berbew | 35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0

Analysis

max time kernel
94s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
Size

148KB
MD5

33543fea1c33a8c5a27457b54dcd9270
SHA1

0d0e4d1e34da72970494f3a1be8bc0f14371177f
SHA256

35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0
SHA512

f28a56d3ab22a29b68779fcf3c627dc2963220425cbcddf0e309c55fe7543317ecd1c135e6df9efbe678e52e6ec7cb0a2d9bb7409e12e4526388f298251aa979
SSDEEP

3072:hXnxmH4ZiXUq+MocY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:hXxmYQiMocKOdzOdkOdezOd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2076	Odkjng32.exe
2604	Ogifjcdp.exe
3508	Ojgbfocc.exe
2404	Ocpgod32.exe
2912	Ojjolnaq.exe
380	Odocigqg.exe
1604	Ojllan32.exe
5068	Odapnf32.exe
3152	Ofcmfodb.exe
5100	Oddmdf32.exe
2564	Ojaelm32.exe
2944	Pdfjifjo.exe
3168	Pfhfan32.exe
3024	Pqmjog32.exe
1408	Pclgkb32.exe
3964	Pqpgdfnp.exe
2856	Pmfhig32.exe
4052	Pfolbmje.exe
3640	Pqdqof32.exe
4368	Pgnilpah.exe
1924	Qqfmde32.exe
3344	Qfcfml32.exe
4132	Ampkof32.exe
4560	Ageolo32.exe
936	Aqncedbp.exe
2368	Agglboim.exe
4892	Amddjegd.exe
1036	Agjhgngj.exe
1588	Amgapeea.exe
5084	Aglemn32.exe
2476	Aminee32.exe
4948	Bfabnjjp.exe
3984	Bagflcje.exe
2632	Bganhm32.exe
3680	Bjokdipf.exe
4344	Beeoaapl.exe
404	Bffkij32.exe
3712	Bnmcjg32.exe
2736	Balpgb32.exe
1680	Bgehcmmm.exe
2384	Bnpppgdj.exe
2696	Bhhdil32.exe
2648	Bfkedibe.exe
3548	Belebq32.exe
4252	Cjinkg32.exe
1348	Cmgjgcgo.exe
4700	Cenahpha.exe
3664	Cjkjpgfi.exe
3916	Caebma32.exe
748	Ceqnmpfo.exe
1104	Cjmgfgdf.exe
2688	Cagobalc.exe
4188	Ceckcp32.exe
868	Cfdhkhjj.exe
1564	Cmnpgb32.exe
3940	Cffdpghg.exe
2156	Cnnlaehj.exe
1064	Dhfajjoj.exe
1532	Dopigd32.exe
2124	Dejacond.exe
2236	Dfknkg32.exe
628	Dobfld32.exe
2232	Dhkjej32.exe
4568	Dodbbdbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Caebma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3688	692	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnodjf32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2076	4484	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe	82
PID 4484 wrote to memory of 2076	4484	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe	82
PID 4484 wrote to memory of 2076	4484	35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe	82
PID 2076 wrote to memory of 2604	2076	Odkjng32.exe	83
PID 2076 wrote to memory of 2604	2076	Odkjng32.exe	83
PID 2076 wrote to memory of 2604	2076	Odkjng32.exe	83
PID 2604 wrote to memory of 3508	2604	Ogifjcdp.exe	84
PID 2604 wrote to memory of 3508	2604	Ogifjcdp.exe	84
PID 2604 wrote to memory of 3508	2604	Ogifjcdp.exe	84
PID 3508 wrote to memory of 2404	3508	Ojgbfocc.exe	85
PID 3508 wrote to memory of 2404	3508	Ojgbfocc.exe	85
PID 3508 wrote to memory of 2404	3508	Ojgbfocc.exe	85
PID 2404 wrote to memory of 2912	2404	Ocpgod32.exe	86
PID 2404 wrote to memory of 2912	2404	Ocpgod32.exe	86
PID 2404 wrote to memory of 2912	2404	Ocpgod32.exe	86
PID 2912 wrote to memory of 380	2912	Ojjolnaq.exe	87
PID 2912 wrote to memory of 380	2912	Ojjolnaq.exe	87
PID 2912 wrote to memory of 380	2912	Ojjolnaq.exe	87
PID 380 wrote to memory of 1604	380	Odocigqg.exe	88
PID 380 wrote to memory of 1604	380	Odocigqg.exe	88
PID 380 wrote to memory of 1604	380	Odocigqg.exe	88
PID 1604 wrote to memory of 5068	1604	Ojllan32.exe	89
PID 1604 wrote to memory of 5068	1604	Ojllan32.exe	89
PID 1604 wrote to memory of 5068	1604	Ojllan32.exe	89
PID 5068 wrote to memory of 3152	5068	Odapnf32.exe	90
PID 5068 wrote to memory of 3152	5068	Odapnf32.exe	90
PID 5068 wrote to memory of 3152	5068	Odapnf32.exe	90
PID 3152 wrote to memory of 5100	3152	Ofcmfodb.exe	91
PID 3152 wrote to memory of 5100	3152	Ofcmfodb.exe	91
PID 3152 wrote to memory of 5100	3152	Ofcmfodb.exe	91
PID 5100 wrote to memory of 2564	5100	Oddmdf32.exe	92
PID 5100 wrote to memory of 2564	5100	Oddmdf32.exe	92
PID 5100 wrote to memory of 2564	5100	Oddmdf32.exe	92
PID 2564 wrote to memory of 2944	2564	Ojaelm32.exe	93
PID 2564 wrote to memory of 2944	2564	Ojaelm32.exe	93
PID 2564 wrote to memory of 2944	2564	Ojaelm32.exe	93
PID 2944 wrote to memory of 3168	2944	Pdfjifjo.exe	94
PID 2944 wrote to memory of 3168	2944	Pdfjifjo.exe	94
PID 2944 wrote to memory of 3168	2944	Pdfjifjo.exe	94
PID 3168 wrote to memory of 3024	3168	Pfhfan32.exe	95
PID 3168 wrote to memory of 3024	3168	Pfhfan32.exe	95
PID 3168 wrote to memory of 3024	3168	Pfhfan32.exe	95
PID 3024 wrote to memory of 1408	3024	Pqmjog32.exe	96
PID 3024 wrote to memory of 1408	3024	Pqmjog32.exe	96
PID 3024 wrote to memory of 1408	3024	Pqmjog32.exe	96
PID 1408 wrote to memory of 3964	1408	Pclgkb32.exe	97
PID 1408 wrote to memory of 3964	1408	Pclgkb32.exe	97
PID 1408 wrote to memory of 3964	1408	Pclgkb32.exe	97
PID 3964 wrote to memory of 2856	3964	Pqpgdfnp.exe	98
PID 3964 wrote to memory of 2856	3964	Pqpgdfnp.exe	98
PID 3964 wrote to memory of 2856	3964	Pqpgdfnp.exe	98
PID 2856 wrote to memory of 4052	2856	Pmfhig32.exe	99
PID 2856 wrote to memory of 4052	2856	Pmfhig32.exe	99
PID 2856 wrote to memory of 4052	2856	Pmfhig32.exe	99
PID 4052 wrote to memory of 3640	4052	Pfolbmje.exe	100
PID 4052 wrote to memory of 3640	4052	Pfolbmje.exe	100
PID 4052 wrote to memory of 3640	4052	Pfolbmje.exe	100
PID 3640 wrote to memory of 4368	3640	Pqdqof32.exe	101
PID 3640 wrote to memory of 4368	3640	Pqdqof32.exe	101
PID 3640 wrote to memory of 4368	3640	Pqdqof32.exe	101
PID 4368 wrote to memory of 1924	4368	Pgnilpah.exe	102
PID 4368 wrote to memory of 1924	4368	Pgnilpah.exe	102
PID 4368 wrote to memory of 1924	4368	Pgnilpah.exe	102
PID 1924 wrote to memory of 3344	1924	Qqfmde32.exe	103

C:\Users\Admin\AppData\Local\Temp\35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe
"C:\Users\Admin\AppData\Local\Temp\35483b35a1b7f4a7a1603ad3498b3f6fd90c0349ec79c8ee569dd590c56adbf0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\Odkjng32.exe
  C:\Windows\system32\Odkjng32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\Ogifjcdp.exe
    C:\Windows\system32\Ogifjcdp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Ojgbfocc.exe
      C:\Windows\system32\Ojgbfocc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        61⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 408
        72⤵
        Program crash
        
        PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 692 -ip 692
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
148KB

MD5
490871520e9c5ba2589aa2e34c3db5d3

SHA1
aaa99e8314a47579d8475d8d37a0fd26b1ffb736

SHA256
45fbb22533e9a2c969ca49585f264d0c0ada9a55a050dbb603c6ec8903fe1c74

SHA512
ac232ca5224f2d860884eea36f6b6da4dfe64e0f317618e6e8725c051bb2163da5b6f1d800b34a95c072aec41fa5ed6c652f3b60c468ef10ed580d24ff97288c

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
148KB

MD5
c5422a8a91ec40bd3c0966f84f943e96

SHA1
c6c25167ca2d48b9500d9c31f8ee4cbb57faa745

SHA256
5a5a4349578299e509e06c305f90de01f3886a3bd13bf4bae3ab929539afba96

SHA512
fb75d13a6306444408156294bf7602428db914e0e0e790b4d86a3f9614256f756981f4e98da01cbe25cc0d9529915f80e5368fd347858601fef8d5686c30ef5f

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
148KB

MD5
9ccf413086ea528aa0a70ba123723e48

SHA1
ac1fdf10933ce56b757fceca458cf0e978f03930

SHA256
3411cec60309fe1f8f2089340b1e9a3a7ae2d7c8f174db04e01005eeb2830f95

SHA512
69b9ff6463814a24caebeaade6059b8015bf9fbe83adffa2f4d8c17153e66f7e257f1cd8f6d07bc0ecb0d3947226bd9be03105af46e8399caa089578cf44a3c3

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
148KB

MD5
c202be4a1b525f9d42eacd1b5e6e4676

SHA1
2d1e0263187511cf68f53e77e2d63244a2f509d7

SHA256
dda3f675679226d4b074ddfb3724d19c833d934392a44a3beb014a1079f8a22a

SHA512
2193a589efb8996ae84180604b8ec5631fd08276041dba7800257a7caec427e25f193fa960bd0ea945201e317240a2cd8bcf61d6b5c8135da84c282f7cf37f70

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
148KB

MD5
e2ec8e76151b380572069f4e68de5d70

SHA1
41ed29ca05ee72db8d04d4bfa263a0a0593ec6b9

SHA256
4707a27c4be656280f3d277aa6b20eaa273ebd2df40e9a29053e3fa2556d658d

SHA512
004de9062e09dc16e0e51c02e84137d0f87b8b9802cbcd10fef8b4c326d2872fac478f39a5b5b3326ab7d1788a67d4d22324b67fd6683a1d8715e41c1bd79ab3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
148KB

MD5
9e864414ee1c4b6d710fefefefc31be4

SHA1
ebf99a933f519c3ca6583a365f703cb13a4f6bd2

SHA256
e27e816ca372a770e1458d582764979313167ba064e8304226bb6ea2dc4a1403

SHA512
a554e7ca94fa5595892639f5e390d2a340e016b61ee759f53227fa2d55a743c509107f13c6aacfcc2563b6c684245ae4d7c2c77444d6758935bdbc2b4a7f25f8

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
148KB

MD5
946cc64c9aedb40ba7c05c21594e2c8e

SHA1
6bc10276935948557683b329adf33899c894589f

SHA256
59b881f2d0915d9869c4232465f503b9314d683079915fd9161049cd2d44a56e

SHA512
448339f8f023412d3f2b42608be32a747fa90fd6e267b9deb459a5d986d1b0c25d2d62581eef9231d4bbfe159aee381985a99de09d0c058e36d0bec86bc576b2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
148KB

MD5
9b025550f8707ec03e67f135e290fd23

SHA1
be58b3aa1f37f58dce880a0d6560558786c801d9

SHA256
2c6a86d3ae935fe3a69e95de8600d96f4ece671eba93edcaf3aa4ef7086cf6ce

SHA512
84937db6dcfc330e297fe62b3016312677beed5629b23d89dcf58e0e31e3b9f6cb15ad9ebe5c39bf0e1eece1403601ebbe8e4eaa11c53aa78d270060f437dafb

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
148KB

MD5
2923dc9f3cc61224500bc465908a00f0

SHA1
0330a65cd339a0b659fc2d5c646b58bae83fd345

SHA256
42743c43f5477a8aee5a751c15869f8e02bfdabeedb8892e907c67dc5d900893

SHA512
0b3b9fd4fd8d67f0aa9a766eadaf48419a8d59ff6ad52146cdf4408a8819f473cc33a20a5f0c2af7501a486bdb4260d090024ae6cba8f955582280ae6eff43f4

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
148KB

MD5
a0c3dc93af8488a806c85591fc0927ed

SHA1
d3c91847d7e34c500edb66ede7c607fb2b6651ba

SHA256
ea601242ae7bab74e14b1985e4848d9442ccf346276107452eed42bc93fb2350

SHA512
854edd27c6cbbf593f3bd17c602d437b2362915926b09b706033fde86063f91e42e831b54f65c33a7cf65429a719fa3437a5a781c7b65d669f12792f1f8a8722

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
148KB

MD5
ff4abcbaa182dda5846bc38c10bccfa0

SHA1
7a4155f9a9152f5286786591563521c0ff18095b

SHA256
2c71ff82075f28ad98fef72d31fe7b603753afa4367e96b15e7355e4ac8aa433

SHA512
96b1976b419c47d0e3dc49afdd023ea43e9b60529dc3211472a06c6545a3f97fbd7d163ed13270156145b9da1af1a70f879df5f561bb072214477be04f0a4091

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
128KB

MD5
08f929e7f9bf8dc8da53a81d1f4e5f4e

SHA1
96f6aa11c1c8c7481f8e7413b03754d3597680ce

SHA256
7ba66913841f712cc89ddaf9be07d0344c439b5ad34493150eb663b5c97d22a6

SHA512
e50494cf8c4264115b0a0ce894d3061cba12cfcb3f3bc10372424b68fb4319f6414e7b12f8431fdf5527bb55abf27d9d4464799b88fa08a0febfd4f6f22e0f58

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
148KB

MD5
9d292121e3bab0a28c50bae1d5855139

SHA1
b408f0ee21e66e615ccea106bf62fb14cba291db

SHA256
77edb3c95a2dc544df5e7ae8b9390c68e83f9067d271f6c315f10eb74439fde0

SHA512
bdc0ca088ba2c3bf95c4f436e1b7fa47835d073422ce30d71106ab2a4ee349a0d274e4a9fe51679e9d74e1fae59296f7c702aed371eccac2830463917205d4bc

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
128KB

MD5
66b4ed98fada3c3b2896025ec30e6e1f

SHA1
5aed9b6822076c6ab0097963819dbbb309f1cb57

SHA256
864341ac44be20e714db7d38c4308dbbccf7b0efa850860e32023f1bc56ad9cf

SHA512
26875b40bbf19c3a5320d9f84efc13c25506f75f5b4390e93e48715b0147148972b6fb0ad0008047315175d0c36ce7408460ba75c1c84f73ef9ba44acc8cdfac

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
148KB

MD5
475b060f2bccc0f3ff979877ae7e8c8a

SHA1
571917d50496170fba455dbca1c4d020102acdd2

SHA256
e01964327a5ea863f34be19efbc97052459ca40e1b645dc22ed7e83974249473

SHA512
cd07eab282c6563a8c4729c76026866c4a613f8db326f5ec5918f4ef5efb43da3d437024a3f753342d63f85ca83d9bd4c45a4731d7cf8c1672ec4da90e6173ec

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
148KB

MD5
314723467c0f5ba23c0163f09b59cf04

SHA1
e4dba8c1a342be5a78f6366eb26fc6de0b16ce64

SHA256
1392325c7b3cf597e3cdf5659e4833e45a45d85cb5b87a8e7388c87661d1c6f3

SHA512
fbd94e48e0a55d0d595acfa2a01531da07bb51e27cc63e7f4a5d1cf27d99ec53ea8951c26a3bd3488dceb07a82e7bb451a45157083f561c5d47cb7a5a8dab9dc

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
148KB

MD5
2d9b29f6987a0ac9a6b58aee62e4958d

SHA1
52ead13ea831f5681a54c749ffd3bed2ee581285

SHA256
0e377ff8a60e5c59cbef83ea77677abdeddbb2ef8f95c3636831e2db58fb7022

SHA512
f8291f2c5cdf6d2c59b35313bfad964f91dc1b803ed7ad644d3d69eb2e52e872e9845077e869939d32058e8c294f5a5e7bd76894eac2757114bf8b75fce1d610

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
148KB

MD5
5a30acdf54af3cf1558358275044b95a

SHA1
8178cf418ba6ef2f447c2b4ebc55ccc6bbd16da5

SHA256
183e6c7b2c4c9f0e5fd8a7d2c609f60e709007afa21b9cca5a8db3e7ff6b4898

SHA512
1ae71d3f858b1681b96d29e91238063f6307bb9babc05c1c60c9b9f1cedd67ec00a5a156821df4858c71c695c6c5ddab7842737ef2c703f27a96566f62a8c297

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
148KB

MD5
6ff93415826358e08a108b7deccd8fcf

SHA1
6e1b4aff1e2ec8ab6b6c0b7eabd59e09972cd708

SHA256
38f334a075b26b11690a042ca9fcefede60be5ba992f455f079c215acc7b2fcb

SHA512
e0675862ee8a12322bfabe8ce26029c2e6cd753dda837d96b022f5f23d2ee2a1eb4e1166ff3bf1ea476ee8f4a3882bc8ac37a2a99247cffdcaa0a74107121d93

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
148KB

MD5
a3400904480d77f520d6acc0547f5cb1

SHA1
97f7343889a287211edf4fc5d7870e40813322d5

SHA256
631e87f0a74e8d4b14dc15c0be662ed63979bdf0f4afe1cff585ac43edacc72a

SHA512
e054e1b7d669fd0146b77a7f3e9df305c8348b633fc944f5541d692e0f4737d50d365450b1772393fc1b165ee00f67ddef298b238981fb45455c045eb6c28cef

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
148KB

MD5
89ce650c7d86b9ecf9f550fffc89ef1e

SHA1
5e90c5c0949a79472e5a8bae4b7285cc567c3de2

SHA256
ad848dbb1bfb66a55944bbe4eb07125b41b06a4c0b6b57421585e44ccb527293

SHA512
3a3b4d8e2b878035607b87c87ee042bcdf852a090eeb0a01c44b2b4556954da502d35a7c2e30935d9da798a250c8eef4ddc75600c6f3b81e15124e67f40d1e46

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
148KB

MD5
0e8540ee39a5e51e1d352f3bd4fc1194

SHA1
6bf5b0ceb1c80296616c22475bca0741aaa59471

SHA256
609aebf1a9060002d1e0b4a38b5661a60a5ca9570fef5d1853b2c45d885df7fe

SHA512
b3b663e221a18a8d531c02d97c7a5aba2014daffb208dab85b7fe7cc1f418fe10e9d6efee896e2058efbc07ffb55ee30eba44f92046530d00c545ce6c6d51931

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
148KB

MD5
16bb0844d47efc56de0d740d1961b1a6

SHA1
220c059367eb9240059684768b0bae93411a2633

SHA256
78911e51f3b817e5971d66dac15d307f29151ceac663f2ff986d5a224dc89555

SHA512
cbffabea8a1b4965a8a1b228df379897c36af6dbbffb54d7e2a48daa355a3a620d1219ae1d0983c6ec75214775d7c1464427f50cf9fd054ef4f01fd0702bfd58

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
148KB

MD5
cb85206e0336b976b8f061af93dd7308

SHA1
836f4c7e2505b2925c01d9b111a432c1f59f6d7f

SHA256
78c0ecede2c5e492f36e3a7930e37dd3405ed04388202b0d681c4b2663e085c7

SHA512
b90544eb1decde0d2a09ee947ff4028db72a188fa9d8238c8879cf811537c7ea4b1f30f2700a0d9c3eea3b8bd9d6776086112a04e78524fe099cd94a7ad7c750

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
148KB

MD5
a7b7e7761abe7c04f82a764d65815597

SHA1
852cdc75b88c7d5c7196154454c92bc8eb50f5b8

SHA256
70193e87212279995c43df19f339d0e65dbb362e1a951a0df914bace12325cbd

SHA512
08651b6c71790f57889ffdc1310447a48b471beccd518fa6f84f722d817324bace8c355b0ccc35f54582c24fed8fad700218672cf97ec6b1b973f46b4ba59676

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
148KB

MD5
10db3055cb9a58c0c649b01e7b3f17c7

SHA1
0625055cbafeeb22f193ad78bbb186122ec978e5

SHA256
3199cff9b7bf75aef9bda7eaff504c64ad1079fff5b346ee79ea847bd24a4c77

SHA512
933b9aa0f3fbaccc40a3a47b67cc44f5a222b0838dea8e8e93fc5e8dbf7e16b26503297c3945e654fee24e9b1474b77b4ba5b769e7a463fd422b103d0348beec

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
148KB

MD5
9dbe8552bc4af7697ecd76c15652d79c

SHA1
6ff8f0dcbbcdd2b363612b82aac69cd6c846bbf5

SHA256
cf2a54d22857d9a60e9c5670307e082bc76630fb9b07d0ab7df04ced87b99e86

SHA512
02fc6d24b4796c87e52457bc295f2146e06f9925020055f5f5f43c5bb9ab042862e53a213937f03b68a551e0c80fc06aa59287ce03df56a8246f05df777c2b1a

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
148KB

MD5
7e23a6294ddcee55b5e9c2867422b360

SHA1
9032a72b28d7ce668ad97453c227193a4b8e3605

SHA256
fc2ac08b25d235c9bc2147a963eee42a0fc678bb11db28b448afd3cba934325e

SHA512
b1b82d5aed137e3af70c7b6479da14a23af16895d1e7ace6b01bebf9b61eee455f7ecfbf3619f66e2436fb9c99a6b7b81af28c1e41b94c52a667a92bda565a87

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
148KB

MD5
0956b7230798d31bb34ff990dd65f7d6

SHA1
8c749502ccc51017c72cf6daeb83c1da71b61ebb

SHA256
478665b29b6f1ea1e326121ddd1adfd4a7557cde96bbf891be2bd317352d04b2

SHA512
e38c7be7a1538878dca80018a2cb414d8f72a70bc4259967cf3ec81421b72a3f651d5db07c7de51b4d9f5a462b760a905bc6443f2871e36bc17fa841bbfbb010

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
148KB

MD5
fd9b831f8cd8ba1a4deee108273b3328

SHA1
d963ab56c3c19592112b46afd4b492c5c8152678

SHA256
20ad4647685d9c5082be97e796793dc1d4cca99e8c38de34449ebce898e858b4

SHA512
32093f6da57ae8c0781c8375827daddc77cfe4e05ce892069903c2ca8567addd21193725abc00fb97f00cd98c3159317e1151c780425b13c96e4cc4a3a081434

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
148KB

MD5
2219a59c85f566322e6681aaf610fb05

SHA1
8f5c0e8b0441e2a39411c2a037d90d8921b93f92

SHA256
33ff562f4c7d8322b288a5a0ca298f85fe988101bc9597dcda4a900951d2bdc6

SHA512
ba6e545af441be0171cebf327110332bffe64cefbc03987e3768f4ff28f920ccb9bc176dc61bd217ef0ff42c249579ec5ca28a8b8d9a9b3d4cea3c318ce552b8

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
148KB

MD5
a4e1ee0d0a8c9fcb2ad5dbcb35ad79be

SHA1
99306df84318830eddaa697e4b362b9d0ec3ef0c

SHA256
5497b1343b40da27fe880083a4496e5f1dbcf99f23363c1415d835db549ef45a

SHA512
30bddbb56de97d97df4266442fea67570884bfce228b4d9dde143be564b15538e0c1440e845a6f1e790e306d136e34f336e46ce0dd9d4e1386dde013a3e1eb3a

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
148KB

MD5
95c9d5ee640435eb4b0e79f6ff711702

SHA1
499c4d78ac4294a87da95f9c00f277ada6c31e92

SHA256
d378a3f739ede479bec382bbd7f3e3d7784cff1f6492d92eea9fc1a5e59c7472

SHA512
35fbd0ed10cbdcb1956f63cf2716dbf64d89d439de95d6c8c3dcb88d1fc93b18f3cd08947b972e12479e6fe30077f37634dd06e16badcb24e1c3a0d952f65142

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
148KB

MD5
b88eeb4bebe78cc615ae2e8179914391

SHA1
ad7091a7662d4027b2251868578fd33cd16089be

SHA256
f903896806813474ed8ce5449a02b88233d046a53b494185fed3bcc1f4fe35ed

SHA512
a9eb6f71ca5b8d3a05d4a89fbc2a42338575bdff22134d0f3e9b0f6c7f9e46dd550a5c07d5b347e8561b63eb071f3dd13e6626c90736dfb3e68b51efbd9f4cac

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
148KB

MD5
04f19294f972b76fa020c7026ce7a644

SHA1
43efe42acf1719b5668794f81f969ca0e9a7d6c9

SHA256
0a817ec1d95d41b7d30f69f21cc9dfbb93b60d88e831468c2638b73cf933f8fc

SHA512
0f111dc4eecca54abdaf181e695ac85a2ef37dc6ec16480c63e35cd52f4ddc342ce41942e162fd46951c0904d442629f2ccc74af453d5b9751268e9891b63c66

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
148KB

MD5
c84455781e3a592a935adf3cd96ba7a4

SHA1
bd4d405ff9d09b21bcb7e1e1988415ab2ee91741

SHA256
df825593e0be8871058379420dd627bb16027d939b7c929a0b240ef710d57353

SHA512
a7e7342ad8dc1a141b577c7c06e165101ad52690438e266775c8d5ff8b076a459ff06dc0dba7c8fbd45ef42b82454924d63a6fcb7b26dac27e05855700747508

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
148KB

MD5
1ccea052ab88775bb72e91918222b876

SHA1
51ec1c8d19a352179dfc8ca3f721c21ac6d29e76

SHA256
f66899dc149a73e1d6ca7fbbec256d86b17f178f2eff66f3f8c5d9611861b70c

SHA512
529a0287b311ffb8a059ecbfd7e19acdbc83ead74d14b0dab1bf76e5fbf91c9f9e1132b6c214878fdc4b791440e6348c7f942dea4ceb6b00c5d07dae548ae22a

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
148KB

MD5
470622288b5960f90a31a7f987fbe57e

SHA1
3e5c74d8c3b33106ff9e5a97897ce840d4c2c657

SHA256
b6f32e09035bb25e9879b0edafd69b2d8b75bb861d043923a6dd7ef22ec529a4

SHA512
7cf4ed095a942280f3a4844bb0ffd000831137bf5022f7d8e6c910d05f751fbff090224047ea405e4596ad0998cf68fae1266587a1960bbb99c92fdccf38e712

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
148KB

MD5
c2b82f356df5a7762f31b2dd97aaedf7

SHA1
c0c5da73d887bc509c7c3988f0527fdc359142a2

SHA256
54ede1096ba701b29d56e19a739c5e8c632e38ec1886472d0570379bc44fd5ce

SHA512
560cc22aefb0cc86120a3a7f547d4bd5c382631d4fd98a9f5de8f5ef0c21cbf5bdb3cbc10276f4c26c1a8cadc94d79fc53745cf083b5d73f42f45a7155fa44fc

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
148KB

MD5
de696f11e94f7ea336f37361f07b675a

SHA1
ec1557b8d186b2ae4dd0a719a11bcf90379d8781

SHA256
711193a90f8ac19286bbdb6c7315accd3e9bfdb613b1694193da2c3f96b3fd0f

SHA512
12c44fe009732491aa0ba79717b9fb5046b50b53f92cb10b46ca11c5d05ce293d84bf9737d200b200f72fe3119bb80d388ad5ba879095fd20ee6acf4f1ca0a70

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
148KB

MD5
b6fef6238bafbb423973370695ab2d71

SHA1
2fbe0335ee157e86cff22f5a3b495c27fe969e52

SHA256
2f73217415ca5dd5ac16d3965c57fd5dec5d6a95cadfa75b4a497c6316cacf19

SHA512
b2d9d4e064d0aaea3c8f7c1315a13cd47fa3c526ee81246de5ede2dff4a1bb05a909484932d76f3acc7e3b003c0907bbee41a8240e8f469f748f25b08f9b716d

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
148KB

MD5
2f2135924c1d57507908082384b93648

SHA1
6314af4cbed1ed3677ab306b06fb482197dbef9c

SHA256
036c90f463f22bcd92a5a490b2899d383b50e26e2774d1706326a7cabb726d21

SHA512
5650fa48727c3f65955190d72c6c1829ca9b7925328eea08be284ca03d7f209214485b8739905604758f8bd8f1daeef2ccbb67e6594b665a9bcad3e2b43b83d6

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
148KB

MD5
6746075a88dc8329363b2fe77c2c2796

SHA1
b7b99ac0c02cf8fcc366dca2ca54954c8f2d5aed

SHA256
beb305e48834d53203f47ba100fb383c6ee671f8bb00697eb78b1ec3e832a117

SHA512
a3647b8936532ed9c9d0edadfcaf9682a785126c901e624ede421e7e3d36783018b388bcb7a3bc1cb5076686461038de1e69d244b5cfd3562e55d9a9f456cd58

Download Submit
memory/380-48-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/404-287-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/628-437-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/628-503-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/692-488-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/692-485-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/748-365-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/748-527-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/868-389-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/868-519-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/936-200-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/940-489-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/940-483-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1000-461-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1000-495-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1036-225-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1064-413-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1064-511-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1104-371-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1104-525-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1348-341-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1408-120-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1532-419-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1532-509-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1564-517-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1564-395-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1588-232-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1604-56-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1668-491-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1668-471-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1668-493-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1680-305-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1924-169-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2076-8-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2124-507-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2124-425-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2156-407-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2156-513-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2180-492-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2180-473-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2232-443-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2232-501-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2236-435-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2236-505-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2368-208-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2384-311-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2404-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2476-248-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2564-89-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2604-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2632-269-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2648-323-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2688-377-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2688-523-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2696-317-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2736-302-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2856-136-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2912-40-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2944-96-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3024-112-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3152-72-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3168-104-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3344-176-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3484-497-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3484-455-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3508-24-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3548-329-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3640-153-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3664-353-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3664-531-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3680-275-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3712-293-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3916-363-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3916-529-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3940-515-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3940-401-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3964-128-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3984-263-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4052-144-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4132-184-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4188-521-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4188-383-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4252-335-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4344-281-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4368-161-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4484-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4484-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4560-192-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4568-449-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4568-499-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4700-533-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4700-347-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4892-216-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4948-256-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5068-65-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5084-240-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/5100-81-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads