berbew | 976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
Size

95KB
MD5

40156e298fdf800d5d0ee728d4a30fc9
SHA1

9d7ead5cce781bb1f3f12e36c4bf2d36b1e15bfc
SHA256

976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860
SHA512

3a6efbe89c63d3fdc47aa14e57d8cad58d91080f0d2aa1da41a91232e6e8cabfdf7db248539f79f6c58306aa4a3653b0d26bd69c5928092530aaff47a646214c
SSDEEP

1536:A5vlYtgBlRMzi4osASoynSch1/KGhtayAnhHc74QCRQrgRVRoRch1dROrwpOudRq:qhBlx4lAGhJKGhtayAhKrCeETWM1dQrr

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4356	Nckndeni.exe
456	Nnqbanmo.exe
1832	Odkjng32.exe
3236	Ocnjidkf.exe
768	Oncofm32.exe
1772	Opakbi32.exe
4476	Ogkcpbam.exe
2360	Oneklm32.exe
4544	Odocigqg.exe
4284	Ofqpqo32.exe
1176	Oqfdnhfk.exe
4292	Ogpmjb32.exe
2508	Ocgmpccl.exe
2272	Pnlaml32.exe
2472	Pcijeb32.exe
1028	Pmannhhj.exe
5036	Pggbkagp.exe
2176	Pnakhkol.exe
3564	Pqpgdfnp.exe
4724	Pgioqq32.exe
1672	Pflplnlg.exe
3320	Pncgmkmj.exe
5040	Pgllfp32.exe
3240	Pnfdcjkg.exe
1040	Pdpmpdbd.exe
2636	Pcbmka32.exe
2800	Pgnilpah.exe
2868	Pjmehkqk.exe
1736	Qmkadgpo.exe
1436	Qqfmde32.exe
1920	Qceiaa32.exe
4368	Qfcfml32.exe
516	Qjoankoi.exe
1796	Qmmnjfnl.exe
4696	Qqijje32.exe
4744	Qcgffqei.exe
1596	Qgcbgo32.exe
4564	Ajanck32.exe
3560	Anmjcieo.exe
2104	Ampkof32.exe
3764	Adgbpc32.exe
4488	Ageolo32.exe
3772	Ajckij32.exe
1564	Anogiicl.exe
3088	Ambgef32.exe
1000	Aeiofcji.exe
2856	Aclpap32.exe
1272	Afjlnk32.exe
748	Ajfhnjhq.exe
1560	Amddjegd.exe
4176	Aqppkd32.exe
1976	Acnlgp32.exe
3356	Afmhck32.exe
4976	Ajhddjfn.exe
4648	Amgapeea.exe
3012	Aabmqd32.exe
1256	Acqimo32.exe
4836	Aglemn32.exe
4540	Ajkaii32.exe
800	Anfmjhmd.exe
4440	Aadifclh.exe
4664	Aepefb32.exe
4036	Agoabn32.exe
4732	Bfabnjjp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Knfoif32.dll	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nckndeni.exe	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cnnlaehj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5148	4452	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqnjfo32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 4356	2276	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe	83
PID 2276 wrote to memory of 4356	2276	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe	83
PID 2276 wrote to memory of 4356	2276	976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe	83
PID 4356 wrote to memory of 456	4356	Nckndeni.exe	84
PID 4356 wrote to memory of 456	4356	Nckndeni.exe	84
PID 4356 wrote to memory of 456	4356	Nckndeni.exe	84
PID 456 wrote to memory of 1832	456	Nnqbanmo.exe	85
PID 456 wrote to memory of 1832	456	Nnqbanmo.exe	85
PID 456 wrote to memory of 1832	456	Nnqbanmo.exe	85
PID 1832 wrote to memory of 3236	1832	Odkjng32.exe	86
PID 1832 wrote to memory of 3236	1832	Odkjng32.exe	86
PID 1832 wrote to memory of 3236	1832	Odkjng32.exe	86
PID 3236 wrote to memory of 768	3236	Ocnjidkf.exe	87
PID 3236 wrote to memory of 768	3236	Ocnjidkf.exe	87
PID 3236 wrote to memory of 768	3236	Ocnjidkf.exe	87
PID 768 wrote to memory of 1772	768	Oncofm32.exe	88
PID 768 wrote to memory of 1772	768	Oncofm32.exe	88
PID 768 wrote to memory of 1772	768	Oncofm32.exe	88
PID 1772 wrote to memory of 4476	1772	Opakbi32.exe	89
PID 1772 wrote to memory of 4476	1772	Opakbi32.exe	89
PID 1772 wrote to memory of 4476	1772	Opakbi32.exe	89
PID 4476 wrote to memory of 2360	4476	Ogkcpbam.exe	90
PID 4476 wrote to memory of 2360	4476	Ogkcpbam.exe	90
PID 4476 wrote to memory of 2360	4476	Ogkcpbam.exe	90
PID 2360 wrote to memory of 4544	2360	Oneklm32.exe	91
PID 2360 wrote to memory of 4544	2360	Oneklm32.exe	91
PID 2360 wrote to memory of 4544	2360	Oneklm32.exe	91
PID 4544 wrote to memory of 4284	4544	Odocigqg.exe	92
PID 4544 wrote to memory of 4284	4544	Odocigqg.exe	92
PID 4544 wrote to memory of 4284	4544	Odocigqg.exe	92
PID 4284 wrote to memory of 1176	4284	Ofqpqo32.exe	93
PID 4284 wrote to memory of 1176	4284	Ofqpqo32.exe	93
PID 4284 wrote to memory of 1176	4284	Ofqpqo32.exe	93
PID 1176 wrote to memory of 4292	1176	Oqfdnhfk.exe	94
PID 1176 wrote to memory of 4292	1176	Oqfdnhfk.exe	94
PID 1176 wrote to memory of 4292	1176	Oqfdnhfk.exe	94
PID 4292 wrote to memory of 2508	4292	Ogpmjb32.exe	95
PID 4292 wrote to memory of 2508	4292	Ogpmjb32.exe	95
PID 4292 wrote to memory of 2508	4292	Ogpmjb32.exe	95
PID 2508 wrote to memory of 2272	2508	Ocgmpccl.exe	96
PID 2508 wrote to memory of 2272	2508	Ocgmpccl.exe	96
PID 2508 wrote to memory of 2272	2508	Ocgmpccl.exe	96
PID 2272 wrote to memory of 2472	2272	Pnlaml32.exe	97
PID 2272 wrote to memory of 2472	2272	Pnlaml32.exe	97
PID 2272 wrote to memory of 2472	2272	Pnlaml32.exe	97
PID 2472 wrote to memory of 1028	2472	Pcijeb32.exe	98
PID 2472 wrote to memory of 1028	2472	Pcijeb32.exe	98
PID 2472 wrote to memory of 1028	2472	Pcijeb32.exe	98
PID 1028 wrote to memory of 5036	1028	Pmannhhj.exe	99
PID 1028 wrote to memory of 5036	1028	Pmannhhj.exe	99
PID 1028 wrote to memory of 5036	1028	Pmannhhj.exe	99
PID 5036 wrote to memory of 2176	5036	Pggbkagp.exe	100
PID 5036 wrote to memory of 2176	5036	Pggbkagp.exe	100
PID 5036 wrote to memory of 2176	5036	Pggbkagp.exe	100
PID 2176 wrote to memory of 3564	2176	Pnakhkol.exe	101
PID 2176 wrote to memory of 3564	2176	Pnakhkol.exe	101
PID 2176 wrote to memory of 3564	2176	Pnakhkol.exe	101
PID 3564 wrote to memory of 4724	3564	Pqpgdfnp.exe	102
PID 3564 wrote to memory of 4724	3564	Pqpgdfnp.exe	102
PID 3564 wrote to memory of 4724	3564	Pqpgdfnp.exe	102
PID 4724 wrote to memory of 1672	4724	Pgioqq32.exe	103
PID 4724 wrote to memory of 1672	4724	Pgioqq32.exe	103
PID 4724 wrote to memory of 1672	4724	Pgioqq32.exe	103
PID 1672 wrote to memory of 3320	1672	Pflplnlg.exe	104

C:\Users\Admin\AppData\Local\Temp\976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe
"C:\Users\Admin\AppData\Local\Temp\976f44459d6c685fa963df6a300f9dff22eb2a4bff19871f35a21e9f4da2f860.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\Nckndeni.exe
  C:\Windows\system32\Nckndeni.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\Nnqbanmo.exe
    C:\Windows\system32\Nnqbanmo.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\SysWOW64\Odkjng32.exe
      C:\Windows\system32\Odkjng32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3236
      - C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1436
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        69⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        71⤵
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        74⤵
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1340
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        80⤵
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        83⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        84⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        86⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        89⤵
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        94⤵
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 416
        102⤵
        Program crash
        
        PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4452 -ip 4452
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
95KB

MD5
8781d79a14e8375a0e6e161479229dc4

SHA1
5fd313a3f866ff291cf261d0bad320dc1ddc8cdc

SHA256
0081ba0bc4c2099bd36e46ab8cffaa9e9539f7a0d8e287367b345f5148d2c3cc

SHA512
376d719d1caca6b3bba0f0ed2f85e5420b83127dfe2125e9c03738d158ac97c0915331aa3dcc0d98fa8e9684202315c22012c6ef2be81ff58291d67ee7feddc3

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
95KB

MD5
88c0fc34d596f5946f4642a75b33b9a9

SHA1
289ef7d3678e4e9c5030ab87ddb71785da4a9b67

SHA256
7e50d8fc6358861ec6d3086165a38db7d0cfce0ce64de84f90035904d4f6a7c7

SHA512
f102347eabafa8757c81d9f013a7ad23fd6eb316ca1e8f1010ce15c00e87e2f13c18995f9895f2627cbe91ca08a7336e81c002302b63b6cce59ad0c2c6d277a0

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
95KB

MD5
bd1dad67a8263ef80e130577ed87f983

SHA1
6272c56b22a26e3b503de29f871e82a02ec29bda

SHA256
6ac2db95888e83f3f2e0067ae278b77f8196be513636d98f363d34ec7aee2e51

SHA512
5b369ee9f3b6e56346076891cf2fdd2f11c8fa7fcf6f157857fc466de591eaf0d7a7a5eacae6db33826645fc2910bfd3462d5e10872bdeb7a88dbef2e03b87dd

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
95KB

MD5
d5832c49afa5dff1fe7adff619ec9e70

SHA1
f76def8f8e760a0ab6b241d1078bd7879abb8c90

SHA256
03950d179de36697ff3dfcda1d7dc239e08b819db60d666dd9f3c2495747fd0b

SHA512
45c1967b65a0dbc91833dc90a8c9ef953655cff3b51274d7a591336e4359352b9ce6958829a7091cf3f5d8ffe7b458444c39b7e32b5bdffc45f95df1558fd8fd

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
95KB

MD5
4415f0c7e7a9fbcdbb8f6e0ff3424a7f

SHA1
b6f774cf26096c037adb319435f00ddbd74950db

SHA256
747a5f535d8b78d1fd06bf4f13526030837f0c1241d6d06986a46b7aeded1ef6

SHA512
f3d63b2094adee4b0e1153c2d98ab3c109d6099250e2bccacee8899cd95384f7b152d9c98b4aaf03708aec0fafaf01395020baf004893cc552ff71576d89cc90

Download Submit
C:\Windows\SysWOW64\Knfoif32.dll

Filesize
7KB

MD5
1fe00e1c959c2086f5f71338513af25a

SHA1
e8874b9004d5a9baed510c917508cacc0cbdb05b

SHA256
991b307ef210abddf1b7c74addbf5e20091f0207b6809e7c7057640c7acdabfd

SHA512
94879602312862298ca89872f1e52f0da74ed7a87fde5354ed5c11137f985677eb08979cdd0a7c8d17186a7e4b2501eb0a37645b8405b16e57d877568a88518c

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
95KB

MD5
b4dd36449aa66e9b3c156c7b930e0691

SHA1
d254c262babaa25f4529baddfc1201206738dca1

SHA256
bc7d744d62567ff06099c05fcfa99b48ef183624477d6a6b2d409ab34d603519

SHA512
323fee85919ec4b35335c91b329bb68f79cb30122b84cfa327415a5e30308efbae8891cd51151ff2632ac1cf167b8084948a9d22cca22ed3833b63a562674fc5

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
95KB

MD5
83711d637325d233a64363780015acc7

SHA1
5535e2de016b537c480e8914e397715d701bb8e2

SHA256
5ca8c00e74820bc6067993f4f377a694c7f2aab3f6656bf99de5b87c270b80c2

SHA512
e8bb7c4a669830dcfa8f5272a15131b233535da963f46ce19de25819c1964047a4ef34ba774699831b334405fe4fbaed3b657ce1fc170dd903909ef3f1104ae4

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
95KB

MD5
90a5e13cd4cc0514a7876fedf614b6bb

SHA1
a62437ee73b7eb50aa05655ee2d98dcd8f41432f

SHA256
f14dc3312b08963ce6ecf5203cb145c492d11799b82d64e2070fa0786be1e3ed

SHA512
e59d8ee96f1804da0bc3b6fe11c84be1fe98b699e271d05b453f28a6d78152f99355e9bbde6572531cd4a715ee561d3ad6be5c05f0a5bd1bf1382ec99b5f93e9

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
95KB

MD5
850304e3ff0c9686e3a5503aaa60fc54

SHA1
c0c31e519e0f972b20056ed6f937706683fac153

SHA256
4e1215f08d3d2de89f9f9e45bc4b1c68ac72542b8bda0ad7dc93e2786be045e2

SHA512
b682ea6365ac6f6c281f8536c4770dd2a68a841d51f0d6f23f610e00b3669fcbe810794a951d3702b1322540dad88c0b8fd7c9431f0ec792e56bb63cd4e4d466

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
95KB

MD5
dbc4c06c89bde5187cff356c2e1e022f

SHA1
688649f21bd02a7fbfb83f57acec5c3b56d4dcdd

SHA256
262b06371909d36d11429cec01dbd8288aa0cc9a715722c3b1b90d31b3e2fc24

SHA512
80f0ca1c6370a2332a00926bb9e580b1eca972494176dee99992b9acb7d84dcb61f306aab130690eaa9c4214ef153176e3e4639bc5bf50964e6b1e6fd2626078

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
95KB

MD5
be4413146aa2aa44ef2dd15593a44899

SHA1
93710cd85083016c2b20de18ef42e9ed062e17ea

SHA256
1bffe9dfb9962252becaad71027af85ccb42b059cfe4959e1709be75bec0f49f

SHA512
3a99ddd6b40b6bd051a84e47818cfd5ca7ef2fdc16a967804c74c00572f77a098aa90feb2d2830465b34dd01704dae2cd0b414fb145603c10a600b961dc671e7

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
95KB

MD5
e1b10f2199e38886469d463d90b11b8b

SHA1
bfc216fe17be4255c33111da2adb141271f87d54

SHA256
85206b6a9d9cabb0654830e4e2362f874c20d9c00a3f97d5803de8373a6d8101

SHA512
fe7832156a399cd3dbbbf0e5d1e05e1eb288de94d11d6f0cd141278330e3535714b499ce5b440c5429d489bba0338c3229adfee51dd6c0021eeaabf5e95f7a54

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
95KB

MD5
7748cd6635d21f50e4c32e328c9bcc9b

SHA1
f8723ece8f8b93ef1d430f28527793d78cff687f

SHA256
590c247679b6befc1dbc40874191a9773974132c2535ae92cb61674480891f66

SHA512
64cb9f66ac90abaa276952048468d439343ee3bcb338802c48ccd42c971545599454cc5913d5b6caa9e3fa4943a3f00fb511c9b160f788f4bb78f8f37d42d157

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
95KB

MD5
e011e5f909088506314241b4c63a914d

SHA1
8980e4a4dc81ea9106d395ff00553217c30de5dc

SHA256
5dc5428e0ab542cd33f511ab1b4a1b54dccea69c2bcfc94ffa06b320fb775685

SHA512
bd4989e618eacbb3e5a17ab96124fbc6283ee40c8e69dbd6bc3893d8edb27bc5c7d09ac4d1f5f3f816ea5dbd768639c796661b20c11c8eb53ae7d354468897f9

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
95KB

MD5
f887b560913dac1571f540e348bf6f37

SHA1
9a312c8b977f3fef41c5ac7baa52c57780b7e79f

SHA256
caebded6e27f84461a5a91da85c928e0c50d4da877b448d1b60893de99c7feed

SHA512
208f01342d58d5fb4c1d754253db9fb5dcb705294164b4f92d89af345d96ee7c75e86351fa8830981727d1fd9bfcbaaa39af345dd52e3183d0be8e13cf71570a

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
95KB

MD5
4001d496b3e3c14ecf2f7b77076c0b58

SHA1
f2f16efc1a930a339f7490a394f48195bc03d6fa

SHA256
a0b3e34c77ddc98997feb221b26b36b95e474b085231a0f6ee4bba13f7695796

SHA512
271fc6f72a0c5eb8ea4b70342558039f286855b71a79e620ee32a8977a6eb8bd09d85310f4c812a7b12f2e7e145c754216d1e0f978a998a9ad8e63e208505ccf

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
95KB

MD5
9345b666eae7ccc48016f42c4bb26693

SHA1
fbdeb2149b10195bcb623736663415746b77d6ad

SHA256
549d60c07bfdc0d56fb038849130b70ee2f3fbf6104b5548f021422d521a4c1e

SHA512
29fafb4c06117604a8bce0cd17c1d528da6bcc0b44eafd32398a9db5c290efefdf4b3fffc9addec7e7784377a10bde3937b66f783b1564f6bba60600c255cce3

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
95KB

MD5
fe940f7a1468e369fac7d488dbf10f0f

SHA1
ff1720c781a8ac54c2db324f9e26c3dadb7b8f38

SHA256
391562b3be643e01b9a3f4d7022bed367d8541533c45c1c1cee460a64844a6c5

SHA512
45a26314cf6426ec015f91bdaa79bd5e052848f8909ad349a72d20c43733b29a83a72ca375e2ef646a55301b5f3507490e44f232c5aeac48b6ad7c52667de827

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
95KB

MD5
27c3ae6f4f4b185c30db4c6d55483c6e

SHA1
1f5fa4db84065eb25e51d7de519aad8901016a15

SHA256
5c292c990646808beceda04f72f7b9f187393c498338002eb509b9160485915e

SHA512
96124d9c1692bc9206c28cde1bf10db6d3240c0603bff8db9db94eddce421493a0558a96899c74d478cec85ac779089971f9d1d979249a31d5f1513dec67460e

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
95KB

MD5
89af9ddf37a6e629673fc4b237186f71

SHA1
5675cb047ada68a7f95c8f73d369baf0b4bfd886

SHA256
efd69f4ad7da866a2c9eaae494880ec669ca280dfc86ea5e28cb19af5d10d66d

SHA512
27c09e75a08190e6b801aac9bc7e28b02c7b920e936926cd6e0fda233d5626d79802a3973992e6256fe73d61538680979984df84243a6df6cee75d0277aa00ef

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
95KB

MD5
3dce91a7c319915e4ce24957d88240bd

SHA1
66f6214852654a1384b2fe5fbf67f76c1aa9aa7e

SHA256
66ac66f387fbc5ed24d188646601e6fea2458d412bc98c5830d3774fecad57bf

SHA512
69a9d9f8df606be02b3e752ce479dd10827475c2cd10773ed16cf4361164bd290c94d008e1a6976b95f9a0abdd5ef34e849743e90166d7d4e3cdcfa6c7532619

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
95KB

MD5
c6c958bdc88532cac2df57e311553d71

SHA1
4b91cccd5e06f23bf8a98b7492f3e82e45f4b5f7

SHA256
331f9c7cb9ffc06798037d974851ad261c35dbc44305a590510fa5dfdb7a7a73

SHA512
7bc6d0e710c6ebc65141c5abe5d3ac6e7a6df71cb161e3c3998a8ee72a520d25da703f0286aab83a48dc147a6a072823c7e27c4719390be1fdd84709b961731b

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
95KB

MD5
d8cc83d537ebf845963ee51d47da7f4d

SHA1
48c5d7e0db52be76a973d2a76005c6f215113637

SHA256
184467f8dc366a318b3bcfcefa76e36b5ab8b3a8787b7f4e9a529eea5f9ec0ad

SHA512
82524b21c02b23d9cc11e64b365a251c6f14f7f11d88298c2dfa9099f77230119fd36536fbc249e6fd50a432fa5346a69cb1d5be80c86f094af4761c86a2d0d0

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
95KB

MD5
acb4d333f775d007be12375d6060cd0b

SHA1
464d06121f4d38e323410e560b40bbbedfc96cf9

SHA256
bbd7f934d0eaf1a718e33090dcc931123a1536393daf97a98fbdd7127fc061bf

SHA512
2c0e4d9dcea4be074198a9a0d558624b497b3dbe3f366feb488dd554468141f0217acabe005474d7f9901ab8847306c78d7d419b3e9d6f3d4b1c022a92c86b54

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
95KB

MD5
133c12835ab24554b624d6e4997a0df2

SHA1
3bda1ef288bc1ec44f1fc209afe351f481c539b3

SHA256
daf10c2fec57578a0033081447ab2cccfb8827b09de92fa1529a51d79caa90b9

SHA512
698d4562718d62c9335b98da79fe15b38058e13b2ffcddffbb75e8df8278afa8fb548f805c27f30323abb79c199badf375d097f2112c706dbe5bcb3781caee0e

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
95KB

MD5
97ea5f30a149fc7c37f372373e954aec

SHA1
e25afb76b87b91ebb4a4cc6b2b0b0ce02a9efa82

SHA256
8e108db619d3be43281323fd1b41b7e679b389901249007dae4c9b79c16a5d4c

SHA512
118d76263182a72f1f743854f90c823400483e9af7841cb2b981aac97022ebdb85d6bd1effed05c366f2dc4a23026ead313357e0b1b476883185f7f2f6b2f9fb

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
95KB

MD5
d742d3fb6364607f907301985595dfd1

SHA1
bac198118f1cf20f81ddca7db44d6f17f94a22b7

SHA256
4ef4050bfa7339a66c20c47481591645292b2aa8e17b50a771639dfa13fd5b50

SHA512
66cd2d4517fbb6fcf370acaf630843f66d940ca00d0e8e9f507ef015f0433b23aec8067c6903ba57973f30132654f8152739e8aefbc1d08970de142fb9fc3c9d

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
95KB

MD5
272f6eaf0b42b021ad26382f34cc930c

SHA1
76d986bb8e6624e8daf18f37a567b7d240d4edbd

SHA256
29aacbfab6a73374d4fbbbef8598b1e6eafd60898409b88ce197535650677f8e

SHA512
67242b1847225f26d76854fa5743f82e885d3bda2c57e8b3718aeb6277b2f08b200ecc94f985f023d23ccf5a17a10fa6c288827d7a3fd36a1b1bc1bfbe1b48de

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
95KB

MD5
43a7db588e71a06ffe41267f0032b2c7

SHA1
c94316f9e9d4a8cb7919ede5314c380435eceb58

SHA256
921a1bbb2da97af61d71eabf41f4b2cac395b7790a6ccfd14e087e58f8933cf7

SHA512
e3f1f646950d963134025519da68b53179346f06ce21fbf3477df9a7324a1394cc758353917853f0c2e659fe543f406a186cc9085ac9d2e69f459af3ccd37997

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
95KB

MD5
1835e8e653c15e801e332cbcd77bfa33

SHA1
a2ec00d8ac78a2a63f16d49b3a3024aec7a5b28b

SHA256
5a7f0cc2b99bbec37dea022c5a6bd5652ab82a1343a60313eb2dac7c83dbf320

SHA512
1b05ba78187811a2d5b0d25e0036a48b435dead5ab49bdd520b4c889016806ac5141b22b6a786d4f8fb9e3cc9dd845a1ec1ee52f3a2081e07095d1ee73407447

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
95KB

MD5
65276187e6f6b67d4c331bef8aff4ca1

SHA1
6ac11d34861355c090b01975fb70304f0ada6f7a

SHA256
1fea95be8a5ecea030ecd5f03238ed5781e963acedf60e3358f45cc543c5871e

SHA512
7b443f6e0537de38d7a78a477676eea880a5d669dc8c726e769a379292153f29593ba07899db32b248ce3fce9b01317909b36fabc648b5775fb3d6ab19a1ebae

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
95KB

MD5
485c44344ef31f12b7d7ebcb9cf43556

SHA1
5e2c735bc6503a08a585d382b45e0a7e58b27950

SHA256
7eae4f308ab600dbeac54fd9d5b61b1f63899c445c59373d3ced23c03dda13a2

SHA512
32597582e3de43741e80fa1256662b54507622dd0a67f7cd5a574f05690b207b20d97858bd68a116a2998c0f6c0520dd53b3e0620369446f42fce92b39c4ba8a

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
95KB

MD5
07956a6711e078fc059fd66759baffff

SHA1
fd3802526c6b76bbeaf1cd68be10d4bdf42fd71e

SHA256
25e92fe358dfd16500b48dab0944407862dd31425c2ec10cb431899a3ae9849f

SHA512
7f39817857ae2f24e4fd9219faa04fc2031e0849b59b5e01d86075e495095e9f038ba6559e65786f54343df50fdc302c7aee1707212e30af9a761750f8b3994c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
95KB

MD5
f2752dc3e180867199d001f532d20fbc

SHA1
f642f5677c5a9e59a21657012cb4680abc2bec58

SHA256
e9ad164024f1367079111bc7bfbfb0796adb9f2d90a2082fdda53510b7f37c0b

SHA512
1ff50da32c3d96644e15ffb66828f9cad043827f082cd508490153ad391b32e116d1798c01e6aa7d1b196c69ba012a48b0ea05c77c96a99288a8fb549d047e10

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
95KB

MD5
083c5dd0ac8742e07d8a7a7cc2ca8713

SHA1
b9ee305bbdc0ee653308c8a70d18e90497e39ec4

SHA256
8da9884051fe4120c186ecc6e6cdfb380734d19fcd734e4544f286df33647b25

SHA512
a7918b78678a16bd394e673f39cabc6282037b0f8afc5780938e17fc82572a3a3088303ff6c7ead3cda5355cdfe4c98ab2945b6eb37f04789b4b24bc2b4dca3d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
95KB

MD5
d4b4efc2d53ec5c6b156d02d6810073d

SHA1
5b65e183e9e0ede3137f6925806b0459f9ce84e8

SHA256
aec68e4210190cef248625f734d36fc92d329908571493616c4c674c8d52dcfc

SHA512
6dd6e5e6d9c941bfd865778a12148c995ab078d92ce881f0474734a9ee5e5b8a7add5e4250b997414b0d6c0345ddb45ca8b6a13f39b886746b23469b92d2707e

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
95KB

MD5
57e81190eb32bcea8701d9de7990e310

SHA1
ed417ef20a15b66b6df684053d5532ef08915a14

SHA256
3a01386c80b6230b197203da0ece1df367e5beb9280339cb3312c4c9d0957c78

SHA512
8b0eecf930cd20343fcecc4f89af0ddde60fe4c0222037e0263762411a8ba78849b1b020d1b2568c02b9bf81fa5f67cc344f7b6f767644bd5cd9cbea16c1bd67

Download Submit
memory/456-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/768-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/800-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-378-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-264-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1736-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1832-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1976-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2104-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2272-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2276-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3320-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3356-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-523-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3772-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4284-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4292-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4476-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4488-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4544-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4648-421-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4724-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-475-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4836-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5068-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads