berbew | 883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe
Size

296KB
MD5

a5465c1b9ca8da396894f86bbfb97667
SHA1

2c08c8c1a7df60940c611b4390c7feeba334ab2d
SHA256

883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e
SHA512

a159611ea59957a86cad7f01d4d9e582deea27a1ca93ccdfba71d9f210e8ab03f6504e9dcb2e323d274b0748be9ff327009c2055ccf55e2bb53fc7e952938818
SSDEEP

3072:xNF0jZzvGO43U0RHw4kS29j+JiuhYARA1+6NhZ6P0c9fpxg6pi:xjsZzvJ43U0RH8Hshh+NPKG6i

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1712	Npmagine.exe
2584	Nckndeni.exe
468	Olcbmj32.exe
2836	Oflgep32.exe
764	Olfobjbg.exe
2128	Ogkcpbam.exe
4700	Oneklm32.exe
4340	Ocbddc32.exe
2092	Onhhamgg.exe
4172	Odapnf32.exe
1228	Onjegled.exe
664	Ocgmpccl.exe
1492	Pdfjifjo.exe
4412	Pfhfan32.exe
1488	Pclgkb32.exe
2760	Pmdkch32.exe
1332	Pgioqq32.exe
3760	Pjhlml32.exe
2976	Pcppfaka.exe
832	Pnfdcjkg.exe
2580	Pcbmka32.exe
4220	Qnhahj32.exe
4548	Qdbiedpa.exe
464	Qjoankoi.exe
4864	Qcgffqei.exe
1580	Ajanck32.exe
3008	Adgbpc32.exe
5008	Ajckij32.exe
2884	Aqncedbp.exe
3472	Aeiofcji.exe
4252	Anadoi32.exe
4796	Acnlgp32.exe
4324	Aabmqd32.exe
3908	Aglemn32.exe
4356	Anfmjhmd.exe
3036	Aadifclh.exe
3800	Agoabn32.exe
1380	Bjmnoi32.exe
2860	Bmkjkd32.exe
3300	Bcebhoii.exe
3964	Bfdodjhm.exe
1692	Bjokdipf.exe
8	Baicac32.exe
3088	Bchomn32.exe
2088	Bjagjhnc.exe
4716	Balpgb32.exe
4612	Bfhhoi32.exe
4184	Bmbplc32.exe
5104	Beihma32.exe
628	Bhhdil32.exe
64	Bfkedibe.exe
2264	Bmemac32.exe
1584	Belebq32.exe
4240	Chjaol32.exe
544	Cndikf32.exe
3936	Cmgjgcgo.exe
4800	Cdabcm32.exe
2876	Cfpnph32.exe
2592	Cnffqf32.exe
400	Ceqnmpfo.exe
3124	Chokikeb.exe
1600	Cjmgfgdf.exe
3664	Cmlcbbcj.exe
4328	Cagobalc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gcgnkd32.dll	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Npmagine.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1776	4836	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ocbddc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1712	1448	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe	82
PID 1448 wrote to memory of 1712	1448	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe	82
PID 1448 wrote to memory of 1712	1448	883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe	82
PID 1712 wrote to memory of 2584	1712	Npmagine.exe	83
PID 1712 wrote to memory of 2584	1712	Npmagine.exe	83
PID 1712 wrote to memory of 2584	1712	Npmagine.exe	83
PID 2584 wrote to memory of 468	2584	Nckndeni.exe	84
PID 2584 wrote to memory of 468	2584	Nckndeni.exe	84
PID 2584 wrote to memory of 468	2584	Nckndeni.exe	84
PID 468 wrote to memory of 2836	468	Olcbmj32.exe	85
PID 468 wrote to memory of 2836	468	Olcbmj32.exe	85
PID 468 wrote to memory of 2836	468	Olcbmj32.exe	85
PID 2836 wrote to memory of 764	2836	Oflgep32.exe	86
PID 2836 wrote to memory of 764	2836	Oflgep32.exe	86
PID 2836 wrote to memory of 764	2836	Oflgep32.exe	86
PID 764 wrote to memory of 2128	764	Olfobjbg.exe	87
PID 764 wrote to memory of 2128	764	Olfobjbg.exe	87
PID 764 wrote to memory of 2128	764	Olfobjbg.exe	87
PID 2128 wrote to memory of 4700	2128	Ogkcpbam.exe	88
PID 2128 wrote to memory of 4700	2128	Ogkcpbam.exe	88
PID 2128 wrote to memory of 4700	2128	Ogkcpbam.exe	88
PID 4700 wrote to memory of 4340	4700	Oneklm32.exe	89
PID 4700 wrote to memory of 4340	4700	Oneklm32.exe	89
PID 4700 wrote to memory of 4340	4700	Oneklm32.exe	89
PID 4340 wrote to memory of 2092	4340	Ocbddc32.exe	90
PID 4340 wrote to memory of 2092	4340	Ocbddc32.exe	90
PID 4340 wrote to memory of 2092	4340	Ocbddc32.exe	90
PID 2092 wrote to memory of 4172	2092	Onhhamgg.exe	91
PID 2092 wrote to memory of 4172	2092	Onhhamgg.exe	91
PID 2092 wrote to memory of 4172	2092	Onhhamgg.exe	91
PID 4172 wrote to memory of 1228	4172	Odapnf32.exe	92
PID 4172 wrote to memory of 1228	4172	Odapnf32.exe	92
PID 4172 wrote to memory of 1228	4172	Odapnf32.exe	92
PID 1228 wrote to memory of 664	1228	Onjegled.exe	93
PID 1228 wrote to memory of 664	1228	Onjegled.exe	93
PID 1228 wrote to memory of 664	1228	Onjegled.exe	93
PID 664 wrote to memory of 1492	664	Ocgmpccl.exe	94
PID 664 wrote to memory of 1492	664	Ocgmpccl.exe	94
PID 664 wrote to memory of 1492	664	Ocgmpccl.exe	94
PID 1492 wrote to memory of 4412	1492	Pdfjifjo.exe	95
PID 1492 wrote to memory of 4412	1492	Pdfjifjo.exe	95
PID 1492 wrote to memory of 4412	1492	Pdfjifjo.exe	95
PID 4412 wrote to memory of 1488	4412	Pfhfan32.exe	96
PID 4412 wrote to memory of 1488	4412	Pfhfan32.exe	96
PID 4412 wrote to memory of 1488	4412	Pfhfan32.exe	96
PID 1488 wrote to memory of 2760	1488	Pclgkb32.exe	97
PID 1488 wrote to memory of 2760	1488	Pclgkb32.exe	97
PID 1488 wrote to memory of 2760	1488	Pclgkb32.exe	97
PID 2760 wrote to memory of 1332	2760	Pmdkch32.exe	98
PID 2760 wrote to memory of 1332	2760	Pmdkch32.exe	98
PID 2760 wrote to memory of 1332	2760	Pmdkch32.exe	98
PID 1332 wrote to memory of 3760	1332	Pgioqq32.exe	99
PID 1332 wrote to memory of 3760	1332	Pgioqq32.exe	99
PID 1332 wrote to memory of 3760	1332	Pgioqq32.exe	99
PID 3760 wrote to memory of 2976	3760	Pjhlml32.exe	100
PID 3760 wrote to memory of 2976	3760	Pjhlml32.exe	100
PID 3760 wrote to memory of 2976	3760	Pjhlml32.exe	100
PID 2976 wrote to memory of 832	2976	Pcppfaka.exe	101
PID 2976 wrote to memory of 832	2976	Pcppfaka.exe	101
PID 2976 wrote to memory of 832	2976	Pcppfaka.exe	101
PID 832 wrote to memory of 2580	832	Pnfdcjkg.exe	102
PID 832 wrote to memory of 2580	832	Pnfdcjkg.exe	102
PID 832 wrote to memory of 2580	832	Pnfdcjkg.exe	102
PID 2580 wrote to memory of 4220	2580	Pcbmka32.exe	103

C:\Users\Admin\AppData\Local\Temp\883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe
"C:\Users\Admin\AppData\Local\Temp\883ccb920d7afae9ad4a65c66fde8e12d55396edc9aa5e26f0cdeda8302bf96e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\Npmagine.exe
  C:\Windows\system32\Npmagine.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\Nckndeni.exe
    C:\Windows\system32\Nckndeni.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\Olcbmj32.exe
      C:\Windows\system32\Olcbmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4220
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        39⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 216
        86⤵
        Program crash
        
        PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4836 -ip 4836
1⤵
PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
296KB

MD5
af91a2f19681963af492398b78d8df0e

SHA1
75a90912135131ab50e41c88d42dc43bfdc3b367

SHA256
39adb07620302d9ea9c2a4e2fb45d14425a11cc7bcf02a4cff29d684f3552aa4

SHA512
6c711c0fb1e7d201ff64a8202f14c5b78e7ad99b3d14c8f26eefabbae42e02c7f820a8c71e088d311fa12f8657eb8bc8aca4e1ec64b8fbf0805fcddc6d310716

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
296KB

MD5
3915efd86449906de51ceb37a66de53f

SHA1
4fd003b927860eaad5562eed7d7cae917f1b0455

SHA256
a61b03b120dbe71bf12fd6117dfe919eaedb2600bfe33d29ef5b4b9146095707

SHA512
abcd9a6a1803eb36381c3ed9846b9fae196001adc438a6167243c3290968e4dabc941976262e8feb70b0555bcd1c95784a5db5eb538dfa2c20bbd8b186f2681c

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
296KB

MD5
87755cc07b3a38006e2be57c16f4c614

SHA1
e954fc0c2831ee8846e1a9dfa596110cdcd495d1

SHA256
10c8af1949c9e302eaa1807f66284fdb492103dde24d9020ea37be7e3110fada

SHA512
64a848cdca2313c0e706f40c8d4a7f3193ed7f84ee6ef45d405efd75bc11491425416296e0b27812bbd87d39da4886c022002ae67bb7bb7dbeb11a39b7101cdd

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
296KB

MD5
adb0a2104eb142d5226ec8291045f8cb

SHA1
07d007bde5811379a992208e7231c773278ee826

SHA256
9903b57ef055b6ad12b7ff3d640c0b4240489a99f456ab850ba72bfe28bf8380

SHA512
20538cfcad20a3a78189061044c26d6c0b72c6f781cccfd467fc9107d9a435ad6a80966a37c1a2c192c6b94dadebb3a0b9db89e70ac8e7500d82cfc17cc0bc51

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
296KB

MD5
24fd2647601b41ea612f21ad4a613052

SHA1
016f5e04e46ef56d3ed409c04cf11c371401f4c5

SHA256
947fc58d74687f5b2af01078db25778efcd0301878c4178f9d49cdbda6d40089

SHA512
4d7c0c55e73300941d0492484443af6ae23cf2263ea11d320fa1c9c4b712c2fe490d22ef7c526152123a36692c4dec5977a64d5f78c2279ade7134b9702e8166

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
296KB

MD5
6b82e2841a2e57f1871d58c9a6d64060

SHA1
c5b553e5dc024432e8a21644ccf00eb81a2a903b

SHA256
a163b78898535f9f79f46027c6b5d4df51d453f210a49de0962513cef7dab347

SHA512
b4992db86f993afaada8cffaebe8b87d243af6d97916b4236810bcc77d4a3e4fbb756fe28a74893985cc7e7dce6ca8809d9340b7445203cde46b937590e851ec

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
296KB

MD5
0c1902d4780588539c2a1ccec38b97f0

SHA1
249e6858523787aa5502566fdbcdc85b101ecde3

SHA256
f81d9f33955c5b180c1b71ee1caac949bbc6c8f062029ba5b56ccc9f56a26069

SHA512
8d29c7e4cb95203fdb5c6cc1e856b8c4e284cd48071ee521f9caa2e4fcab6192b6ec1bb1a0806a609eddbf733030fdb5ea89f5440fe14a726b4010575bffbdaa

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
296KB

MD5
8bbf2e2b2e8e39e9d52452d5c4607dfc

SHA1
aa177a725831220aa3abd20b8246547eef104af3

SHA256
cbac4a7e1c2c3892e67a77f46181350c803d5d33a7766211df4af41e72a94bd6

SHA512
beac55ccf80786212610b84cfc11c2e584976f7be7592f7c61631ba250d9667912d10d555fc1fa196213604f1c3d82e984c6367b4660ed617f4b039c19589138

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
296KB

MD5
2deabe49e8f43af24feaac0f4f272ee6

SHA1
24eb860662aaeb476a5760470a6a1dc389902971

SHA256
bc7438948e3d0080d834cc24ada09c716adda1049adc653eeba491969e681a10

SHA512
113e177a3c2f343dde1fe59ea4af600884650e50e1cd97995fc96d84181917d595b8cf4f7637f79bf9ea0ec43eacecaece2b80cb7426eb8b24736ab6f5f0c075

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
296KB

MD5
f93ce1a52b10fb9834f83d15be079a57

SHA1
eb8ef75e3500489481186c72fff4657d7e0abd3d

SHA256
833c9cedce96349adbdc8140f6823729a3598cc12af9cb898e1a65859d2ea4cd

SHA512
0ca03b5e5a229c50ecab4d45e25f89d1fd1a6a3cea08ed685aea95e4e88787360eb2d43ee82b142d416d1cb207a577da4ad756c952482ca5886b5e58159c7a94

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
296KB

MD5
d5ca03ac0675671858227de531762269

SHA1
4e144342e5805ddb991cf87bcb004f2b8dfaba0d

SHA256
607980b8138087dd2ccd51b2c6204dc668587834c2ca9c54726027ef2a1015d5

SHA512
963a1dc735d8ae5b49b8ceb1cf33858669c72a2ca870f2abfa35d89000fb520ebc73b9eb8147594de2beee6718121b84859ca485e6ec103ba64870aaf0c86b2a

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
296KB

MD5
96c3d83ba3847fd4d333f77dcb95fdda

SHA1
dca369e869be0018859e6da1f90ac10c224371c7

SHA256
5ea33ef1a65319171014d6b89850df0563f8651766eeef181d5bcbf696115225

SHA512
1658600eb59793baf3fd5a9a52e6c70c78033c566d24cba06fabdc0586e77b2cf7b3a202a61475e2e946c1ac5515fd64b46f96f1788dd8d01a515c72db25bee8

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
296KB

MD5
e0d2b90cc36f03c3c10c2eb3abef9a66

SHA1
33efecfe9b3afcbb194fc9e342b8149aa0720671

SHA256
a6f6228d62998f5aeffc3f30678362bff02029535be56ff8f0ac04ccb4897651

SHA512
a606a2b23f646eddd2d17430add43164a85d4b6cd2fc300d0ba17910d7e4d44cd5e829f16992d3421c458b348d3a0a01b119fcf817a86ccf689dc27d613ce592

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
296KB

MD5
45e57494a1e7dd441ae502fa0480b482

SHA1
a8f1934bfa0e0a9f541b6a6c6d4b4a89155a4fcd

SHA256
60f106927406f8afd5f7eaf7cac3af6f91122f0cd582202cad94113daed035d6

SHA512
ef13d0ceee25bfc6fcf981bc7a0fbad9c0b3a670169d0b8a31ef650b8adaa55c367080ecda8aeb00cfae4b43ab4cff081e3a234ee81e7594740220959430b9fb

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
296KB

MD5
a0894302467b380de1856226ce418323

SHA1
63f15a68075a953c19bc2ed192bd5d80d5d3e09f

SHA256
d77bded518bdfc95f00b8118ab4c2e0aee4a3518b4e619cc71afcfd107a117c2

SHA512
66ce4f69c26a16e65f5424e0a48a48788cc3846dc71b11e556ab7565d3f13b2a586ab00fdb9bd8d27eb229df63fcf65621c86cb6f6b39041b05180c34d35a491

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
296KB

MD5
ad5c45a1a6627ca0ead1215f211c584f

SHA1
e62c1f9fd4acc6c3156f07b3fdcc4d7b84b793dc

SHA256
488c27a9dddc3fc4158dc85e0d5b499416acf31dd076e6bc24c891a4f06f7ad3

SHA512
e7f82a8d508e915f365cdcec5d00f930322ccd421717837a44e29ef41c540cb7305af026f13b5ef9fd50859a7a461d929c3d2d5024bb719b19f6e10528ec11de

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
296KB

MD5
76c8a9033d8313824d7f72e0d412af18

SHA1
87421bcb76f9a2bdc0aeefce9becac343e0d1e7d

SHA256
d05e033c3edafaceb512acc524b538d55f52295e143d4fd6a2f7d1434ebbbeec

SHA512
b9500c3487e36e5a1aac29dfa3a71f7cb3990e3837fa0895e74dac9da1a2e61e0c61c1465ad0965d2a8d7dcb8c5b79b4d6b8f6a8a7c393818f2f8de8e37a310c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
296KB

MD5
49f35bd83480d12ce85d73496ac53d7e

SHA1
749b7d076973f39762a7c2012d0ca7b398f3377e

SHA256
a234a4b187987000717f784201b57a2c49469b360717b98fe2ca91327cca2d0d

SHA512
9c7ade2b46523b90c3fd9eb6acaad808e656f9015f8ada28e2cceb050498b0cef6a0ffe995b7ac9e0f6c18178516615cee474425b49d3cebdb45e652600f2ac2

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
296KB

MD5
0d7b5e365ca40cc499e29112beb873cd

SHA1
e5795ee50a2d51803d1b5fb6ccfd9c3d06cb842f

SHA256
c6d4df11b73b00ea49f882d4309c06032b76e70b17734bc689c740980b3b5ca2

SHA512
99eca476d7f8169da5c58e0186a3fc26af088165a7fae72ced0590a89945172bc1e8e559317608d23a4b078949fb409c2b3b0b3b5c989b40430b908bc4d14f3a

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
296KB

MD5
d39e68e168b83d7e72a53912a2f73304

SHA1
6e3997d833bebc2d5e1ac3976cc39cf925f96666

SHA256
2224acc88b3870b3fd5340157826013931eb0e0eaf79f1e95e4c221ec53df91d

SHA512
f51f07edb0bec6214e4743a148a1cd3967b06e71167253d8d3e221c2704105fdc260ec0062ee10bb8441f1bd7f220654140f9db4e57e2d471bff38d60d423176

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
296KB

MD5
342a3897d87f763824f3fa5840bdeedb

SHA1
8a3f6f90d1dd4003658f99419c0dabbb4543c712

SHA256
919af44cce97c01c60a4750d035be13cf908b1d9ab2548623411b6beed07949e

SHA512
d022bf45695e1aa4dd79b00bb6793ff83df3c1a38468739decd07c16c9a53a526c25fe0753a17b2637b7c8c509b003307423432749605a8674072d8cbc965479

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
296KB

MD5
f90eeb1976a3dd4b9db21021978f2313

SHA1
01a8d1658cccfde12f95a05586836ec61da16cd8

SHA256
31087ac0d4059c04d1ac55c8de9c3e328114e441dd1d72055d5be42bf79bfb4c

SHA512
fca760f3edbd49f0d729ed19e94c0c51666b83592e8bf8f15dcb8097554c3a8b1b14f537bd8b6b0da774c4c00af08860712a416590cae7cd4472cb5ffe5faebb

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
296KB

MD5
040f0bf555722351470b46fc5d08c7ba

SHA1
61474322ffddc7601f5d861193dd0227330d2af6

SHA256
f739d7f8b663454347435a148e8ec45d9f989fc9d8385307ce43dc40e623e7c5

SHA512
78792f0bf6d1f86907debf70c666cd59cbcdb2792b8fbdc3cb42935be73f98d77af14933f789837d32c232893fbde9293cf65fc20bc86c097f624177fd72809f

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
296KB

MD5
8264e5424af150704543950abc1db179

SHA1
853c3f316167434ecc4bf2ed6a996750b2762f30

SHA256
a5843bcda71fe1ea0de87fd1d2ec1c05bcc326c38ab42cbca8686feee343c145

SHA512
d1853f379841cd6845aa239f8734c3736deda782cf3555b24071dc79d9ba3c436f3c7a935cf4e2fa6615865f7f0e2b771aa50cdab01ce6285230501e99c555bd

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
296KB

MD5
3fef0efb1e95497d99dbb2f57614716b

SHA1
53e9c95dd02f294deada58a6f853eae28d9986e9

SHA256
024ab86a53458c1c65848b426af87e09a15bc083a8e80bfee1aa372bbf397f97

SHA512
99087652a1575970007481af1cfeb7bc9f44483c0e265d8b723fb017fd53c0595fbc28f3eb8978a7e265ad1cd350fd9e32a568febd60d40c0b6be2c59a585103

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
296KB

MD5
14a08eb4aa09a45a622f34d1947b6e5c

SHA1
5ab16eb73964b65260a1a3adb48b5aa027e25b93

SHA256
c5d36dfc77b3b4561557b4f070f2ee45374ec136857c98820f6f8634441fd371

SHA512
334fb74089131f93c00c03933166c95608660b23f49653327176472ec7fca58438814381f4991d2b3e277bea0c9ebcc9563690ac55298245b184c61cdce8812c

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
296KB

MD5
579b8ab69fc3903cc9daedb3975bf366

SHA1
17fdc3c001614ec48adf576c502d43d3d81fb89b

SHA256
93e948287a52a87bf52a8ed7b89be462cd98d543ee9bd734f8bd9f0089fafd42

SHA512
5d82d45b9803d0f8a57c9aa349b5c77f6eacd8f6ae8bb1d6c4c02a762485db2ba65ae225a50b5967dec54363cb473dd688a50167b006d18d8b5e6b17bbf64c73

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
296KB

MD5
68e8d32ae52af69843a202d7005834e8

SHA1
9dbd8571b9cdc7d350a8039b28f49f969ffc9acc

SHA256
a036c4f35a4062e04741f11c5533e053750f28921c886d3a9e9f75bab680bfb5

SHA512
1cd1611ba725abe3d254271de5df0e252d2b7a2849af0ea308bd11ecb993b6a4a2bd5d631433a5322d29de9217bcf96a0471cf06d6ecb6988ffbab7e3cbabba0

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
296KB

MD5
02de26638dc0fafbdb4ba79d1468b658

SHA1
331821a5dc16295c90896f03ce88a6a669ae1716

SHA256
194943b3ec13ca4ccb45351e9cf9826cf0398204a50d164913bd7189a0d2edfe

SHA512
a09255e55f8ca7d72e0d77db620317b929e33199dde2aa713e1c130769ed42631bb123c816ef07d790819b67513a07c8a486c8c780da42c7069553fcb941f6dd

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
296KB

MD5
de4f12e55a7d72615a640cf5c6b949cc

SHA1
0ccc93875b3e6d11f2a218ecb395ca9174b29fda

SHA256
04250e9a3c8f90a324cfd0ce2bff5291815170a6ea9b01f9c9488c85d73f16af

SHA512
30e2054cacf52716b10d51453aba29d162a9755c4d3e9eb9ea0d186266770ff888ba3dfda2d5a0b84910384c15bb1bccfab3a6468908b97836781fbc5e08aadf

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
296KB

MD5
6cbe8cef601e8de5ad130775e268b82a

SHA1
38ca4653cce0fb45cf3091d3d1b1dfa5a5f45fc9

SHA256
2a2548bf0db7b9bcb194e4f2db87cbd787176ade98cf8423d99a1cae646f0a8a

SHA512
60f0c9e176ec0dab16d3fb1de111ea28530854c76d2bf51e74ba41e1e7e1ed6043e643d8236b9892b0ae127e504a16efe3c3844c5109663b0df119498ab190d3

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
296KB

MD5
2915eaf52aa6b2a334471b4b60c69bee

SHA1
fc3a5dfa7162c871b8cd91f1b84cdd4a9cb7fe25

SHA256
ae76c66862a44d7c219a9502c72378bea530e3f6f9318b31fc4673e6bb94f723

SHA512
5f23acf946476e02bf3813dc98bc93f56990a1181f2b5104c87774e5f48702732ad74945e24fa405ea22ff0e21fdc4159d7b13c50075ebdc2ea743869f32dff0

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
296KB

MD5
29595808f7634692d3e78c72b3bc0a7b

SHA1
f0448a246a633c97b4a5944afd3ddfd63bd8ef0c

SHA256
31619c63ea4c8fbb642e19b89697328481d08b1dc8138eca8d4c9143a4e5de65

SHA512
0e34750f012c7138010f4817281dd0581285851a3fcfd0fd7ced585531f2beceb5cd68c78c969363608faf54e6f61c5aebc0b51c7dfc404054cef13d4fae3c26

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
296KB

MD5
ac016a2db64ab2e5310c78b60afdf16a

SHA1
70e97d9930ae596ebbd2c2ca4cef7ec6cfdfcbf8

SHA256
94707e9928a1d7bdc571e30cee1e2cf311e831efaf694d816581d98016bc1663

SHA512
4a68094d576b562d40e2179776cec84335bf5a911f2a5a0787ee7892533e43fbca5603badbf90ca2a72659d59accc6eca580f2c2daad613a8ea9719db6941464

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
296KB

MD5
bc7e9f4198cbffa3bdd6e5781aad9c43

SHA1
4c854f194c4a4ea42c8cbaec41c91b939f0d0647

SHA256
4d81e7551742ae59e563ddadb39218965a6bc2202c8738ebf125279ad7a25f20

SHA512
5ed34e0f19c12900fa5e3f1b40bb672a4ff1a5a0d4ecb75162bbd0913048fc10d3063bae61f6b611c91eea7aebe79c4ba005c07f3a6ed464b0b788782fdb8769

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
296KB

MD5
f8b09767597b08710a61b00bc1921c85

SHA1
a4aba2ba09d1dfee181e627dfb8dd1aba60ae054

SHA256
e40b4966f173d09b7c5888dbd28097d28f429e03226dce218e707da6b6396b45

SHA512
ec4a570691d900bbadbe097ba6bca9e300b61ecb7937a3d522054be382e911ba46baabc354a9af74ff151a29f70d9ac4945845f5f3d57e53476487fa82bed0da

Download Submit
C:\Windows\SysWOW64\Pkfhoiaf.dll

Filesize
7KB

MD5
f285f2bb2e0936eec85fa1b85c2f4692

SHA1
882b2ab6e86aab505da3e4ceef82e05221c46a37

SHA256
5ad04d173a2e1b7f371eae51a4e08d0c3a669c79211ad1a084c1d63cb920a133

SHA512
de05bab00b2dc8b622c3b5a7fa81f854c999a05149fb35ecb9167760c55fba649b4ed1ce9dfa2e90b9326597fb44ff1d37e9a467132fd5d4e8d2df64b2d0a0e4

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
296KB

MD5
6850539dbc6886a331db1bb35fa6291a

SHA1
ac943b141dbeda2d878e1491d4f5b831ccde1cb6

SHA256
f4dca935be5c6393f98487d1fe8b7d423c54d96fed4e73ced6d54d1ff7aa3848

SHA512
75964882a75efa23553f6e66a2f2cecedb0439fab7469e501f80da6329504beff2ba39d393a4b255196e213f81d90c3beac3136d37a2c8d0e285af1f631c76cb

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
296KB

MD5
105b311224124fba607482f045578442

SHA1
8b9420912dbe5bb895e3e66cb63bc13741020ed0

SHA256
4c8363a55ec0035c2c6fb3e073cf071fd2772fb3e51347fbf3761d5f5f9126f7

SHA512
7edc3dc47c374f4c60c06ef987dcd2fe69d0ebd7b8bb5f345f4c2deefa16d2b592d2c3c80324d6a8ba948a2c2fe105e9bb752a1d858191bcaa26a0f8ab15ac44

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
296KB

MD5
ca257efd547c53de3ecc0df35341da51

SHA1
586f00efeee020e78490aa245dd3966419d1c1ec

SHA256
8d7c285bc0b41c60b9599bc1ba6f309281a0e0e8366b2a1e5213dd5d1724c84e

SHA512
cd9405c98ca43ec3aa1bc87b4c026c17300e9d5b47776be6676f209357bbb01f1f56d72a41e8c5e93295783511f7c59b3ee7a1f0473b281ee04e452dafc332e3

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
296KB

MD5
0eb88f80f0c4336a4de657841e32ac18

SHA1
8672a40c87349d47a86a7e28945c809871069659

SHA256
da7b1d69b10d65d91952620fa2a5742eb2438bd36f15079132b39caad9ffc506

SHA512
8d5f95bdeca524d3b2ea9b7fe8b2f5655a26f41e7f1f9a272af3411673f88612f9f31a4b9acc45e63b65bb35a6c95ce038958523aa1b58525e5d432ed97e9990

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
296KB

MD5
96ba75003a6fa144588d954695450923

SHA1
82372db3f6495583d89ea82e495d3a8c5fd8fa58

SHA256
221c62abafc263c7db4488a021b2b5a3b6b0e6ee0f9c0277394ed21a7981ff1b

SHA512
7b6029808e260197b2b4953e966b9c64b60ebaf5c2266ffb2b33a839846c6e30f4c404ae118b66ae3b4ab1f151040966addcb1c40cb820de9499b8f7b5182f42

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
296KB

MD5
398d73d30d270e841c79b5430a9f3901

SHA1
ae47a281b7d2d4ba76c3781d63304f6b4ea960de

SHA256
2bbe5f7163e69c40d967e66a5cb6a5c3674596b8218e23ae0f34e50ac5719cea

SHA512
536ccee8122ee214037cb6ad80533c363a4d1f303cd3ebb3672bb0a4165911638dec2c99bfd1358709117ce8cd578d2804f2a47c6b8648e8c79520e96421c199

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
296KB

MD5
3424267362db755fd62e553736892de4

SHA1
7353e9e28579ac6f797bc081988bc7d76672e82b

SHA256
bd3ea2a085e747fcfdc15ad9c596d5e81b4696d856b14b5b9997fa37bfe167ea

SHA512
2c1b6a7c835c2e09dde57f0191cf725233477b1112ebff4ac2862497408d138f74626250f17591b1bed31e0202e2af2bc95337a88931eb4eed3f43b539464bb1

Download Submit
memory/8-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/64-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/468-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/664-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/720-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-584-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1380-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-604-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-588-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-556-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-596-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2092-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-597-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-601-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-598-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2580-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2592-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-608-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2884-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3008-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3124-605-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-577-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3304-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3416-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3432-599-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-606-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3800-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3908-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4184-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4220-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4324-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-603-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4700-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4716-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-602-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4796-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4800-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4836-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5008-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads