berbew | 57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Size

640KB
MD5

e9990af3caef34a043db8c46cd3e14f0
SHA1

1bdb5b7db44d2093091a06181df28708aac4d0f5
SHA256

57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8
SHA512

37330f913eda27d0df6a52b59ae449e64b50755db76e85ff3cf478ad4277aa7ed26dee3cbcd0911d2f8d76396efe860f28cce22910cbea0f6c93a84c1b043a08
SSDEEP

3072:xWd8GPhzaMRYQfIdAx7nx4f4+xGkIs6COoU60EaBNNVBZ:Yd8GPhzafIIEnR+AkOCOu0EajNVBZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4740	Ncfdie32.exe
4260	Ndfqbhia.exe
2236	Nnneknob.exe
4092	Nckndeni.exe
1216	Oponmilc.exe
4504	Ojgbfocc.exe
1004	Ocpgod32.exe
1652	Olhlhjpd.exe
1020	Oqfdnhfk.exe
1220	Olmeci32.exe
2616	Ojaelm32.exe
2436	Pdfjifjo.exe
760	Pnonbk32.exe
4088	Pclgkb32.exe
2320	Pdkcde32.exe
3180	Pgioqq32.exe
4248	Pcppfaka.exe
4820	Pnfdcjkg.exe
2288	Pfaigm32.exe
1952	Qmkadgpo.exe
1336	Qjoankoi.exe
1536	Qgcbgo32.exe
4020	Ageolo32.exe
1488	Agglboim.exe
1756	Aqppkd32.exe
2936	Ajhddjfn.exe
3516	Amgapeea.exe
3456	Aminee32.exe
1684	Bmkjkd32.exe
1836	Bganhm32.exe
4844	Beeoaapl.exe
4276	Bmpcfdmg.exe
3292	Bfhhoi32.exe
4356	Bmbplc32.exe
3680	Beihma32.exe
892	Bfkedibe.exe
2480	Bapiabak.exe
3692	Bcoenmao.exe
4424	Cfmajipb.exe
3076	Cmgjgcgo.exe
980	Cenahpha.exe
1360	Cfpnph32.exe
2844	Cmiflbel.exe
4808	Ceqnmpfo.exe
4396	Cjmgfgdf.exe
2408	Cmlcbbcj.exe
4348	Cdfkolkf.exe
2556	Cjpckf32.exe
3132	Cajlhqjp.exe
2192	Cdhhdlid.exe
4444	Cffdpghg.exe
5036	Cmqmma32.exe
768	Cegdnopg.exe
4680	Dfiafg32.exe
2572	Dmcibama.exe
2484	Ddmaok32.exe
3204	Djgjlelk.exe
1940	Dmefhako.exe
2804	Dhkjej32.exe
5096	Dodbbdbb.exe
2496	Daconoae.exe
1744	Dhmgki32.exe
2812	Deagdn32.exe
2840	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ncfdie32.exe	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Debdld32.dll	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ndfqbhia.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nckndeni.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3224	5072	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncfdie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbopgfn.dll"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nckndeni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncfdie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgepdkpo.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 4740	844	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe	82
PID 844 wrote to memory of 4740	844	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe	82
PID 844 wrote to memory of 4740	844	57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe	82
PID 4740 wrote to memory of 4260	4740	Ncfdie32.exe	83
PID 4740 wrote to memory of 4260	4740	Ncfdie32.exe	83
PID 4740 wrote to memory of 4260	4740	Ncfdie32.exe	83
PID 4260 wrote to memory of 2236	4260	Ndfqbhia.exe	84
PID 4260 wrote to memory of 2236	4260	Ndfqbhia.exe	84
PID 4260 wrote to memory of 2236	4260	Ndfqbhia.exe	84
PID 2236 wrote to memory of 4092	2236	Nnneknob.exe	85
PID 2236 wrote to memory of 4092	2236	Nnneknob.exe	85
PID 2236 wrote to memory of 4092	2236	Nnneknob.exe	85
PID 4092 wrote to memory of 1216	4092	Nckndeni.exe	86
PID 4092 wrote to memory of 1216	4092	Nckndeni.exe	86
PID 4092 wrote to memory of 1216	4092	Nckndeni.exe	86
PID 1216 wrote to memory of 4504	1216	Oponmilc.exe	87
PID 1216 wrote to memory of 4504	1216	Oponmilc.exe	87
PID 1216 wrote to memory of 4504	1216	Oponmilc.exe	87
PID 4504 wrote to memory of 1004	4504	Ojgbfocc.exe	88
PID 4504 wrote to memory of 1004	4504	Ojgbfocc.exe	88
PID 4504 wrote to memory of 1004	4504	Ojgbfocc.exe	88
PID 1004 wrote to memory of 1652	1004	Ocpgod32.exe	89
PID 1004 wrote to memory of 1652	1004	Ocpgod32.exe	89
PID 1004 wrote to memory of 1652	1004	Ocpgod32.exe	89
PID 1652 wrote to memory of 1020	1652	Olhlhjpd.exe	90
PID 1652 wrote to memory of 1020	1652	Olhlhjpd.exe	90
PID 1652 wrote to memory of 1020	1652	Olhlhjpd.exe	90
PID 1020 wrote to memory of 1220	1020	Oqfdnhfk.exe	91
PID 1020 wrote to memory of 1220	1020	Oqfdnhfk.exe	91
PID 1020 wrote to memory of 1220	1020	Oqfdnhfk.exe	91
PID 1220 wrote to memory of 2616	1220	Olmeci32.exe	92
PID 1220 wrote to memory of 2616	1220	Olmeci32.exe	92
PID 1220 wrote to memory of 2616	1220	Olmeci32.exe	92
PID 2616 wrote to memory of 2436	2616	Ojaelm32.exe	93
PID 2616 wrote to memory of 2436	2616	Ojaelm32.exe	93
PID 2616 wrote to memory of 2436	2616	Ojaelm32.exe	93
PID 2436 wrote to memory of 760	2436	Pdfjifjo.exe	94
PID 2436 wrote to memory of 760	2436	Pdfjifjo.exe	94
PID 2436 wrote to memory of 760	2436	Pdfjifjo.exe	94
PID 760 wrote to memory of 4088	760	Pnonbk32.exe	95
PID 760 wrote to memory of 4088	760	Pnonbk32.exe	95
PID 760 wrote to memory of 4088	760	Pnonbk32.exe	95
PID 4088 wrote to memory of 2320	4088	Pclgkb32.exe	96
PID 4088 wrote to memory of 2320	4088	Pclgkb32.exe	96
PID 4088 wrote to memory of 2320	4088	Pclgkb32.exe	96
PID 2320 wrote to memory of 3180	2320	Pdkcde32.exe	97
PID 2320 wrote to memory of 3180	2320	Pdkcde32.exe	97
PID 2320 wrote to memory of 3180	2320	Pdkcde32.exe	97
PID 3180 wrote to memory of 4248	3180	Pgioqq32.exe	98
PID 3180 wrote to memory of 4248	3180	Pgioqq32.exe	98
PID 3180 wrote to memory of 4248	3180	Pgioqq32.exe	98
PID 4248 wrote to memory of 4820	4248	Pcppfaka.exe	99
PID 4248 wrote to memory of 4820	4248	Pcppfaka.exe	99
PID 4248 wrote to memory of 4820	4248	Pcppfaka.exe	99
PID 4820 wrote to memory of 2288	4820	Pnfdcjkg.exe	100
PID 4820 wrote to memory of 2288	4820	Pnfdcjkg.exe	100
PID 4820 wrote to memory of 2288	4820	Pnfdcjkg.exe	100
PID 2288 wrote to memory of 1952	2288	Pfaigm32.exe	101
PID 2288 wrote to memory of 1952	2288	Pfaigm32.exe	101
PID 2288 wrote to memory of 1952	2288	Pfaigm32.exe	101
PID 1952 wrote to memory of 1336	1952	Qmkadgpo.exe	102
PID 1952 wrote to memory of 1336	1952	Qmkadgpo.exe	102
PID 1952 wrote to memory of 1336	1952	Qmkadgpo.exe	102
PID 1336 wrote to memory of 1536	1336	Qjoankoi.exe	103

C:\Users\Admin\AppData\Local\Temp\57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe
"C:\Users\Admin\AppData\Local\Temp\57754483c6b9791dd00f0abe32797849029a1e42829990f2129fc00125358ca8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\Ncfdie32.exe
  C:\Windows\system32\Ncfdie32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Ndfqbhia.exe
    C:\Windows\system32\Ndfqbhia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\Nnneknob.exe
      C:\Windows\system32\Nnneknob.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4808
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 424
        68⤵
        Program crash
        
        PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5072 -ip 5072
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
448KB

MD5
0246eb9c91fb16a384a0cb8e1d44e6e1

SHA1
cf9ae02607cb6199154cf7765275394d422c67e7

SHA256
a10b06ae9ecb96450e8f7f413b767086b3f7d4f07fe512ba5aaf161e1c49bc4c

SHA512
39e879d891434570efc0e7445ff5368707589038d34e3df5f8d56df2431cdeafe5f7d7d1e14586c965c7374d293c6a8b375764839a9b59c33e088d020ff9bb7e

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
640KB

MD5
1224c43553caf4876e52e473a19dbaba

SHA1
07600ae9f5ed5a8372b7e83e9d40f081cbb8efcd

SHA256
3c2bc71c198000c66856f646fafc50d9dc2a43a1d42abf1255bb9d9dddc8627f

SHA512
aaeb77b36602e4a1465d63f40f6ccedb537eb7e8f1046c7cd5cb093d81c84527e26072ae637f990ff5063359f62f17a89c49c802b2e53256eff5793ff7689604

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
640KB

MD5
55e00a4b7688d1cdf54381ab62d71f70

SHA1
da479511d66ca2a903fc7e7d32eda774e0d9f951

SHA256
1e1164ecde47391fc2bd24eaee308db2e7e27179aec6cb8e331b743dd6967dc8

SHA512
face77990d7592754dc68ea0d55ca0f0eadcecbfdafd199883af39a2f5dad4fcd8fb42c71391ad1dbb79588f3f6825a4c1b2fabc90a53dfd362d062ef4e9443c

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
384KB

MD5
35177c128214d9653f4c1590c6e128b7

SHA1
29fca042044f5903db7d3c77ca2640fae10cc052

SHA256
586eb1baad0f25ed5fcece505080bec7b735bf0d58aa9094105f1ded5299bc2f

SHA512
3e4a0cfabad4bc0d2051eac113c615b112df983630f7abc15469e4876769ddb14691b21b89e664fde43ceb1d0223c7acba42a735d692bcbef4949914cd9f8af6

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
640KB

MD5
bf6ccb445cb737292eb62108d1f16ecc

SHA1
fcd7fe12995d190a9b40f673d2db86f3daaefca5

SHA256
3149024db1a9abac86c964885fddaaa6e239b92f39f783fc5abc513bacf53076

SHA512
2ec529673497cc8510a32327f50fe309d789566e6b67969256e19cc8889545c81f92136671449cc373dc35eb7f472389b51827cd111a87ec875403da30933225

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
640KB

MD5
9b5c6ca0eb2d02b3dcd5964c477fac45

SHA1
dfecb68d08dcb42f1b17a4589565a950b91ef294

SHA256
5aceb780d67ec910cbd6eb19124ba89935574283f8d233b088474aca1a997240

SHA512
0fe873f633c38902e61296f1b95b5f565f561bcbdb95d6a868ce063b2993cb18d028d3081c4b633303064ea67de3c383e5a43e6c79019098c2a15ab302415930

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
448KB

MD5
aa3f740d167446864f2e4e726a1f786e

SHA1
1d1740853586f20219ee6e429203ca32cb76ec36

SHA256
98667ba8c4876a74d6095b14be72291c4be53a252472e2824a0418259f36ac0b

SHA512
e54fec9f50a6cfe8666a3d54beef93bc02d25c07f476f8c1178cc8471f5fe603c14a97cd50b9b9bd84bb33248a7638d5e3b7c822a8e67a6448761e2099ba09c5

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
640KB

MD5
da3500b63f95e6779991f569258341a6

SHA1
063045b701ff1254c10df2722a64b0501f15fc90

SHA256
e540c93e8710fac98f84a5be83425e6e88dfe95af141f506308b9eae7aa307eb

SHA512
923a2c3e11ac906270a40ab3374f81472e86a1733ffaa46339457ba4bcca9c04910c157319fa361b791b2b3c159388a452843a26bd8df102095340ef909152b8

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
640KB

MD5
3f926e383b9b017c9c84660b91625833

SHA1
5bd0af93596dab954d5aecc83d19a34cd3ea6f91

SHA256
a710ec48e65a64fb77929d098af24233b8cb53d1c70e7d122c2a3ec25645c3a5

SHA512
ed94333ba2abd2a28249f071af403a94a0836b1a56a524067056953f3cf4391101d5197f5b428093389cfd9e6d8a3737c096f51e2b1793dc279373512b705353

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
512KB

MD5
27379666ad01747dc13b37d614feed86

SHA1
d0feb5b350909ceff1e224f56f8d0e99a3ce55c6

SHA256
b897a656c4dd338f6a8a9c40d27bbe62998ec1c824eef2c3e9ad8084ef06f0ae

SHA512
22e509da696eb1d4515c77024b4240f505932132064f92d8615f497d799074befecc11be972575959c5ff0b474f728bded43bdbd2eaeffd10c7b474ec13932a1

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
640KB

MD5
60aea9dd86c64d19b3bb71ace216189a

SHA1
0a830cbfbaf889580e7194fe830b69c16fb8809f

SHA256
d942b4dd92ff5fdc2ee9ebe681ed7ff97d9d94f0feb4962252badc1765790e34

SHA512
8cd5b50af8a812e8a61b4d123dd02e8114f96706f83244017c960678295353376fd538b64fe943c304ff0da599e5f2a4270089e428773811272c9597f6d453dc

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
448KB

MD5
10cf954bf2b4d72f023552d9a5a43f71

SHA1
cc5ebd1acdcf63df6e6b82cd747433373d0f40d4

SHA256
5161258b38b5fd675988cbbf75317ba2d4a44d89b28bbbe619a875f864634036

SHA512
d92d84b42d43d9f55947dd2a25f63f2bf8c4ae19a9716b77c3938bf1e5a707f1eae48bdeca04fff5cf9efbcd540ddf7c9788729e8f91f53aa03371ab225c57ec

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
576KB

MD5
62d0ad183014cd2164f6888c91207901

SHA1
ea86358075b19ce52a82b6fb7b566d12415c8690

SHA256
fa63b1751d83398ba4d37e94765046026cfe919178270969ede329dccd7b7b06

SHA512
fc6b2d7276d63da6e396e99d0aab91f9b583c3b9c50892aa144c0f61e696bedb4eeca137055b7dcc1224f952682d316d59adba2de4d7561fe4649bc202927545

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
640KB

MD5
6efcbbd06e72268c772ad4092669cdb0

SHA1
0ef51b4447e454ec9389c430ade02c147c6d5130

SHA256
412300a98df516f2446d6e2764fec4e51ba5b01e4d45421febaf0a810f228881

SHA512
ee1b8ee5fa0bb86cc23f257ec1199cf2265a764f2390ffeec1f4080f6edf6bf37643a963888e91174557c84f5339401d6483f73f7bd6f581b6169ff9897b4bfc

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
640KB

MD5
265a39d1c8ae6a6e0cbfd3327e2aa1b2

SHA1
15bf8c7f3e77d3584e8bedbc3dd063fe5e52f7df

SHA256
1eded83a9b1920a7e5c2dd6d8d474ae2434a20131d1529f0174549cd16ca4f6a

SHA512
b4fdaf750973532b549899461028c1dc1bd57eeec6ac67987fd1fa281a53377464623ec11eb7361ac953a28d2ace548a7e6ca3745c9531fd9d1ea2b315aa9b71

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
640KB

MD5
d263038889fcd9b0b97700c51f6b7391

SHA1
f7ce91d005dbb02163ae86f70f9f3b90ea7ec67c

SHA256
2fb06e6344bfc5b5629acea8de7e25add460338e682fc22e8448ef8878cafa6b

SHA512
c7b45bc4df18cf56f6d934facd39bd2a8f467eaf60a2d78e0cd71c9c218525fe7bec08565f255f002981e1d34b30813ad16770e0b06471ff0b965598755c578c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
640KB

MD5
32e8229726677222f518547ca90b4769

SHA1
f628d6f44909baa6f694fc9e747c12c19b30e309

SHA256
f791bcfdffc367c658e1b6d518f44a6861def75c78203426108e883342616aa1

SHA512
2b23cb19e7e89e09460e296259534c935f164df426af4d29d6c87583d200b0bc8a5f255380d29cb3e9b04d055738734626ab708375b60b260ff68ebb1c5a792e

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
640KB

MD5
13257234c735c4b6577185d2a6b4e249

SHA1
d2df49ba2da1e4d28dc8583e22d264c7727ea198

SHA256
9b7b2e6b8270b955fba02d35f1da34a6b829219ab972fa06252ec2165a7e4407

SHA512
3b967c7702da3912775adc763be62ef171d5bd3d051204994ba4eef910034750850cc0b15297e6acaa5efc792de3df51166a2ecd7eac7acdec5f49f1b02fc7a2

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
512KB

MD5
999b892e03dfc72be7f45a01777b7b4e

SHA1
17dc7cd02f1143224dd7af74388d32cb09164caf

SHA256
033aceaae6e75a4488a4d340d2b6d031572b628abb749f2278f9e778d7751bdd

SHA512
2ec26af531fc03a7fb236e8796dc67d2130ac8f5806acba809c0ca4215b395c19c6a2a54066827b3ae71b56f6046b01a790ac2bc9761110e2c6d30f66512cdcc

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
512KB

MD5
be95c07034a674bf1af3dc82c0e60f56

SHA1
040e8f12476d4e6bc02878c5b2aa1857f892095f

SHA256
f82471800ea3ec324eeaea2a55f14c8b7afe208de544ae1cd2d9a742cde46e6e

SHA512
44d634561a7d5b22b33f585f997adc732ce742d3e10d9c2876c8724d19c0f74799495862225f5d2b3c6149bb67483bfef156ec15fbf3a150feaf21d498715316

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
256KB

MD5
81d5a7bfe571f52355ff4f7545bed0c3

SHA1
09f1888f1858157e5712bd076ae659bd684f8664

SHA256
d9c6761a3a5c120c5c1b29e8f2022bfc2c20da3e3d5889dbb3fb3f32f5f747a6

SHA512
3ae922cae57419d5a933df8b79918bcba0179162e343c846680ff14834302b4b3348e6927e044006f38b395139118f827b50c2ee9893eede918b989f99d6be50

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
640KB

MD5
d83891dffa41c48a1fddd04459c7d267

SHA1
467d08b04510ee099a3426dfd8798709c238b36e

SHA256
ee53e1d35375dc547de36b4a16599949ed9fce4ea6b0d3a0447b95df7563c1aa

SHA512
0ceeca4ad894d5257472447b12a8c4d6c6bd9066b8b78ba784a77117bc65079049a6e9ad10207f641f78c70f1943acc88dc82438f05a1162319b02d78ad5e5b1

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
640KB

MD5
325380a71047613cc63f5ac0956565d2

SHA1
be8379615f272267c247814e7e345c0d7a40b696

SHA256
78a6024e27928176fcceafa2d368133c2b899d1f1bf060efdc869e1219030806

SHA512
6d91b347af77464428453610efc4bb2ac0095a21d79b2c18326f122cef4cf7660b3520536f277218a295ef97944debbdbde988b8f9956e45d51c60f844dc813e

Download Submit
C:\Windows\SysWOW64\Jclhkbae.dll

Filesize
7KB

MD5
ec58f4a92b9ae615e388d3135e9185c2

SHA1
5fa9dd0847002049e43eba495c3cc644182e2d23

SHA256
61d4e4cd7bd437c8d4732f4906dd7886f77e80683c124266feb94365b1ef1c34

SHA512
e8691ccbcc39ca723d9b7b0f2c8c6cc46512d719c8c4c35fd3d10fd84a9f5ce1800539b5f09f05e652db11b6ab6953d03763a5512f25a56902b3c9a461795b89

Download Submit
C:\Windows\SysWOW64\Ncfdie32.exe

Filesize
640KB

MD5
1237f85449e6e0f64a3faca1346fca66

SHA1
014d2bf4bfa8d743d0a02f2a4e014a53b0789f0b

SHA256
8b5079804eed369b116f28af0bdfb9c42011d8b1538ab83efcd22a1ae6f393dd

SHA512
737fe59350833d2306408ec6904512d168221e6a523a5fa449ee9d96d5aa5494f6942c98039f1ccaeb7083a629fb9e23ad9c6ddad0d0e129edc0f1928c122151

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
64KB

MD5
8ef39848dc770fd375db04f7d48558d9

SHA1
53dd9d2705f440d2ef42aebca0d86493c0b579b7

SHA256
36007f9dc65d35e797454dddbdbdc37a7e55654615c7f6a506e58dd90ab0d3b5

SHA512
83a7c49ed70a99ba622c26fa252180ad1c90e05c9767ed737f80bc7775658af919cfc08cbefdad7f5cb9220b73d98fd8b099e47e9582f82407af78dadb018f10

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
640KB

MD5
dfc12910e01a4af9073f40e768699a3c

SHA1
5d3719da7e9cf30e6dc81ca903483e6df8f53c54

SHA256
f7d27a3efac61bbeaf81dbf8525e28ce93da974793514b16c8116396ed5f50b5

SHA512
9cc76f981b19cab6d122523cf07fc2c45a19a3ab8cfa775862b8c630ca08c48038c0aaeea232cad5bcf07376b667a1beaaf29cae0b0bc036df663956631aecb6

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
640KB

MD5
3b5ae4a7323ecf997f747f9fd4444ef1

SHA1
16ba21cdafafa3174622560a2d6cd13261c502e8

SHA256
ede24155e49d97e8fb014ff6a045963e7989a83cb9aaa23ee02b287ccd472e1d

SHA512
7151f6bd101d3954b67f9089ef021ba4221682e13387b577cb855cc4a96eb4b9d59922809a59a75ac503a29f0cc5d135883821ed7836dec82a5c933d387e7394

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
640KB

MD5
f33f182e16add75b8df83ca690313831

SHA1
cc85e14be98c51e41537a8e21338c2698705d8c1

SHA256
ad2f2ee9fb852317653ba485bc54cddf76f4866eb402b626a07cb87cbfe71fff

SHA512
c487bb9937b58a58b961c9715ff25821e83d905f29aa387cdacdeccc2d55b874e54519d7838a8ff4e790d83c458130bbb2962fe3b38cb5a6fccf26d86fdeb099

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
640KB

MD5
2eeca66ee168f57e3e2b81177ae82618

SHA1
a30ed2f7a6d25d038e27ca405fd74e559b0c3f67

SHA256
e9df2ddd9e47a5714371a7a7c7f69a7e660218fb483e96ec0dedc18ebb5c0c22

SHA512
9bb08a076dfc5d70b7826db0ed004a4efcc465ba457cfd94920db65670ed184cc5dc21055de015a466c02ca1951b3f9aeeb26242abd57ad37356212bb54f6d60

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
640KB

MD5
a1d0ff90d123333c61ae1bbb2ea01cd2

SHA1
9d3fad742a867bf138f3a7acc3380c4e179fcf6f

SHA256
af9a75bd495d1672a13e2f47ab3a639c53461349d9c7ee8e13a1375b157e361e

SHA512
eaeeb6074a1849d467a9337c8c7af63dd5fb7e784c354e425f5927e69fd02b1bb200c6334c34cf81e2c0de1bda5b37683509d9db3c221c666b88eafc8639d884

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
640KB

MD5
25ca14b2ac0c53be59b905734017c482

SHA1
57f4d7b76f5bd4b2196936cd02e34e0688faba8f

SHA256
fa0a94caa23546b2f8e6e53f59ca8e50f39709a3be3e35bd4cafa35fa3e488f8

SHA512
49954e6f60c275a436dd38218eb8158527e4806b116e38a0864b518e9289a7083bbbb3d16cc85bfa02d8dcd99144d9bd1576b1effa7b617b6fecd52e4dd38b12

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
640KB

MD5
a3e880b733f74ff527bedfccb7d936e2

SHA1
10788a5cd846dd35df846d6c5ba2fe40548e28d0

SHA256
ea033584f3b89002ef1c02a3a4df40018666a19c9a83e4cb0b0096318969f94f

SHA512
ae7ff52d196aa250371c1e64a1469c4d1dd01bfedb4618791e780750ff5ed0451bfc9bad43e9365f64fd3c3db3ede4c406c95d5ff930473d7546701195a6deb8

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
640KB

MD5
de06eb62bf62adc48e09ee9a2c0233e3

SHA1
7273786a8e54655a29d5014f6625527813827378

SHA256
08bf5a958486016ef53c7793be7affcf7be93ab15259bd3389aa44e82556f0d5

SHA512
a2008e549f0b6e0a123d0800b663df2a70a22e9af009b39cf04a5c264a414fa4b894c919394c7a11f57ebeac7858b3f1a7f66f0afd206330de01c65ccc5d40f1

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
640KB

MD5
72d7b25abc62efb8b57a9ee9cc6ffd0c

SHA1
36696de04aa4bcfd3eb0a2e1e03e04a50e12aa4e

SHA256
3fc443d420057bd7de5f7985ae144d20a72c61382d0d7bd4e0c6b10f36a2bd52

SHA512
e182bac869f6a646a7ade1e216376a3bf10913110b6c4922e323a8ffca97a1654c429993d00bb9eba1992971542f57df33de6ca854ad00f4fe0c9964d2121276

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
640KB

MD5
4ef4ae2a44b6d1510d2d038b0ce2cab4

SHA1
39bd8b8031c33722d149aa1f1f36ee5d65578a8b

SHA256
89484995d7d4df745415b0d2a631f8f3f1d1f4d6d96d0dae276d5632ac833bf6

SHA512
fa00df18431f153612d7103c3aeb5a3d456c8a2b80b7dca1a63ffc4abcceff8de2168ad6ea0db2f36aa4c7f43636786c0cb9ab989e73213cf791de6683ebe0be

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
640KB

MD5
a8f3fb41a75ccaeca13dd6d471bb607b

SHA1
a90ec0b1900454c6bad0a8db8a32668ef824ff88

SHA256
231c5aa0a6091f346c41373b67c2766a85248b644dca6c5b9e25b70d7e60b393

SHA512
5543bcbe6b4231a374aebb97009a7d3e47c23e50fb4cbb81f59f489a3dfeaaaf1f06330e10fa2707f2ff2f0a08e6552cbafb838f1fa04eaf1d1d1e0ab1e8d501

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
640KB

MD5
2d13420a734454e86d428262f8eb7b1f

SHA1
420e172f82deedb14a3f914292a3c21d8b31ddfc

SHA256
a5af4849675c125aea88ccfad8632ccf4bb2609ec6349727d2a0bb1ddb6bae6a

SHA512
7e00289d8af46eaf671a45295ec3bbcbb0ac41db230832ab2b6eae0c5ff37931a0ac4a04d48cc2abb75b74972f3cd4bb23cb6e8bcc1c05db0ea8670726697a91

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
640KB

MD5
e4eb9c2a107da48f778bb2e0eebf2ae1

SHA1
8ff6b83272c34fba0c30e5c6e0b0e9e458de1d70

SHA256
b5c33116a299839cebfa1e1da052d73404c6bf55773e40b14ccc10e229a6afd0

SHA512
7eb014a3fd9af71550ddca689cf371f27d0702c90a85a9e8f2cdd583be3f5a1163cf5797852a04bb75bf7d7a10e8b2cf97f160c403f85a22caf12c29e0ae1f22

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
640KB

MD5
93d4e2ab2ff476ec009170970e3e12b6

SHA1
03b029a543874ce85f096c4b33256d8e4997a831

SHA256
197c7da2dfbecb98b5ca735e8ea9f352b4b00c61916190869d4824b70d7f5ddc

SHA512
4c8eaf941d0ea3b737f4538f906083e43c287b2bca3f72c7796a685231e4d89d0593fd1bd58492a926ace290863cbda56089c737185e5fb9237d573df47fc2a6

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
640KB

MD5
f818b3c3ce90e773e6f7b50de5f0a820

SHA1
8911e5b986f66108bea09db629981341469a351f

SHA256
c3441775c8e84a4f88ed1cadfb34d07d42571094947a6085c7be32a2f89ebe0c

SHA512
03d28273fa8d5f6e8dd0425e5bee6fe3b67a9475f3dde4b14207826bb550a6e635ac14efa219cb994ddb5de0c14a87f2c1d1e466a8bec5b5cb41b72e99f2882d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
640KB

MD5
6a834b65c91a4c53fc0e65ca393d0b26

SHA1
7e973d7a4761c510920eb34f620b8e44413640ec

SHA256
a8da34f0acd8add2eab0beeff335e532c97ae63132cab17254f3346c364cb439

SHA512
d2d266fa1375a31ee3d114465186d7140cee92991d768f5917b93ff3f2d2f553bfd5b701e9e9896c9a00cf384e4201059dad4e98090433c1c4ed18992d2c5d5a

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
640KB

MD5
3f28852ca69dde3ca28890d8a01429f1

SHA1
7a8baa794ffe515b6cd440561a5c7c60c8126ab6

SHA256
47f99492e5d4e5995090d1bbd8b1633fe2e01a55d5dc7ffd2895b5c40132ea65

SHA512
75caacea5e4884824a72cb3a547c2705351bcc41185a0b2a47c89d00b56446f9e8797e616c57fda591032edd5a6962dc7bedea0a7fd0207c842f7cf6f217707a

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
640KB

MD5
53f382a2a556d8aae3a9b7841e36f203

SHA1
13423131539a0bcc5768bd425b08a551d15d9ccd

SHA256
b0b4101aff2e6f45dd00a9370e5b511399dc11641423e944e1f5cae8e7ebfdb5

SHA512
e362ac40547da7a8e7eae325a5bbfbd334efc90aaa0f06a3296f411d92dcb48f69a880916f9986a81070ae91529c25f30c4b272e5e353ed9f71a5bb38459f69b

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
640KB

MD5
ff709092c8e1a1b70fc44ffd6d74dc50

SHA1
db1970cc4437f1da1b037dae99f02f4232a7a948

SHA256
3f215509765e264f6226a42efc4897301b71f1b1eaa833e108d21620f0eaec0d

SHA512
5ef682ba1d8d3fd31d1a5d6bc5fe6b84d30af295788b61ace61b8b6a73479b129572aa509703ddd4d68177eff3bdba1580c54c507e496b0e5d492cb0c90563e4

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
640KB

MD5
f43491a665de79462826648a4a261f27

SHA1
a1e33f65d142fe44424eed35a304f7b605d53060

SHA256
857c3f6210c6bac2901eee57ddc7550a51e10721366c3d98afe255f9f2191ebe

SHA512
ecbe34c0a40e02d12cc97e882886baa0f2e675f3e039f649be41054c2e6305d1f04dff77e35e969cc5ca2decb490f3c449564c9372ffb6d2450a33a228e635f3

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
640KB

MD5
0e2b1caafad2e0e3ff0d5b986ddc95dd

SHA1
65607b9b0c4f9d963eb7e2dac7060dcbf8e72296

SHA256
b092506cc84cdaab4ab8f1f081ba968177c9a2057ca986e4f241b25746a3d280

SHA512
9e46c1b515f9dcd8e83a1b2f6497937fe70211eede3673dcf18d3ba2f1e102236f06a36819525e23f2e740866712d627d3ccb61adcbedca3236118889258cb58

Download Submit
memory/760-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/844-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/980-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1020-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1216-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1336-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1652-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2496-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3292-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4020-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-506-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads