
31ac16c016fecd429aa57fde1e38faa2f373895b

SHA256
940bd6815662d39d710d30c87a38f53e0d57d729cdf40a08122a872fdca8adcf

SHA512
8392e07f5577238fbc7c3ec690c6f79a958143a281dfbae6f43702feb73b341d325b822a9b8c423a0a03cd20e4520c72f3d4f2033afd97a04ddc24983c127004

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
63KB

MD5
b76d057592f2d96a05dd51ee981b1516

SHA1
617a26319366be92ff3af45005833dc88c243e6b

SHA256
4a1446d89ed289437c45364724358f816ba217847304db15caadb893112ca8fc

SHA512
f6bcf85f05ed5270a5fb842aa13bd7022357afb71025253ced741cd6ab683c39b473d55ef68ff474026764425ccc2d579f1d80215ad70067e5d0ca131fd34c82

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
63KB

MD5
f1062d0c38f15dc362eeea78071a623a

SHA1
d24b134bb5683c098fa00f9b7cea7bbbeb08da08

SHA256
34efc2242fd92ed7d6169eec802828b1344579f3703db489f7c8dfc6342ea421

SHA512
d7d5ad9507a6dddba026fce8a4bc4353ba4b1d2a1c76764a841924e2ac3566f7921326a7d969e68a8c251df89a4c6a05ad58f9cea044162b23cd9104114c9a3c

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
63KB

MD5
face4cae6fbf8d05bf8ca2d5d256606f

SHA1
4f6141472f71041daf56397b09bc8d8ff6cec545

SHA256
396c318367158c103252931add5098528f2aa1ea8aa2bbadf865d62d7915fb98

SHA512
500092797c61a86d3fe3c985f2a9ff7ff22263a84462087513732fc90201bb41fe60bedc8b8f7be979b745cadf17b32e48bc16bd24971e9f80cdf2d77b11e05f

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
63KB

MD5
530b300ff5551bad0861de8503a98485

SHA1
c751905a5f086c292dee7d0289b527f2b60246a8

SHA256
6a007ef3ebfc7e6db8d848c2c4554177df971bd09dd2e21be9e574078fe34f86

SHA512
7cbda403cead8d9f41886a634fb0e66757c213f832bb9980a93a55e5abe3a663aab4a2091bd2252290d820be89931bd93f83e95b811886573477588147bce41f

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
63KB

MD5
59d06ef5f8e901c4c90728be1804bf82

SHA1
6a67c2f0fc0d1958c0eba4a72c653ef584b2cfb1

SHA256
c88ec3f4e68408ecc1302c61af7839efe469b9ff83dfd86ff840c5bcbcc3ea6b

SHA512
0d76fa163a46931b9559b3d4ca36dcb7933afa7622f4c7b90efdeec92bf1decaba318b755afe1c7748fc544a21daa28bec1e5a9e72766fe02a76103c3a0ba1a0

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
63KB

MD5
200b6e07053f920c7553292254463b1b

SHA1
538ea9f54f81633adf86acd6136de0059631f500

SHA256
688df6dcb3bc131bd225b9ae6a5ef07ef50bbf38ec0aec9a6a40d3c9a45b947d

SHA512
3de97ee3f99a2574d23a0dd7f6d92207f3cc10bb2385b9cb48414df12228a645e1619f5b6b8103ac59040b17d81b0eaf33926da4081491b969897eb6caca8ec3

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
63KB

MD5
a65d4685620772d78b473032c86880bc

SHA1
d273df037fde1ac516534a60f6f65712f887f17f

SHA256
e5bbf4c5ac02c71413a79676218c6f502d5f906c5e3b081a20a0d87c17212938

SHA512
fc64ac77972add0840805e5aca302aed4aea41388343b320d9510b1a45c344f04e9276c138580690fdec83a67170ac1c3190d6e2b0fd429c7222b831977213b4

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
63KB

MD5
6d8a6a00348d2c4babc54527efae4ef7

SHA1
23ec7e0a7c852080815d74ee185714ceb5e52baa

SHA256
c9baeaeef67c15b127f38862bcfde7bfb1f6765e1894acf03dccac6291cd63dd

SHA512
0f24362e073e54ecf44bb2a6b4a504a83dd768b89c2113ed72f98021659579d678ba484e2ac4e5a0c53f28d9d88dde3b7eb74babd3164234fa63e014d8a7a0f7

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
63KB

MD5
b0f76a2e830af63c8b1206cd9c519065

SHA1
47eef56353d83efee67bbdc4556fd1506eb83df4

SHA256
d46f5f0b93c59183d94eab4bca87c859eebb9d6fc88a9dee2844ea46db033dad

SHA512
b34d655b49b59ced44e72a44f4e49193f343c3738534f603807c0547bac59ef1cf1e8028c109329c20c4715a61ab49c9457c53b374c82f0de17fefaa04af16b5

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
63KB

MD5
377cd8d09e16414088e3ad265830a69e

SHA1
b55e43c9eafb3861c4f3a7b43fe3945120ea8a6f

SHA256
5b287d247a390c47557814fa079debe4e2067b11570e09626433f969878934a1

SHA512
beca9246ae157066d46733f601c9c8d618589bb8909dd38efab37403e03e3238e87bfd9886fad74a8321473a957dc573e69c6667db6ae575af8f8ff0bf72ab9e

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
63KB

MD5
f3529d349fcebb23ee9cb5169b41c8dd

SHA1
fb24f5591ac26e45d32c5c6a8442f933a239472f

SHA256
76794902e15cfd5b71bd28b8bb4341855252cf3f139bc7f04a5bddeaa675c70c

SHA512
4decd43b0570586ff03f7a29de7a4a76ee1ee5f267f5eae63a616e6d42cc41f1fb02ddf2bdcaf5646ba7b1adb5e404388698fda1dff370b515204cf3fd5f867e

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
63KB

MD5
7e811d82d5234a32ff45cb2d842f9629

SHA1
cf0f1b1368326baf57cf87621790735c0c199369

SHA256
df66862e915b2c932b22676e281c610ea682fcd8852f581f3e4e22d0ddca6f3f

SHA512
631561dfa5fd393d8a759aa50766c75aa3af4dfad5e56de1dc3f10ef483a765229369cb4dadeefa52f7b1900c190125e6582bf2f2c492ed226fc9d091b95a1ac

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
63KB

MD5
23b19a67bd52483d05f5f3e4c9467a44

SHA1
6c90e98b8ea7d82b366ac08e5e5826d2abf8bf50

SHA256
e8e3e14c37258d4bec0a6afc8d2e58584db9bdab5662cac18e16eb3350958f12

SHA512
eec14f9c487e9069ea5077b8acbb1df519f654666d5272121833446691596e8b3ed7ecc8c92e45c556d70f1bde48742b503ac3dc8cf5677dd647aa994b6c6754

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
63KB

MD5
a631a6b110243b3284166dcbe14472dc

SHA1
b90d0b4d263e3fd808416bea862aa5a0683145f8

SHA256
bb369cfe065fc4d8a0000fe7cb1de08ca7a00b3ce1f2ad47ac57c822add54c5e

SHA512
24601f731641a5f933459fe3f317ed8876cbddcac9a3597c70db4b4cfc3a9cdfc86bd3f7f682aaf766037952f3324db38142550e8ab44f97b74be840d0f2d31a

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
63KB

MD5
971f3b8f758f3eb6bf9c6244667ee55f

SHA1
cf26188762c90854f09ef3744ae6ef826e3ad497

SHA256
d5eb21465a7300739740f0a0d6b127d4c6fb1b08ea1348778fcf402323e64143

SHA512
e4dc573d8f9a3b51ee852d556bf24e1fb712346288837d622158faa75e1c8e5a4abbab7d4f413b106c03f27d230fe467ce4565cc9a841f16d385ccd33e797788

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
63KB

MD5
685da555631b375e3caa25c2faed8fa2

SHA1
4bd90474391c50906d1cf5bff52ecb704647155e

SHA256
7cf45de7e00d533364ae609bce5c5c3906b3baad3f0b6ffa9b7eeb41b8ccea8f

SHA512
e354ef3a6c936e6ad3b6c8f6358b2e3ca3033ec01aa429db2c01ed2f829ce0585f1be931e241f6e0333227ace4d52211c723e5cef850789ffdf300ab1b17b0d0

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
63KB

MD5
c4d77941a27cd738acc636d186232ba7

SHA1
e7a98a26911ce305ecc72e5bcb89155f214bca38

SHA256
5ca1819dbc34b8dd56839f44d9c9194402c3b60ed871cc64b86f20b4707f8b72

SHA512
f4117578db626a21bf6d1e2fa8bd63887c80f279aca431832730a88a70ee9434edfeb39f616ff97b90e3f10b8de0e942c9cbb88a6fd7b47e7aa4343eebfa9b5c

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
63KB

MD5
d7bf872379556e726fc0ede2fbc2b685

SHA1
910a07f08e8d1ed9c4cb6162bea5607728fc7bbd

SHA256
a4ac15ffa665ba0d5c8067f3314cb812b5635b27d96a9dde70bce8629250c3ed

SHA512
49f79be7a73bbd7a89f5b2ffc9f33e7eb04fb3206e23f5f652eacd99844d404b0b9724b287ee9b548d18ae4a0d2a61e61d6eef5e96c42f0475c41d5351280599

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
63KB

MD5
bdbee3b49e16d4baa57ca9748fe03fa7

SHA1
7cd0b06149ffccc56dae9592b088834aba6365a2

SHA256
3a36c92cc1ec9070225db96f24403527ca6d0e21c86ae9dbe5ba6c27a0d011b8

SHA512
d3d30c1c1040c3cc1522fd69d24963aa87c5ec33f1a19d4d390b550f01ee2176c5476932251aad27f101f69b0f73182729ff4a5933715871930495e32b6c5d8d

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
63KB

MD5
6a979f0186ef56c4b206d031ae5b4526

SHA1
32b6a13ba1d250e06332fc7f044de232e86e5df6

SHA256
aa223c0b1b52090edf1c6a662a7accbeb8b2dfcfdf6e78a03bfb36fcbad25069

SHA512
409b8fe96496c754d80e07dca4073cc55dff9b13d6907f2d862f1c7b4e46854887018c8588bb2c1ed8f405ad714ef666967379867077e810aab167c0c0b741f5

Download Submit
memory/60-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/184-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/224-649-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/224-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/428-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/448-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/524-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/796-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/920-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-566-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1136-519-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-587-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1156-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1216-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-546-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-503-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1572-567-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1604-497-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1640-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1896-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1932-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-594-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-527-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2096-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-581-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-485-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2196-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2240-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-479-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2384-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2636-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-580-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2860-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2932-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2948-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3092-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3116-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3284-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-552-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3312-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-588-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3420-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3440-521-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-573-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3860-540-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4080-533-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4108-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4188-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4204-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-539-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4212-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/4212-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4216-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4368-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4556-682-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4600-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4628-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4640-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-491-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-559-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4864-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4872-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-574-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5028-553-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5032-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5060-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5112-560-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads