berbew | 82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc

Analysis

max time kernel
92s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe
Size

81KB
MD5

4ef693cb08e96110249e24240d0e817f
SHA1

ca35e4dc050560115af05cde7b8f676ce1daf9bd
SHA256

82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc
SHA512

8e63b6777ba4887c0082866ee8aeaafcbefb987bba1992b28d8fe3eeb4b66bce99599637d92182dc8d6ab5f11d1d33e0b8abe752bd8d607a6a664a1a5f0792a0
SSDEEP

1536:B9h/jIjKbEC72fVU2FYvoZtU+8ZnzF2WVV7m4LO++/+1m6KadhYxU33HX0r:1jMEJ2fVU2EoZtooWb/LrCimBaH8UH3M

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3368	Ofnckp32.exe
4868	Opdghh32.exe
4676	Ognpebpj.exe
2252	Onhhamgg.exe
760	Oqfdnhfk.exe
820	Ogpmjb32.exe
1320	Onjegled.exe
1088	Ocgmpccl.exe
1924	Ofeilobp.exe
1404	Pqknig32.exe
2100	Pgefeajb.exe
1440	Pjcbbmif.exe
3712	Pqmjog32.exe
3112	Pclgkb32.exe
2332	Pqpgdfnp.exe
3568	Pjhlml32.exe
5072	Pqbdjfln.exe
628	Pcppfaka.exe
4916	Pjjhbl32.exe
5036	Pnfdcjkg.exe
1300	Pgnilpah.exe
2680	Qnhahj32.exe
228	Qdbiedpa.exe
2560	Qjoankoi.exe
2412	Qmmnjfnl.exe
3728	Qgcbgo32.exe
792	Ampkof32.exe
3104	Adgbpc32.exe
1788	Ajckij32.exe
4612	Aclpap32.exe
1624	Aqppkd32.exe
5016	Afmhck32.exe
1720	Aabmqd32.exe
3296	Afoeiklb.exe
392	Aminee32.exe
4420	Aepefb32.exe
4016	Agoabn32.exe
1524	Bnhjohkb.exe
1008	Bebblb32.exe
4556	Bganhm32.exe
1168	Bnkgeg32.exe
3748	Baicac32.exe
1760	Bchomn32.exe
2344	Bjagjhnc.exe
4116	Balpgb32.exe
2244	Bcjlcn32.exe
536	Bmbplc32.exe
4012	Bclhhnca.exe
1996	Bjfaeh32.exe
2844	Bapiabak.exe
2640	Chjaol32.exe
872	Cjinkg32.exe
5000	Cenahpha.exe
944	Chmndlge.exe
2160	Cjkjpgfi.exe
4936	Ceqnmpfo.exe
3100	Cfbkeh32.exe
4856	Cmlcbbcj.exe
4256	Cagobalc.exe
2020	Cdfkolkf.exe
3352	Cfdhkhjj.exe
4540	Cajlhqjp.exe
2512	Chcddk32.exe
4288	Cjbpaf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1972	3004	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Onjegled.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3368	1100	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe	82
PID 1100 wrote to memory of 3368	1100	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe	82
PID 1100 wrote to memory of 3368	1100	82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe	82
PID 3368 wrote to memory of 4868	3368	Ofnckp32.exe	83
PID 3368 wrote to memory of 4868	3368	Ofnckp32.exe	83
PID 3368 wrote to memory of 4868	3368	Ofnckp32.exe	83
PID 4868 wrote to memory of 4676	4868	Opdghh32.exe	84
PID 4868 wrote to memory of 4676	4868	Opdghh32.exe	84
PID 4868 wrote to memory of 4676	4868	Opdghh32.exe	84
PID 4676 wrote to memory of 2252	4676	Ognpebpj.exe	85
PID 4676 wrote to memory of 2252	4676	Ognpebpj.exe	85
PID 4676 wrote to memory of 2252	4676	Ognpebpj.exe	85
PID 2252 wrote to memory of 760	2252	Onhhamgg.exe	86
PID 2252 wrote to memory of 760	2252	Onhhamgg.exe	86
PID 2252 wrote to memory of 760	2252	Onhhamgg.exe	86
PID 760 wrote to memory of 820	760	Oqfdnhfk.exe	87
PID 760 wrote to memory of 820	760	Oqfdnhfk.exe	87
PID 760 wrote to memory of 820	760	Oqfdnhfk.exe	87
PID 820 wrote to memory of 1320	820	Ogpmjb32.exe	88
PID 820 wrote to memory of 1320	820	Ogpmjb32.exe	88
PID 820 wrote to memory of 1320	820	Ogpmjb32.exe	88
PID 1320 wrote to memory of 1088	1320	Onjegled.exe	89
PID 1320 wrote to memory of 1088	1320	Onjegled.exe	89
PID 1320 wrote to memory of 1088	1320	Onjegled.exe	89
PID 1088 wrote to memory of 1924	1088	Ocgmpccl.exe	90
PID 1088 wrote to memory of 1924	1088	Ocgmpccl.exe	90
PID 1088 wrote to memory of 1924	1088	Ocgmpccl.exe	90
PID 1924 wrote to memory of 1404	1924	Ofeilobp.exe	91
PID 1924 wrote to memory of 1404	1924	Ofeilobp.exe	91
PID 1924 wrote to memory of 1404	1924	Ofeilobp.exe	91
PID 1404 wrote to memory of 2100	1404	Pqknig32.exe	92
PID 1404 wrote to memory of 2100	1404	Pqknig32.exe	92
PID 1404 wrote to memory of 2100	1404	Pqknig32.exe	92
PID 2100 wrote to memory of 1440	2100	Pgefeajb.exe	93
PID 2100 wrote to memory of 1440	2100	Pgefeajb.exe	93
PID 2100 wrote to memory of 1440	2100	Pgefeajb.exe	93
PID 1440 wrote to memory of 3712	1440	Pjcbbmif.exe	94
PID 1440 wrote to memory of 3712	1440	Pjcbbmif.exe	94
PID 1440 wrote to memory of 3712	1440	Pjcbbmif.exe	94
PID 3712 wrote to memory of 3112	3712	Pqmjog32.exe	95
PID 3712 wrote to memory of 3112	3712	Pqmjog32.exe	95
PID 3712 wrote to memory of 3112	3712	Pqmjog32.exe	95
PID 3112 wrote to memory of 2332	3112	Pclgkb32.exe	96
PID 3112 wrote to memory of 2332	3112	Pclgkb32.exe	96
PID 3112 wrote to memory of 2332	3112	Pclgkb32.exe	96
PID 2332 wrote to memory of 3568	2332	Pqpgdfnp.exe	97
PID 2332 wrote to memory of 3568	2332	Pqpgdfnp.exe	97
PID 2332 wrote to memory of 3568	2332	Pqpgdfnp.exe	97
PID 3568 wrote to memory of 5072	3568	Pjhlml32.exe	98
PID 3568 wrote to memory of 5072	3568	Pjhlml32.exe	98
PID 3568 wrote to memory of 5072	3568	Pjhlml32.exe	98
PID 5072 wrote to memory of 628	5072	Pqbdjfln.exe	99
PID 5072 wrote to memory of 628	5072	Pqbdjfln.exe	99
PID 5072 wrote to memory of 628	5072	Pqbdjfln.exe	99
PID 628 wrote to memory of 4916	628	Pcppfaka.exe	100
PID 628 wrote to memory of 4916	628	Pcppfaka.exe	100
PID 628 wrote to memory of 4916	628	Pcppfaka.exe	100
PID 4916 wrote to memory of 5036	4916	Pjjhbl32.exe	101
PID 4916 wrote to memory of 5036	4916	Pjjhbl32.exe	101
PID 4916 wrote to memory of 5036	4916	Pjjhbl32.exe	101
PID 5036 wrote to memory of 1300	5036	Pnfdcjkg.exe	102
PID 5036 wrote to memory of 1300	5036	Pnfdcjkg.exe	102
PID 5036 wrote to memory of 1300	5036	Pnfdcjkg.exe	102
PID 1300 wrote to memory of 2680	1300	Pgnilpah.exe	103

C:\Users\Admin\AppData\Local\Temp\82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe
"C:\Users\Admin\AppData\Local\Temp\82f0f011580652d66472e416da7c374d9b125b8746b3093f87083f60962912fc.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\SysWOW64\Ofnckp32.exe
  C:\Windows\system32\Ofnckp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\Opdghh32.exe
    C:\Windows\system32\Opdghh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\SysWOW64\Ognpebpj.exe
      C:\Windows\system32\Ognpebpj.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        34⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1708
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1952
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        77⤵
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 396
        82⤵
        Program crash
        
        PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3004 -ip 3004
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
81KB

MD5
fbec9e726ef90b3f2a9a1327f90e4439

SHA1
3af34f0e6f9de82f9378909738bd59dfba8d18bd

SHA256
9be0971de5936189b1178c5d33f10b8d552c97b34b4f5c29bc2fc87f81f70f3b

SHA512
d2f0e730bd03ecac06ec71526b3f216ede67bac0569172db65907518fb5b35dfbb07175e0332a914a4a647473fc7cc41b3d79fb81f1339cfb5449db62f5e3b22

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
81KB

MD5
6e311841a5dfd1490f449dc7ef82241c

SHA1
afb4b412918285645ff851225a75e5450adb82f2

SHA256
8830318fa63dd8755fd162412f4f5d415205f6b6ec2ec2349a14bcdd85715562

SHA512
a8f0cd2ae2e798efce777c242919b3add97b73940bc83d1763280427707826ad363c48ed56b1293c8b2490ecea32b63a0f8cdf23c9748c524f45eab57d20bacd

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
81KB

MD5
df68c3155fecabb952dc1245fd77fd71

SHA1
876dd4728724975578fcd1d63fa95cee8de45e4a

SHA256
68313165b8a844ade9fa60301341ae8f718b8ce433a33834a029336832bdc433

SHA512
8f9be0ade4b2289386c260241779066dab637e07be6606a356f8765d726a32326f57c766351bb36a787d5cee00dbe7a10ada4a427ab2766592e06adde184cd0f

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
81KB

MD5
8ca023eba8ecf3691d9479d358f2d148

SHA1
25b69f82c92bdcf745547ae41a43c559ba0aa128

SHA256
c6fe98804c42c784136d07ed3895e23d8760149b8c27157c857db63a350101ac

SHA512
ce8ba4bbc3a4d562f1f26a35c74f5dd0d33c060fb5eb6b94628837a38b0270419893d71dc5959ab2f75abfa67c32e266ecddbebb4edc1219c53f2e7d5176e4dc

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
81KB

MD5
65c7fdeed1f1c0682dfd2a2c27671e63

SHA1
a9ced135b97ad4822f46b179ea3e8496ee79d22d

SHA256
d2cb64a20d05c2f85c7876c86a21b30ed45eaf5fa1750e415ca9c60b434dbb3d

SHA512
2c05b3565437995105d7df2a9b87c5ea8c15b97a523f870bb7047178503f4f5f631b7a15e041d79bd08fca133041fee96b2f52f54ab4c963bbf94bd36dae9557

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
81KB

MD5
1e398c8ddd9073653b7d74bfb8f94c96

SHA1
760c4e8b25aaee97ecc07defb424ddbcb1b6c5d6

SHA256
cfffe5f188825cedf27aa764a58f8c9e7f3b96d2abc3b509e5c4d027536f9a73

SHA512
d69a60d7e04e564f2523b977e57f43d6477bda25884b04ce0fcde5e12c0c86222b6b82222e5b324d54130a8687e97a3459c9b937fee19224ce29d4930fe8f77c

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
81KB

MD5
d22d48a839101fb156aad8743d223198

SHA1
cd873e2c792c4ca4346ecd7ca2d69bef3f95e20c

SHA256
8b7a754f5a32db4cd8daf34014a28fe20e879450f85e352155f78194d2a47831

SHA512
81ab27e69ade5d5f727ad129cd589f2b262711ea40385dc50e046e7388603caa855fc929ccd00a2f7f6e9f861aa072768fa7be84a54e05406a82d2c16632e0e2

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
81KB

MD5
dc5608b9314b4e198abc55320880faeb

SHA1
587cea09652f36b39f9d4f250d435350e4368b14

SHA256
12158b94575e1760e5bf3f53714cdfe7d6ade18f30de80c3ce861f8ae547f5ca

SHA512
5a761301323ec07626816f820abfa65f9fb4fff4607bb84ba40662918adb95b11ab99be4e332684723e3e321d88dd23e3a5fae5fef2adb88991db92c5f9f6255

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
81KB

MD5
3f9eae663ced57891688f20c765d968f

SHA1
6283511041e2e323ada361d2297ee8781ff9c24b

SHA256
157c99490b0209b8c3744e26e8e2d32bb10f55ab5aa80920cd2abfc3f1864b30

SHA512
16558a18cb72bd53c8d6203e109c9f05237a58e7a38f4684fe7db5fc119536a443d95ffa8863ccaea85e37aa511d2ffb11d071c9975e8aa169b2bdff87ec97da

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
81KB

MD5
e57b9990bca1af610163292231f463f1

SHA1
5d3c246eac1be530b4207b5955b26689b685c629

SHA256
ec9f5059965e6ee10fe822f75e77b3421fbf8351ada0c714d36a1157f2721526

SHA512
639d424c15dc97cb192b1e124d8122890b3e3b648d044faa2e23a2805c5a21bfc40ed1190b28b650f87aaf972da247cb0fb7addfc8f1b5d57bfbc04e450054ba

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
81KB

MD5
e829c81ab3527c12cf20b8444f76ced5

SHA1
9878c1acfac2257fd78f4829e1f67ec3c8724cae

SHA256
43d5c1878c7c5f8bb3400a4ab6349ee929bfc98b6f4a24e51c22cb7499c640da

SHA512
542a6888fa7dd3f4e1c7ace9b3d16db8d68a200b10433a40466dbea60e9d3f9e35238d4376c69bb0f02ef80aae21898878d14a4ef91ecee716427de224388eed

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
81KB

MD5
048bc2a5537cd27e0b65e21e1df59d81

SHA1
af7b0f7ba33a75ee9f10362ecc7fff9deae446ab

SHA256
2f562c196aba2ea100bdf58d3742fea4f753af328e54295d893fd7938cb95559

SHA512
94b175b89f73d2ea6d1e188934f16a2fe3e67499d4ca8dbc08b796f0a3ec005bc312b486bc5f47850d360bec98ad5179747ff7f966a1d566193cfd3b6f39256b

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
81KB

MD5
1668d609ee22105df5bfdb52dd989e6a

SHA1
3be0475702a9e4b95676fbcf4c53a85b092cc631

SHA256
3c50e34fe54d8c6645b500fd097dc6a1cd60346900d88fde85c2f47d796036c6

SHA512
6e7a796277df94605667d063269d1360b9f87569da686b3a16169b9a64bc44bfebd02b620bd0ce0068c8f008888ce49f8f4eafb30af8c593915ae068a53d3646

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
81KB

MD5
30f3364eca692ccfdecf1f264a2866ac

SHA1
ba591dc427325e9ffd7f56535b6aef68c2199852

SHA256
a34dc7497ff750cce73047362b888d011b0fe7331e94df723fd01c06df291d04

SHA512
0128c5b08be038f52de1d418b5203cdcd7ffbb22bcb1ba29fd13d49c7c3d5d331c9b9b57f99a4447a87355e37e7d244b77a00e14a53c20531b3df440ca9769b3

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
81KB

MD5
299913a644f96bbcc44663ecc1cef45d

SHA1
f74f0e433844c34bc46699c4c863c6fc77513a73

SHA256
be9ef32033a4a5242f6cd686ec19acfd74542b48a9cd1863ab5244481de6af00

SHA512
bc4e0ea377cea7c4ffeed58f6b28971b9b0475fdaa64a97b61b33e179955f441107e750fbda843243039af9d09ad25ea6c1f6247f9cbfddb606beae2398183e1

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
81KB

MD5
40f5e6d9fdabae9fdc5d05483c667a89

SHA1
9582091741024b5c204859ceaa8f2a382a2957fb

SHA256
cd8fa6c58cd3da8f3fca5ec71a950e38cc439be5390ac1d722ff8e597068eb02

SHA512
c30930e9c3320bb9c30f3ec707a98a15beec36e067658149e88478fa2aa55dde38d8f02fd86857d789c18af208351b5d9f4ddfa6b760153a3d44cacf174621b1

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
81KB

MD5
f3dab4facd7a011e7fbeaca61f0ddf88

SHA1
de73e6b625dc7ad989be36334da633e2873ed61c

SHA256
a0c4a7ac106eb0fa03664c7967c84a0dbeb7fd19edd1f9cfb309c5f34c2162ff

SHA512
0cceb95429c146782215b419f7692aed4101f4407818623b56e5123f6d6b3a518581ec0d41b168382b55a22d7708b5fdb3bd1b8392f3fe9b164730a11096ee75

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
81KB

MD5
9b2cf826426c7516beab4eb53cc09967

SHA1
09bcfaccecc1e3b4879549e04d7d3d734f71bda9

SHA256
a4daaa38111bddfd44837e62de1269ae79ec41be6b9cedaa97ec6acaa9d28bbe

SHA512
1c6daa744bdcf2970f70c5f7fe2cf912bc08819dd51743b1638a56ec5ec0079b42508094edad87fbf1e5c2412e6c144b95e20d383f8904999f572401fcb00801

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
81KB

MD5
f78866cd98929f01403f067f67f0fb6b

SHA1
6b0fa2d4d6fe10b3368e01db649c9b2e6d790ba9

SHA256
61f462d1f75aeed6eac9d1e79b44ded1c7f73a2fdcef69e5712d8babd28fdff6

SHA512
933767ea158c276f28cf4181dca8049ae0c55e46d64f466e066ebbe277cb7fd4a588d7bc5f29a53ee7a5a4b924aeebb0d04ce433b3807a558837a224c1ebf45e

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
81KB

MD5
4f2c5768acd736b8f378065f8e78237a

SHA1
8f65fc18aa3fb06aef58b1a8f2b71a37ef3612c0

SHA256
146492e4771da5d84239cbd2373f880065f30c482538e6c4fb9a55831ef31792

SHA512
c74f5dd36d82638937db868eb1c4445ee7147110e699c293a085723aba080e70b94a4c13e9ac2b60f04b9b40dac9079ff598d0d5b5cd62f3c744a5cc1126fd31

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
81KB

MD5
4488e211898c0315b56108882e2b0139

SHA1
ab7ca8da6674b91622a00ed7356335cc3232b0c5

SHA256
683e61ddb629237e3d1fb95ba6e18f3946b6f54a9b7dad111a559c0ea3824374

SHA512
d2e5726396c291524135244ad88a9558da07188fb92e2f9cb946fc4e389b2981354359940213a95618a187ada70dc888280d2cebf38cb60312837309ec75fc0a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
81KB

MD5
94148da86371c56edaf715f137356fcd

SHA1
64d13f04fd2769e83e3c13ef7800dd05ffc87ffc

SHA256
ab49ba486b9c9af8a12eb92b8009c2de20436ee932b5c256dda83a2f592727e9

SHA512
0349d2e02051e8def26e22769869368e68721b029aef2e689001d7994c1b3c1c459bf90f22db3b70f6dd2af1d80ee4e088d6461874aa10b36e2700e166750120

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
81KB

MD5
06046abb7d6d438ff7621c250a2bc20f

SHA1
56c3c4d88911096e661bdcb64983a3489ffacb2a

SHA256
5e65dc38ee8a325bb7b8a763b6a3e5e12d9736e62d1ca7833231259b704c9deb

SHA512
2b5e63abad021ef031423682aeb98c93e6e202b30cf92cee964de35a2f6856e946ef6cd7f0a26f2b0d16dd42de02ac71855617263cd37b279623e0b924a84d66

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
81KB

MD5
6575bff04564adb4bc6f61787d343d6d

SHA1
82a46f832a329d2e260a821dacb24007ad9ed1fc

SHA256
bb8c2787b82cc15eb27a2d5635be8b334ed2d800196ffa2e4d41f3aa157847cc

SHA512
8afa0fa7553ac486fc3f60b1a6cd9e2fbae8668abdd63907c577a7d75c6ad7f7d90986cd4873acc7d1797757f7b6f9512611ea8eea96013b59dea2be9c4ddfbd

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
81KB

MD5
0cea64af2cbd2a016ac745afc315916b

SHA1
04c37b153e012ae9b7eae418f7923d24c72eac30

SHA256
85dabe6891362bf93fa7f7d422234330e9b5a152593a7db73ee384ec9175c4b1

SHA512
8a7e693aeaf0c008c7957a7850c0f2854cc493bcc72f319f96f613579fe18ec67ef9befc818e3bd124d15790f4329755fb5f5f43b49d5f51af7cd28582809159

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
81KB

MD5
f3eec09589c704f6d84146b3495fbb0f

SHA1
0b80ee2ece21c86afafcb322d85fdaccaf314cc1

SHA256
8db9b81b7528ddad43027cd0a445e53d3d4a5e6f7e5ee7e88e114cd6576f9cef

SHA512
9576ab64ee1a22faf8c6a4f03a3a9e91da2a5dbd6840356fc8ab7f42a4cb7ae17f271abad07eda5e21efb12e6c35c482f09ced7730f82bce67b40544622e4093

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
81KB

MD5
80d3bfe01f19f9a671c777c51c2eb71d

SHA1
e4cf0d5615d4ec1ad5c012aa26667a07b6b3033d

SHA256
5d3d208104626f805a85e4dcf6c45ad6e0da42a5020a6c7e65013298df72f2df

SHA512
da7751cc83449aee8ac7558576c6bc233439f2d933f4b0a0f3c0f0d9c193335a2a41f6563223f1ed704b2a2ac4e64e67cdf50e5cc4eae0dd6907da6ec5df7509

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
81KB

MD5
042906e21eb6a4df130a0da1f8583b66

SHA1
9a844b6d51ce7a8e91d754a587bb9a3d6f0fc9e4

SHA256
875c504542284d850489c79ffd7a38e58215b37224a8dae3e7d6d87e7c06da1d

SHA512
46153420f017786c97c6562b20f331e55045f609575a3bc68a95d3aac05d87f7a018687e5aa1de03c116eb8b2f467d4833abbdf0e37857427a544825e5956e44

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
81KB

MD5
62fbece2205d56f1b19bd7ce54a91a23

SHA1
f10cdbf209dd69e7c43f308e658ae2cccf9ea342

SHA256
60dc6c24d122d592b7430debbd763675427605d42d388370f1b01f3191861e02

SHA512
5db5f929ed1b6674e1d8cfc202bd46376ae08a0b40659cb2ba2e2d388b9940a603821d4ce2bee7df9884a84104c45891d73a49931be36dc5fdcf69bfcc83ca39

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
81KB

MD5
469c348da3aab588297454535a5ae2c1

SHA1
0d81e4e806ad0b22bef563a02d7f012c0efedd6e

SHA256
29c955308ca0e7864c93edce24b5d7c7e3627f9b083adc80940c2f3e53942226

SHA512
30428b3b2a97b54418bffb8586502f3471a12b648c183627f71400b42476c9f83a1543bdd20814b77f9cb9ba96916736abcecb583c075671c5f289ce56d17a12

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
81KB

MD5
f0755e5ce966d91bf83fd214e10fec27

SHA1
bb2567924ac30b003e527a6becd2c4527eb63655

SHA256
bf0ee337b62cef8742a68f3fe70533913e0936a4d8d5419c8cfd2913c336b664

SHA512
35df67447f8108b0c9c8168a5c01b4231483a6637b30db864913416b66734515e36f21e434f922e10091b117c089cad36923375d9efc2945f1d4e126e3247805

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
81KB

MD5
7aad0ef8f87e4732a1fc98d48b14322e

SHA1
c1159e138859a79cfe1f4acee13104872eb3f870

SHA256
be49fec3f4ccd152d58484723edc8993a3fbc1cc9091c87fc7dcca66c025a668

SHA512
bc77b2e05d6d6a3a202bc58784b3576048e955e2c513675bf72c3a326df3a50185d995d035bf9a3d5f3ef12bbddfbcc16495aa100463f3745ae242c49385b5ed

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
81KB

MD5
ddc282c4426a5bb3958f16fb41e7eb15

SHA1
080d8f303a8845167eb46d3b8c0e6bd118970938

SHA256
71f88be6b249fa267681a1ff926d003f4901e13e10ca2fd159cfc0f09e037b65

SHA512
8101dbf91922efba4c7edff2901b68d4cbf18d93b24f17dd4512cad7741c679676f400839d91a5d9df0fbe775e32ccb02acd8368a2d459dd0efa3b4b210cdbdc

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
81KB

MD5
5617ad37fe1373820185c9d60ac2347b

SHA1
404a7e817eb90c81cfbf63282a5d6e92e69de9b2

SHA256
9a1f5297e584d5a3a8a79cf825be39be29e311db1088514a07e6db319777a86b

SHA512
42a104323589891df502622bc2693c10a19868f3f44983ada33db9b16be619bf0acf6136c712dee67b650b7050fd94aa4990509f91eb36d94a06046662f8d21c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
81KB

MD5
6eb4764fd7f8ef584e618b0b80cb7b91

SHA1
2330ded1fa49136185afa303ac9ce4cdd78d46ea

SHA256
0702c2a07e9abb2ebd36da20bba423e375229fe094427638f31a0cf561868b9c

SHA512
4a17c05b99c51f48fed4d048b10aadbbbb5d0e31f72f6e1550053ee45b1db5c94ebe641c424e2af400d0825a96686ff4787013621a20b77a824c98fa33d8968e

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
81KB

MD5
c7a477ba2f0ad8a234ba66d037561eb4

SHA1
3eb47a207a0c219a12533d7a39e5c193483081be

SHA256
f62af037e1ac68616322dabbe1423b3325a36ec7c8f15cea6bf7c02b9d100a56

SHA512
64b71e560f801e3ebc4bfa9fdd683381031ef282ab79a2eb64e966e524999e4902745c5e0435f03d2177df177c8a54a0afee7114a816f5f7e2d5ec38325b0128

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
81KB

MD5
b7bb8a39b00b03992bc7871ee9b0cbfc

SHA1
5a7e9977ea6be2fc7eaaf04f2a6201ce2d186295

SHA256
80eba0df73240fd4fc06856974140ed5def1e92a0f6d8338838a378ac6a74d5f

SHA512
00401d3a683c9be7ef45904ee95ada8d37a3720a5bd92ab8e6472a332e3df187468d457950f2f0c2928041867450bc1ce28f7087b56e00d91fd757e135bb84f0

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
81KB

MD5
f5b00e47b3464583d5cf2617d050809a

SHA1
437ab506b420cdc9e8e33c395ab41074c8ddfd53

SHA256
5dd25c3f8caabaace99af11d995d9b9f851f739b0e063d31d69e75e33260dc3f

SHA512
7419e207019de83e39c27e4391dbc591c532a1fde51eb7c46edf7eb58e252db8276ad6d905bf345a6eca6aad91ba3ebae77ff07f2a47919fb1fa175edbf2950c

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
81KB

MD5
c5572e487edcd29f9cdc9d540b3435b4

SHA1
64f65dd403c093ca60b01d40e51f12ff13d3aa3a

SHA256
b0e07d8e31508b2e53a8af89545027f1fb8bf0b5617fa28e4529c83c958a1506

SHA512
34867dd5ada90f4a3f43ba54c90b2fef13c113203986e013919695dfa1a8dffa6dbf752191e5c448ec2707eaaa154062208cca03a5a6f8d641706e8c3e1a2082

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
81KB

MD5
a0573c46079409eb13417574c0fae8c2

SHA1
fc53d4a285a66c14c28bb70cf24d6b586e70f6dc

SHA256
8be1962fff370a43bfca43076388f14453b3f331abdcb8239e6376919f09017c

SHA512
650b85c608a38bfafa853c6406fcd873f40ef86a9157434c407c2790f42c83b4d7da9fc018e18d6d80b5780df08649ca2e27e015682a4243e15c22b6403db7a5

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
81KB

MD5
8e8292383521dd9286ea0209c50e871e

SHA1
57999b836a011e9501b8036fb3071e75a41de8a9

SHA256
07fe7ce217209431d053706c7d85555018d4956315bd5a4c00b2c4da8eed3568

SHA512
3a8e589b9fcc6a86cbed2b60e8e8a73e994b5119f1f650e57f181ca01a9b4f1c5936a8498ec1eacae1d4c5a131fa564f7ac52b600c29bc4b1123d8974e6338c7

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
81KB

MD5
311baec2c0c04130f54d665228ac4e21

SHA1
8c4c702a5008665d77c38d2e88c280b8c01334ae

SHA256
472a4f552e11e1d961d070cae2582a2976c34ecd9d8788f6d8bf597aac79d7b7

SHA512
7049526d6e441bb96bd3e590697b8ff393d008bddb065504d2801159076d8b18c1504858311f61ab448a62b366a6e57d46b6f3c42bd853ebef651d255d4c46df

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
81KB

MD5
ceab73221728b645a1c096b047addf8c

SHA1
93e5730c098b1c8c7fd076a642e910dee9d62b72

SHA256
cdb2b3f529515cb11f7020658730cdc705043d6510c7c1b96ebed7ddd537ee93

SHA512
684753595f76e1572850a8deaf5330fd06204a1acd3b9ce19a9a128fc7816227063719c69a74ed2c95d5a8ef555bad380d6cde5fa361e0056f6308a3ab78bc4b

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
81KB

MD5
b8d8b42a04463cc3f358594a8c846308

SHA1
63cdf414ce5a1902ad485af23b317889857c4d7a

SHA256
0a6583f7aefb353d24ae51a9cf90614f9a091ee460ad0dcca2f56ad04b0edce6

SHA512
346823e7ec7baae867abd5430ada9d603b2fab068d186e38613045f5ce349f1f2dac67c30f963c4bf37276ae6202908c2f952f9c8a88fc893a464598ff47b14c

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
81KB

MD5
61a6cb02d28d783e0b050dfd2a94d4a3

SHA1
83da664cb347e3c8cb81be7088673aaeeb927849

SHA256
00fe115131be79c0f09ebf86709eec752787a7e43f5db999a58e6db04b02ad89

SHA512
5e53e8f38844c33f4ebb3c3d16499773fccf768589c3ebc7417f602f4f895964154193ff5b4dea796b673e615b5aaba3ce21e28c5af5866461463cb4ee1e4bfe

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
81KB

MD5
836d7d6b10bb1bd9cb57421fd28538ea

SHA1
180e5dc655372beca0bbf4f5fe26cf0b94416f77

SHA256
56a950c4d1c126b09c7eadb3535bf72ac81f1c759b4b09d14ab3b9d14e9105cb

SHA512
390e338cfd81c58fbce01608a1f442752b369be31982fb97a153873d15892b1ccb43614ba913c619099c2870a3fc6e51d83042e3d31779c56f9698854589039b

Download Submit
memory/228-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/392-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-489-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/760-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/792-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/820-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1100-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1404-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1524-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-564-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1924-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3100-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3188-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3352-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3616-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4420-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4552-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4612-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5016-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads