berbew | c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe
Size

74KB
MD5

d72c9fdfe2c4171dbf6f383bc57ae190
SHA1

cb4f95ae4c824a07db8362b6d7f4d81ed98ab45f
SHA256

c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409
SHA512

ce6d7c9bab2829c287b9b4784e743dc2ded678a1823fe3a07fe685ecc626ccee4bd09fe670f6e25919b489fdcd52ff6ce8786c3e7c8dcc3fe1d4611ec8153e51
SSDEEP

1536:w0zgzZynnmIvMTFhx7FrrHWigaMmEKda7jUzoTqNPx:9gzUnnsFHZ9EMdNp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3692	Ocbddc32.exe
4568	Ojllan32.exe
2488	Onhhamgg.exe
1828	Ocdqjceo.exe
452	Ofcmfodb.exe
2444	Onjegled.exe
3964	Oddmdf32.exe
3396	Ogbipa32.exe
1484	Ojaelm32.exe
2272	Pdfjifjo.exe
1400	Pgefeajb.exe
3224	Pnonbk32.exe
2188	Pmannhhj.exe
856	Pclgkb32.exe
2388	Pfjcgn32.exe
1492	Pmdkch32.exe
4800	Pcncpbmd.exe
636	Pflplnlg.exe
4520	Pqbdjfln.exe
2844	Pgllfp32.exe
5052	Pnfdcjkg.exe
2968	Pdpmpdbd.exe
4496	Pjmehkqk.exe
820	Qmkadgpo.exe
2296	Qfcfml32.exe
2208	Qqijje32.exe
2980	Qcgffqei.exe
4584	Anmjcieo.exe
4100	Ageolo32.exe
4356	Anogiicl.exe
3052	Agglboim.exe
408	Ajfhnjhq.exe
2852	Aeklkchg.exe
4032	Agjhgngj.exe
2952	Amgapeea.exe
1832	Acqimo32.exe
400	Ajkaii32.exe
2948	Aminee32.exe
1888	Aepefb32.exe
1540	Agoabn32.exe
1568	Bjmnoi32.exe
5064	Bmkjkd32.exe
3348	Bcebhoii.exe
3568	Bjokdipf.exe
920	Bmngqdpj.exe
4080	Bchomn32.exe
2060	Bffkij32.exe
4304	Bnmcjg32.exe
1152	Balpgb32.exe
2452	Bgehcmmm.exe
4928	Bjddphlq.exe
4816	Banllbdn.exe
2704	Bclhhnca.exe
1460	Bfkedibe.exe
4464	Bmemac32.exe
4308	Chjaol32.exe
4412	Cndikf32.exe
4072	Cabfga32.exe
3612	Cfpnph32.exe
3276	Cjkjpgfi.exe
5012	Cmiflbel.exe
4868	Chokikeb.exe
3068	Cjmgfgdf.exe
2664	Cmlcbbcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe
File created	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pflplnlg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2400	4204	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 3692	344	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe	84
PID 344 wrote to memory of 3692	344	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe	84
PID 344 wrote to memory of 3692	344	c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe	84
PID 3692 wrote to memory of 4568	3692	Ocbddc32.exe	85
PID 3692 wrote to memory of 4568	3692	Ocbddc32.exe	85
PID 3692 wrote to memory of 4568	3692	Ocbddc32.exe	85
PID 4568 wrote to memory of 2488	4568	Ojllan32.exe	86
PID 4568 wrote to memory of 2488	4568	Ojllan32.exe	86
PID 4568 wrote to memory of 2488	4568	Ojllan32.exe	86
PID 2488 wrote to memory of 1828	2488	Onhhamgg.exe	87
PID 2488 wrote to memory of 1828	2488	Onhhamgg.exe	87
PID 2488 wrote to memory of 1828	2488	Onhhamgg.exe	87
PID 1828 wrote to memory of 452	1828	Ocdqjceo.exe	89
PID 1828 wrote to memory of 452	1828	Ocdqjceo.exe	89
PID 1828 wrote to memory of 452	1828	Ocdqjceo.exe	89
PID 452 wrote to memory of 2444	452	Ofcmfodb.exe	90
PID 452 wrote to memory of 2444	452	Ofcmfodb.exe	90
PID 452 wrote to memory of 2444	452	Ofcmfodb.exe	90
PID 2444 wrote to memory of 3964	2444	Onjegled.exe	91
PID 2444 wrote to memory of 3964	2444	Onjegled.exe	91
PID 2444 wrote to memory of 3964	2444	Onjegled.exe	91
PID 3964 wrote to memory of 3396	3964	Oddmdf32.exe	92
PID 3964 wrote to memory of 3396	3964	Oddmdf32.exe	92
PID 3964 wrote to memory of 3396	3964	Oddmdf32.exe	92
PID 3396 wrote to memory of 1484	3396	Ogbipa32.exe	93
PID 3396 wrote to memory of 1484	3396	Ogbipa32.exe	93
PID 3396 wrote to memory of 1484	3396	Ogbipa32.exe	93
PID 1484 wrote to memory of 2272	1484	Ojaelm32.exe	94
PID 1484 wrote to memory of 2272	1484	Ojaelm32.exe	94
PID 1484 wrote to memory of 2272	1484	Ojaelm32.exe	94
PID 2272 wrote to memory of 1400	2272	Pdfjifjo.exe	95
PID 2272 wrote to memory of 1400	2272	Pdfjifjo.exe	95
PID 2272 wrote to memory of 1400	2272	Pdfjifjo.exe	95
PID 1400 wrote to memory of 3224	1400	Pgefeajb.exe	96
PID 1400 wrote to memory of 3224	1400	Pgefeajb.exe	96
PID 1400 wrote to memory of 3224	1400	Pgefeajb.exe	96
PID 3224 wrote to memory of 2188	3224	Pnonbk32.exe	98
PID 3224 wrote to memory of 2188	3224	Pnonbk32.exe	98
PID 3224 wrote to memory of 2188	3224	Pnonbk32.exe	98
PID 2188 wrote to memory of 856	2188	Pmannhhj.exe	99
PID 2188 wrote to memory of 856	2188	Pmannhhj.exe	99
PID 2188 wrote to memory of 856	2188	Pmannhhj.exe	99
PID 856 wrote to memory of 2388	856	Pclgkb32.exe	100
PID 856 wrote to memory of 2388	856	Pclgkb32.exe	100
PID 856 wrote to memory of 2388	856	Pclgkb32.exe	100
PID 2388 wrote to memory of 1492	2388	Pfjcgn32.exe	101
PID 2388 wrote to memory of 1492	2388	Pfjcgn32.exe	101
PID 2388 wrote to memory of 1492	2388	Pfjcgn32.exe	101
PID 1492 wrote to memory of 4800	1492	Pmdkch32.exe	102
PID 1492 wrote to memory of 4800	1492	Pmdkch32.exe	102
PID 1492 wrote to memory of 4800	1492	Pmdkch32.exe	102
PID 4800 wrote to memory of 636	4800	Pcncpbmd.exe	103
PID 4800 wrote to memory of 636	4800	Pcncpbmd.exe	103
PID 4800 wrote to memory of 636	4800	Pcncpbmd.exe	103
PID 636 wrote to memory of 4520	636	Pflplnlg.exe	104
PID 636 wrote to memory of 4520	636	Pflplnlg.exe	104
PID 636 wrote to memory of 4520	636	Pflplnlg.exe	104
PID 4520 wrote to memory of 2844	4520	Pqbdjfln.exe	105
PID 4520 wrote to memory of 2844	4520	Pqbdjfln.exe	105
PID 4520 wrote to memory of 2844	4520	Pqbdjfln.exe	105
PID 2844 wrote to memory of 5052	2844	Pgllfp32.exe	106
PID 2844 wrote to memory of 5052	2844	Pgllfp32.exe	106
PID 2844 wrote to memory of 5052	2844	Pgllfp32.exe	106
PID 5052 wrote to memory of 2968	5052	Pnfdcjkg.exe	107

C:\Users\Admin\AppData\Local\Temp\c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe
"C:\Users\Admin\AppData\Local\Temp\c18ab8a45e1e0a651cd69dc35cfc34d3f33cd89111876edb176d9bcaecb96409N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:344
- C:\Windows\SysWOW64\Ocbddc32.exe
  C:\Windows\system32\Ocbddc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Windows\SysWOW64\Ojllan32.exe
    C:\Windows\system32\Ojllan32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\Onhhamgg.exe
      C:\Windows\system32\Onhhamgg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        53⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        66⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:724
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        74⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        75⤵
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1640
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:684
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        83⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 416
        88⤵
        Program crash
        
        PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4204 -ip 4204
1⤵
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ageolo32.exe

Filesize
74KB

MD5
0b2241bb16f1720c2e94cdceff8aa49f

SHA1
132b049f1eef2672c05713a431f3e85934563c8c

SHA256
db04267c4398eda76878184f20ed1c36ef197d288bf6e2002a87da7aac40ccd8

SHA512
30f074343b5c4dae63f74febe796d79cdf08ea33308ff3298f02c1c8954ce9c45a6413d327952e944ff816cfeecb20f411c362f606c2ab2ae1170981f6bd1874

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
74KB

MD5
99a4952d223e1e3b87760125f6f5cb3b

SHA1
ae41711b4f93350dd84d3750a4e6bbbccfb7f7b4

SHA256
e27616a135641f31d3d7519fc2cc23b66e86ddd67587ff2587f1179d7ece233c

SHA512
a48be03f7050110ce044f57d19e0434352ac2e3bb637efcbf2728059c2fa702d7409efd8f38dd01de816251260478b4d9024180282006de8e38029de99cc576d

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
74KB

MD5
3e75a3082b57b5283a392764322383b0

SHA1
068cbfcad845c17e2b7494f522e4dd1606d00c72

SHA256
4d2fbad9f3f0d2e80335c0e5c9db0a565150254ba622614dc9806fc9389f0072

SHA512
19d7580aa25aca0b22b7fef41a79f5a3d5fdc3430d4e3fe4bcac5e090896ddb7333055018b67a91df2f1a53dca2ea4e2e239bf5ccc1d59227e44bf646186d6f6

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
74KB

MD5
5a134548f52fe75660dd669548651ffb

SHA1
0364871242f1dc5f227ea621c0ce4182df2f1cf2

SHA256
07fd41a2d4376969a4e86b63548250ef95bd9413c03a65a7eabc150920341b5b

SHA512
29982c4cf964561ca396cc3ae7d06ff02d0d03fbe13739e437ffa3b83e36191d44c0cae1fa489d18294b3fbb01345a24b8e78aa63a02df926187befd0e4d0412

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
74KB

MD5
d69338ace80b5a6d5cdeeae8a923415a

SHA1
68336a99ff65f3d7e1b9a820f95d704c436f8aa2

SHA256
6e6e8f0ce0b40f362a82da2dd91755e1a1d01bc45c41561eed162ec44d4235ac

SHA512
77ffab61111f330c5ea17f392ccad28ce922eeb17420a7fd2069c1f2cb5d9efcf2d664b5d6c13506e80fc9669eb651fc4d61957965785106aa81c0e238e700d5

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
74KB

MD5
9ef52a73ddfbbcd40d64896fa3aaa28e

SHA1
d4128016b62ca1d339c48cda3927ce5b6ebb64eb

SHA256
c827e31fb9a44ed519fe55ff66a211b9822395a1bb760afa6ae9d92dae7df005

SHA512
8f98891079b6d2255b7f86dfdef65aecd7b20efe448f1fa1415231312613ac25b28fa883e847f9b96fa4af23132d14b93cf2643423d5e001f137513e6fe600af

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
74KB

MD5
2463fbaf57a659232bfb0f90977830a8

SHA1
4f51fe67f7d241ed1b141b0c20704a24d9aa8562

SHA256
7b1172cd6d32d6bc33f05c879fce7b7fdf9eedc4a0760783abf3bc3e94d0c9df

SHA512
afd13d6e5e0138d7c1f2e217c404a8d7f6775d1701be599e6c21e1d609ee190889bf143bce71fe388477a6fa28006670588d3f09e8b2b12cc76acd7496207250

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
74KB

MD5
c1ccbebeb0229cc4a63fa210139da3f7

SHA1
704efc98b012ec9f0546fbfc540c87f914bc5b46

SHA256
d9e0791f36b61363de98671c981c325065f1d21411bee185acea9d2d02b0615f

SHA512
0dfc8da79cb48e84a3c6e5c29c755e1b47cf2f4f587858f2fbb2c60ba830e98ee04dec7a92d08a445501dccee76f923577a2d8c85ec962ca0adf4b625daeff23

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
74KB

MD5
581f8d26eb611ebc0aaaa5266fb3f28a

SHA1
bfb8f4039b3d5c15154b0a6572923a0744c94c04

SHA256
1801c9e57238d97f3b7605318568cfb86cf30649c839544c76f89dffaab759d2

SHA512
8a5553b9268e0fe43099816a593eddf9043599b8ab33e363003a955a5c3be73a5e28a33305f00760f6380ada8efa57245f6106dc83d5c7305bb9d270bf20bcb1

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
74KB

MD5
6352256e1fd59856dc18ab748a63e34d

SHA1
4ef2bfd531cf943857f9b6df6f1c4182168a0874

SHA256
c9e87d38ac1574b5d7d446ff1a2ba45a43c41586fad42f800829207d39d46875

SHA512
37102f71e012ac491b49f9faad802cf8a264a03af502b09d342bc8692ce9ebda590f8bd882e4d6bb9b63720711704e28007dc0c836c6ea6d1ccf492848c0d920

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
74KB

MD5
f3581b7ee5ccc125079307eaee29cabd

SHA1
112d41644dcc05c893823f3a36dd02596a7cbbeb

SHA256
6f42828069ca465a212e90d415efba3af070cbf8c6e604330d18747f812d11e1

SHA512
ed9b7cf7eb6064cf8aa8ea4932a2b2d428ea92d01627e9375fca927a2575183db9f12417442f35e2e07040da8e3534b4159ef56310e7534b81ba5f3a88d4fcdf

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
74KB

MD5
5183b6d85bf6ab05b8709f9287c708ac

SHA1
3a92577932c5a6216cd910bd91e0ff38afbe3f48

SHA256
37120a1b96f240925bf06c27d361c439dc89a449f363970dabc7dfbac00045f1

SHA512
a3eaf9014689df9edb3eed33dc77ea6a98da53c79329500fe05e308e002b7ae0bb9a6b9b32c1f96a995a59511703910a209f556210a9c9648ff96243de2cca39

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
868a2827b2c741c83cd70c0f5eaf12e4

SHA1
1cae3532ee99c02b5a5e5658ec2503b7d110669d

SHA256
7eb7272fa5476de872ae7f44f0ee5f2ce195bad1e0db605c6a2d6b335c2b1fa0

SHA512
fa2ce483663f11cfdc3df8fd955f51d5bf56b7a273643dbce143db6020f7cc59a97119ba772251901e3720ab7b3a26e42886b17d05a4e9fd0831b1ec076837c0

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
74KB

MD5
22fdc7aac7af5791f264e25f18c957e9

SHA1
f318f7bf56fb3346be683c7b9e0e8d4182871f51

SHA256
bb678f1257d60eb6c59371db6b7a36b866ce7129126bedf546d2b1963cbabc53

SHA512
2abb22c9a59fe395b136d5fdeb6c6504cf6e992fb15e6aca07f64270d16365c60d3a47ca979c6b4b083f0f7c3d1e258900ab89f56e17bca2139bfee1aa2b226e

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
74KB

MD5
6c06ed74a4c059c2af7e646f0c027d3c

SHA1
c5ce595f97ccfbf7d4b7c727f5c013ec1fca9906

SHA256
0c6201f2ca1a02806ac843f688c844f95db0021413cca57eccfa35c48337d1aa

SHA512
b72f65772d4068b0fe95f2d862f3908c591877c554bb5c62ba34834f075a653cd9ffacc7fcbd536f06518ca731350940bf55522293e131bc5a1444b87f8febbb

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
74KB

MD5
77cee7a08e5e4f534d7f9356e719ef57

SHA1
d6fc06cdd83dea93f682c0bf3c5786541b5f7181

SHA256
fb8854bb98bb2331f023107abf9450f5de48fd196a4cec7e595f94426903d19a

SHA512
917774aa5dfef24f0e5a8a674ae58bbe05a435cefb6906dd304bdca70918c59ad6bfc842adac74d6875fa16e2c32dae8f0f91468d4e9583b1eff02e61b6fa36a

Download Submit
C:\Windows\SysWOW64\Gcdmai32.dll

Filesize
7KB

MD5
e9a90f88bdf6884ab0a80ebed28f188b

SHA1
2e66609ee32f2f396fce557afe06727b978cda6c

SHA256
fa093e65445a46520fef9fc74654588044b89b72a3e82ae6df0e7a779cd5660b

SHA512
707315674a47b92be4039a71251605e792b60645dca372ed139a7ec27c333827aaab717380319bfc9bb05515ab224f9e0d7f6f33eddbaa06ab2aba1ff2ea2cde

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
74KB

MD5
9a44890539772c079b7ea4aa60ece705

SHA1
f2408e797d4d2ede74f6db93c4837b0757b47d85

SHA256
860727d9643e7e3515359e5a253b0d97e89258b378ca731a897aaa3a97ca83c0

SHA512
499c01e47edf1574a781bb56f904c2b9f193e5adfae8277cc38e45efe1aea9cafe9373718fee84017c3aca172aa7f57d4d50bae36ee35791eb97b089fe9062cc

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
74KB

MD5
0fd702b5420a3b37f645cd8c9fcc8543

SHA1
e4590581dd0ba6d4018c1d5b95bf2688f90fc016

SHA256
144e11021fdb193d2ab59d06c6e2558d1f9513f40ea248d909b7d7b725149516

SHA512
41fe450048b7550f17e5aaf9a11e2c13dbdce40bf7fa308edc7763ed61eebcbcb5cdcef551b7293e0c42c736ace3f58db00805378d21718f50f100a7e45d25a4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
74KB

MD5
c19bc71f860a70866b49908ce4df16f6

SHA1
eb9f19bd78f573ff9bc06abee09494e7c1b5bca5

SHA256
140ed158dc66e156f514f9e85e256a7ecbab1605e48056b441ba7ac9b39c7817

SHA512
84ca688bcfc3309223703f1616919530d094cd2cdd2e56e86320e489c2583b044684338a2fb05a42ee4dc63d935c22a2018b41f7c5e1be69a22e7412fd747dcc

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
74KB

MD5
0d2af252855865cebb451e820432d005

SHA1
b85d97999dedba93b4d9cdcfadc7cd2155d7fdaf

SHA256
6542ca285b5d48730649060202d6ae92eb6e893188ebd9402e3b06996efd3ecd

SHA512
8a6befdac222cb558880a90c3168216416ff3548503666caec303a408485b6ced7689e531f5607a0e8088005f6e49c9a6b0030246dffd86b293771974a6f77ad

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
74KB

MD5
73881604fb4cb01c1ee224265d3cdf1f

SHA1
cb997618cb5a6f0a93e8082d0974932ca4b6bcdb

SHA256
e7f18edbdc4a1545b6e57fa8b19c367aafd27a451f104b82240b9cf3df913113

SHA512
8a70239123dc0b89019e46915294739962835b2c36b5ade65ab563cbbbfae474876f13472bf6681efe80b85b1e190b5166d8be3e990e0f61001d0218929e0052

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
74KB

MD5
81e10cc7e6e3ac302a7da6507d53bcf8

SHA1
98e3d49292b276f528a0ae11a1a064f43f871c7a

SHA256
f57c4f6ca22faddfe6a0f047a21d82d695a4c115f6511d13033faa2f0011c7d0

SHA512
9376b44283fb1ebf84a3f910c09d702c7a91aeaceef788c1f3f5ccc480d062d7a85c96a681c53b2a65e089b6d6981cbf3ff90a4b394e91b6965510dce1d1397a

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
e0647bf26b3d2ca2cb289d87aca68e19

SHA1
f1b8a9760cebb17e16331f5f4131365a75d18915

SHA256
266704a25b99afc2fd37f44adde2ba8d595d29a9ae912288a896f3499e9cbe5b

SHA512
63a0eabe30d8efc40aa0d7c203c33d701fbd88b5ef554d0cb3576e6ae8bef3cdb73046e8fa0d4e8c5c9d4e8452c29f1fa341a55d5bf6791bbd1802b2a53873fc

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
74KB

MD5
b8c50462c0cc20c9c032ef4e461b276c

SHA1
29d2b74624a75fe196cef896ce64bc95ef342039

SHA256
4634e7c2d1a382b00c1432c264e01675de7b7d1a41e243b501336446d2a8cda6

SHA512
12c264b5d035e7938239ea08d74bf1a0490444c05e004ae589da378ec2a2e96fbe466c6df0716c12aec29d08627f7f8ecf229e0653228c9f82ceb27861f76392

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
74KB

MD5
38d3f36c5db79a922333c2338596c604

SHA1
842b770bb9e61a52b43650e452be8722e53a4f38

SHA256
358a2e774cdd2f21391257b851b3c1de8cb40226eb7e4e2803e93326642aa620

SHA512
55c6bcacba63c54ef47d4e7f1b69d933982952e3e57d35b889b3f5ca52f548e2c28319ad555a6c15ad80a9d2822964c73f67956fb988f2ace4453a5c730ee174

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
74KB

MD5
8cf091637ec2a10e332ecc8d6e1a076e

SHA1
29b300ef7ab994f580f85691005ebf9f1d645ba8

SHA256
1b959a787407dba63434075645f39b878c4c9752ad7de3abdc37fc919961894a

SHA512
405ba59d85c58a5949b5d6a7a5597c143f40c3fe609c61964ff558f9bb35a9dd01f0b07a5265bbc21c76c67875052b4e01b54a9536a5f3048da80264e1cfd67c

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
dc072247437cc8babb23c050e2fea4f7

SHA1
7cf0e9f8b9f440dd97386b2f34f5057ec7298f69

SHA256
7b2e65e493c328e5c4d7bbdf56eb7f20c46fe41d5d50b55ee0d2671a5ce7bdee

SHA512
b9af0affc83ebe19322b4046840e1364059f9cd23f8664f9822489889317e25f55ee8812547ea71fe3feaca643e0979052ded3fb881edd1822311b05041de20c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
74KB

MD5
b84decf6a2cd9420e76e8119065bd490

SHA1
976bec17d994019f58c3f0731310e09077a96b62

SHA256
dfb9338781f8ded67daf0b444ff406e571e91d51581480a9ea81adc3980c46e5

SHA512
7ebb99654e494b5b1738c90065a5a2099d9c62f3298b25db564f9f99dd08cbece72e5b4f04b637ca060a00d394557638c6c46a876d4b5a305fa5c8ca6f06684d

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
74KB

MD5
4ef4c3332455aec479ba210dbbaea75a

SHA1
27a6bb5a7cc623752e681a69998446af2a4b1b12

SHA256
25acafa600fd15bbdeef8025cb70d2c8cbcb0df18b90d7516d632310f3a1ab0f

SHA512
a3fea853168b878a14d5b7670e51f43df06dd4a4677f11b1047534fa5a3f9298a8c0ffd98fa281a8d4e9ddd3fd1669920738dd4787fb3e174926e426b29b9a18

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
74KB

MD5
ff471d305432dd551053440d35592b15

SHA1
c41df54b8a8d6e89895e85445ab206f0537b08f2

SHA256
0c13c0cb92e77a516b8f9c3618a4c733faad7c7d80609124f6d97b5fdfa1f3a6

SHA512
9a54603f7201e987ef7da3adb275bdf61205955b3a8be23fb3ee9881111e7863921bf533a4823d586020b4dbe8df83d17bed115ff9b61d80458db82d92fc93e6

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
74KB

MD5
0ae32326124ec0d84bbd02d7d8655e60

SHA1
09b690cc58f54a60a4f997f2a08b31fed421bfcd

SHA256
acf3e99f8fb0c670d77c4aae9b407333b7f8b46f56cb4c517f4a91368882c285

SHA512
9b049b8b42f958d1adaf03962959e6a99908b4238f5ffba8dd78d633179422e55632cebcff0ee96ae41538432d7fe81d903167d126e1df93a20c877f34916766

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
74KB

MD5
4d79385dc405d4d99ec67f61a9888533

SHA1
3ca15de3887b3263ef1a1d26f00c57796d9bc969

SHA256
d44328dfeb12852852f950d9ba5e05fe1b42786663d27e0a53cf89dfd0b27fae

SHA512
441c58dd860dc35a9b002d0bec05c012dfc1f49d27034e8135b787f9dc2181b7a41cfe188d6d6d66474f48f2b4f0579ae788b43c8c23860306a767c80eeaa2f4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
74KB

MD5
68a916ee0897395c07373247ed243102

SHA1
6a8bfa58c56ce6c2cc28d426d9c58806fce258c9

SHA256
013453430c49a4de49257b02aae2312b38591fede5b35264563102d073bf8590

SHA512
d5ac524744e36938b2c1103cae893db56914e4c5b76856ecafedae8b19db5f2ff2224354df911769da80e9f30f77c656b219d2cdac1bd110cff7314259726be4

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
74KB

MD5
98d2dba2955e88bef331eb2ff168d9e2

SHA1
f1109a1caeceee387a047b6df75b3ed7d7174ade

SHA256
2835bec04bd6184adba196a7627548343685f60c302765956b799125dfcf9caa

SHA512
255cf9f39d196d771f71bac7b0d1163984b1e4abf4ca896a21183abb9b6d03ebc1717697c729e3562a2e876c61dd21cd0b21e627c1eff30b1cd53053d980fcf2

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
9d5ae50c9835900ffccba05c49c5552c

SHA1
4c9fe1942a51453f42b5ccffd8a22e1783b9b3f3

SHA256
902c5c556054661c2f1148cfef824d6ce717626a5aecd62166729e7da77fa725

SHA512
11fcd75149bb06beb4cc394ab3229029f01de1265bd534809724cb30acb6d592804edb8a441dd9dab1b11a830261892aa59c5fdd29507c96dbb147737ccded23

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
4f1dbc555fd19b24d78941d2f192450e

SHA1
7844056d6f7fe01b742479003bf5d511f054a079

SHA256
4f04c7d216bbc20b9a6d539df997b15e50d115de710793c8d30c6bd295f9dc9f

SHA512
e43edd165650f414162c476f2e70003e215c8defec4aa88e7ea00ddbf50f4bf3dcd75c5d61b538de8ddf64527e40de8716941c193fbfc4572b287414dbeb11b0

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
74KB

MD5
68dd0a3ef7f505d33cbb00374c90f250

SHA1
dfec00dfa71dbbdfc635d547454ee190ad85adf4

SHA256
5368a3bd02e212b02c1f347d5032d0fe01c9bc8eb89dc56197472d7b1673f98c

SHA512
2ca681cc113d99ff4ede6ffc0395d89e12453c93aa0c2ea5d33cb6c80b72954a99cf43a222306641d990c99e7f425e2c38c3817a5dd1b5c762f540e7194d696c

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
74KB

MD5
fd0464f4558de584d343e5d2f08f90c1

SHA1
7e75cc7501357291882ee79c5a3c8e06d6d3b3f4

SHA256
30b7a3811fb0e8d157f6a380b455318e1727d8d9aa50a5c09e74f2f079dfc904

SHA512
ca92cda92fc6b6aea85d4d997553b8edc7a6317af2afc0e21958ea1fdfd44d465e207a4e7f2e648916f326715034306c556cb0a870c531341014dc3d1d3334c0

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
74KB

MD5
c58bee10ca233ecf20aa3d25eb53b073

SHA1
47cbfc96c1f1efa596ce55261cd8c68633924456

SHA256
0054136263be52f255fdae9d636383e0b19a39f9d2fbd5840465adc27cd36464

SHA512
4e6a43d7ae77eb8953355f652c77df9e4b3e6b204313853834be04ed7fa1257245aa2b136d54e3970748d802f6ae416e0f39c2fa21c296c98ac268a5952c50b6

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
74KB

MD5
cce6d820e326b6a439de1120363989ad

SHA1
2696e72c0ebfde457de95b0865178bfab5ba9d4c

SHA256
aa302447d763611761122f98ddb77d2f4a8df52daff4e344acab973ec23a2b67

SHA512
cb49a5d99348f4fbed50bb1a44f5dc4f53e865397ccfd2071f0223d94d7de1e5d7dffaa3383961d5ff680b6b2516663766426aea49cb35316bef25f15ccc3478

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
74KB

MD5
7fcc0916a9c384278017af940718e93e

SHA1
b72e4a912cf7c45a79bff48a63125750a59b36d3

SHA256
64fac53909ebefcf592f4aa30cb79a0402be1415bec919cfd946a8a509d8b779

SHA512
c525ba64b3d5e792a535a4f375b41f5d2375f91ae0c38656429b89c8e94b588dc5a70a052c540f2d2059b627625b8fab1473cf6f79ec47b3ce694ca0fd9c0fd1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
74KB

MD5
a1883b1707c54261c400c662d77980e5

SHA1
82a093639b44398189048688626609a1702a2bc0

SHA256
9454a9edf309bdc655ba9c15355c8a85db187135b3f58676e1186bc090fffc76

SHA512
0aa691bd7ee6080dabcab878532d59e07665a23d7d2708a3435df5cebe3998172844b4b98177a557bcc9189e7a6a444741ca03b467b0b619d4762a9b1796539b

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
74KB

MD5
34a716c347827861f147d71ad06af675

SHA1
8e611b0346158195390275d6053f86b70bf37bb2

SHA256
679cce50f62fb5670d44946d5a917c71619269e0a2313a36f2e57c161708769b

SHA512
58e1f3db8df250c01664087878b84de8eaffda55e245f45aece7a3795ce80abbef3c716087ad311f6b75178e7bc2249c4ec10560cd5879f48ec23f0da76ff9d0

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
74KB

MD5
54fd5ba8a7a5f6316bf9781065c7e02f

SHA1
149bbc807fae838ae891ef6f6cdec14bb727bf4b

SHA256
09efeb12f4e29a10a220e43e7aed65bea184765a91d046cf216137869c873c72

SHA512
43b261f44600bfb238e564c94f6a5cc85f33aaf43027f6d964cceed28c2e1ead5f08608aa5599827d6d536c8eae8c6942090dee86a9dfeb1009d54bdd482631a

Download Submit
memory/344-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/344-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/400-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/408-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/452-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/452-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/636-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/684-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/724-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/820-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/856-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/920-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-589-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1152-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1400-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1460-388-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1516-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1540-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1560-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1568-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1640-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1684-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1828-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1828-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1832-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1888-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2060-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2188-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2272-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2296-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2444-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2444-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2452-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2480-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-452-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2704-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2948-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2968-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2980-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3052-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3068-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3108-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3224-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3276-424-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3348-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3396-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3612-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3668-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3692-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3692-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3964-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4032-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4072-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4080-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4100-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4196-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4204-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4204-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4304-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4308-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4356-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4412-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4464-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4472-566-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4496-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4520-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4528-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4584-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4616-502-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4684-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4800-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4816-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4868-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4928-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5012-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5052-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5064-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5084-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads