berbew | 64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
Size

91KB
MD5

4953bd29fbc4a4283667dfee3fac3f60
SHA1

e57340b54b86f3a5d373eb2ee65867dda761866c
SHA256

64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48
SHA512

2ab3b8e412f8eb6a67d588170e7fcd10a1df016a91e49002c047ed601e46675cda2f232cb40716a40bcb22b93f0194be0a37bc20d9794a7b70d0344008af0fec
SSDEEP

1536:1bjjX0+1naHozgXzOeP00bB8qaQ0f/gvZYa1mpeqa2GGcsSju2GfnXD:tjXVOmBQ0XgvmKBdGOj9Gfnz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4152	Ocpgod32.exe
3680	Ofnckp32.exe
1792	Olhlhjpd.exe
1540	Odocigqg.exe
2536	Ofqpqo32.exe
4788	Onhhamgg.exe
2624	Oqfdnhfk.exe
3732	Ogpmjb32.exe
2328	Onjegled.exe
776	Oqhacgdh.exe
4544	Ogbipa32.exe
5096	Ofeilobp.exe
1964	Pnlaml32.exe
4632	Pdfjifjo.exe
4156	Pgefeajb.exe
4620	Pjcbbmif.exe
2628	Pdifoehl.exe
548	Pggbkagp.exe
1504	Pnakhkol.exe
4596	Pgioqq32.exe
1420	Pncgmkmj.exe
4004	Pdmpje32.exe
1080	Pgllfp32.exe
372	Pjjhbl32.exe
3280	Pqdqof32.exe
212	Qqfmde32.exe
5112	Qgqeappe.exe
5104	Qmmnjfnl.exe
4460	Qgcbgo32.exe
2408	Ampkof32.exe
2696	Adgbpc32.exe
4240	Ambgef32.exe
4548	Agglboim.exe
1360	Anadoi32.exe
3488	Acnlgp32.exe
884	Acqimo32.exe
4288	Ajkaii32.exe
1524	Aadifclh.exe
820	Agoabn32.exe
1932	Bnhjohkb.exe
4352	Bcebhoii.exe
1404	Bfdodjhm.exe
468	Bmngqdpj.exe
3336	Bchomn32.exe
3008	Bjagjhnc.exe
1632	Bcjlcn32.exe
1480	Bnpppgdj.exe
2948	Bclhhnca.exe
448	Bjfaeh32.exe
2268	Bapiabak.exe
4564	Bcoenmao.exe
4220	Cjinkg32.exe
3136	Cabfga32.exe
2560	Chmndlge.exe
3188	Cnffqf32.exe
2764	Cmiflbel.exe
3980	Cdcoim32.exe
1788	Cfbkeh32.exe
5048	Cmlcbbcj.exe
4348	Ceckcp32.exe
3620	Chagok32.exe
4380	Cmnpgb32.exe
4972	Ceehho32.exe
2604	Cffdpghg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ofnckp32.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Hmmblqfc.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1944	4976	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 4152	4300	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe	82
PID 4300 wrote to memory of 4152	4300	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe	82
PID 4300 wrote to memory of 4152	4300	64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe	82
PID 4152 wrote to memory of 3680	4152	Ocpgod32.exe	83
PID 4152 wrote to memory of 3680	4152	Ocpgod32.exe	83
PID 4152 wrote to memory of 3680	4152	Ocpgod32.exe	83
PID 3680 wrote to memory of 1792	3680	Ofnckp32.exe	84
PID 3680 wrote to memory of 1792	3680	Ofnckp32.exe	84
PID 3680 wrote to memory of 1792	3680	Ofnckp32.exe	84
PID 1792 wrote to memory of 1540	1792	Olhlhjpd.exe	85
PID 1792 wrote to memory of 1540	1792	Olhlhjpd.exe	85
PID 1792 wrote to memory of 1540	1792	Olhlhjpd.exe	85
PID 1540 wrote to memory of 2536	1540	Odocigqg.exe	86
PID 1540 wrote to memory of 2536	1540	Odocigqg.exe	86
PID 1540 wrote to memory of 2536	1540	Odocigqg.exe	86
PID 2536 wrote to memory of 4788	2536	Ofqpqo32.exe	87
PID 2536 wrote to memory of 4788	2536	Ofqpqo32.exe	87
PID 2536 wrote to memory of 4788	2536	Ofqpqo32.exe	87
PID 4788 wrote to memory of 2624	4788	Onhhamgg.exe	88
PID 4788 wrote to memory of 2624	4788	Onhhamgg.exe	88
PID 4788 wrote to memory of 2624	4788	Onhhamgg.exe	88
PID 2624 wrote to memory of 3732	2624	Oqfdnhfk.exe	89
PID 2624 wrote to memory of 3732	2624	Oqfdnhfk.exe	89
PID 2624 wrote to memory of 3732	2624	Oqfdnhfk.exe	89
PID 3732 wrote to memory of 2328	3732	Ogpmjb32.exe	90
PID 3732 wrote to memory of 2328	3732	Ogpmjb32.exe	90
PID 3732 wrote to memory of 2328	3732	Ogpmjb32.exe	90
PID 2328 wrote to memory of 776	2328	Onjegled.exe	91
PID 2328 wrote to memory of 776	2328	Onjegled.exe	91
PID 2328 wrote to memory of 776	2328	Onjegled.exe	91
PID 776 wrote to memory of 4544	776	Oqhacgdh.exe	92
PID 776 wrote to memory of 4544	776	Oqhacgdh.exe	92
PID 776 wrote to memory of 4544	776	Oqhacgdh.exe	92
PID 4544 wrote to memory of 5096	4544	Ogbipa32.exe	93
PID 4544 wrote to memory of 5096	4544	Ogbipa32.exe	93
PID 4544 wrote to memory of 5096	4544	Ogbipa32.exe	93
PID 5096 wrote to memory of 1964	5096	Ofeilobp.exe	94
PID 5096 wrote to memory of 1964	5096	Ofeilobp.exe	94
PID 5096 wrote to memory of 1964	5096	Ofeilobp.exe	94
PID 1964 wrote to memory of 4632	1964	Pnlaml32.exe	95
PID 1964 wrote to memory of 4632	1964	Pnlaml32.exe	95
PID 1964 wrote to memory of 4632	1964	Pnlaml32.exe	95
PID 4632 wrote to memory of 4156	4632	Pdfjifjo.exe	96
PID 4632 wrote to memory of 4156	4632	Pdfjifjo.exe	96
PID 4632 wrote to memory of 4156	4632	Pdfjifjo.exe	96
PID 4156 wrote to memory of 4620	4156	Pgefeajb.exe	97
PID 4156 wrote to memory of 4620	4156	Pgefeajb.exe	97
PID 4156 wrote to memory of 4620	4156	Pgefeajb.exe	97
PID 4620 wrote to memory of 2628	4620	Pjcbbmif.exe	98
PID 4620 wrote to memory of 2628	4620	Pjcbbmif.exe	98
PID 4620 wrote to memory of 2628	4620	Pjcbbmif.exe	98
PID 2628 wrote to memory of 548	2628	Pdifoehl.exe	99
PID 2628 wrote to memory of 548	2628	Pdifoehl.exe	99
PID 2628 wrote to memory of 548	2628	Pdifoehl.exe	99
PID 548 wrote to memory of 1504	548	Pggbkagp.exe	100
PID 548 wrote to memory of 1504	548	Pggbkagp.exe	100
PID 548 wrote to memory of 1504	548	Pggbkagp.exe	100
PID 1504 wrote to memory of 4596	1504	Pnakhkol.exe	101
PID 1504 wrote to memory of 4596	1504	Pnakhkol.exe	101
PID 1504 wrote to memory of 4596	1504	Pnakhkol.exe	101
PID 4596 wrote to memory of 1420	4596	Pgioqq32.exe	102
PID 4596 wrote to memory of 1420	4596	Pgioqq32.exe	102
PID 4596 wrote to memory of 1420	4596	Pgioqq32.exe	102
PID 1420 wrote to memory of 4004	1420	Pncgmkmj.exe	103

C:\Users\Admin\AppData\Local\Temp\64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe
"C:\Users\Admin\AppData\Local\Temp\64a7bb479a5d68b3255c398715429b6646ecb9762021c05e045f8a82af04dc48N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\SysWOW64\Ocpgod32.exe
  C:\Windows\system32\Ocpgod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SysWOW64\Ofnckp32.exe
    C:\Windows\system32\Ofnckp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\Olhlhjpd.exe
      C:\Windows\system32\Olhlhjpd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3188
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        70⤵
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 404
        84⤵
        Program crash
        
        PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4976 -ip 4976
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
91KB

MD5
63a35572a653328ecf73186cbe425ba0

SHA1
e00a517a9ce45f52029d5fda1c2ea1670d5ff61a

SHA256
49960869d27bee1fc70102e4435dabb0c749496efc195dd7d726d6df28e1ffa0

SHA512
24b04a454c334cfff233a04e695a89a8cd5500f6e0fe45b98f0cc4b002e4777036722d444ff6231fc82d14d2f59fa5efa4087d6f26ea2a40e7511f1434889945

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
91KB

MD5
b599645c6f83857548395dc1d40aaf49

SHA1
c57307bf574411366b5fdff74fa9102ce4ea22ad

SHA256
0670b13b353a39e239582cefd5d701082bb71dab5fae5f562afbd23a6643a390

SHA512
157d2061c0de5850fb8e14e5b48a964cc26b19b71fc47c1da0289a0956703f3fa4635294832a5917bfd244777945d29dbb9ea887eda5b186f7782a0b26471497

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
91KB

MD5
64a39d39e3d363e0cf8c446809417d16

SHA1
aca4b4a9a484b687e94928afa5df448b97b7272c

SHA256
2c3033639fedb665c1522cda4154649883a468b33c126612d37ab516013e28f4

SHA512
2b5302a0a63f5e7d79fd8efa58a1e97ab7f9e8c961f84685c6bc3c4454319168c6252b6ca1adfd62e4b2e21ec723f62763c41995eccb6774532c9e51e8dcdd0c

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
91KB

MD5
3be99f08f181552d1ab3e4a3443e1123

SHA1
1e9346d674f78a90b39d915c65b730cdb02e7ba8

SHA256
aa0105ee6a4d7fe4045198c0a970599504e6e1529381ca77f4efaa8d6d814234

SHA512
7ea4dcc73d841757d7a134ac966b6f05051e2094752413329a5b9c79da9bd01cb162eece0b88114a2a5403fd6642cd5c38f341a515f58182fea4859761336a34

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
91KB

MD5
34e8e7d519043b6f93ff14aaa40a5ef1

SHA1
7517998db7afd8f90bdcb8ce98dd83bde090abd9

SHA256
8d13b4fc030bc18f05c660025e8661db5fcb48a011661f6bbe68918002483ced

SHA512
85c3f86ccacd8d43095989aad7818fc011933b53d9539113298e089ef4208c6c4935d5fcf4f27d095db01a8c67102db4ec0042ed94bd657ea6db9539289ebbfd

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
91KB

MD5
77ca7da960a3bf05935c8e3b5d50065d

SHA1
2fffcbbc28ca7c7b5b5da9a84b456edf69413be6

SHA256
052c91e2d777e065d6a83b5b1d5e6d31f521dc3340e6ca02eb0b2c7c2ce2688f

SHA512
82d1e0b48204ea0be26ae551686248edb9a7727a61144cc9676ffdf4a3c2d9228e6cab296d1206785f04d927e623e407d7635c146f7ad57947efb3e248ddefe6

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
91KB

MD5
f544a55868d7e4b3ba33d6e8770de807

SHA1
410ed7b24f03d3cd5496ffe1302f28cda72ee1ac

SHA256
1ba7bb8139e04112e1c96a3a603b96728910915e28324aca60d62b9ebce5b192

SHA512
2187f2c67add02483c572390e1867fb683e2ac2d1c429f619de9249ce66b33cc0cc6907f0c7b06cd2ca24786367b60b6fbce9fa7678452c220ba6131b7cbf715

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
91KB

MD5
f0c43a72f77f8f2806994c971d87a76e

SHA1
a052b091069bfb74c309b4cb25a0e2ac98108a86

SHA256
038754cc832fb9dee1e22c6981a34d1f1c9a5a13ef428d271ba7e4e531b740ad

SHA512
731036162caf008485c7a8148eb92864c9cb2f019176f20e028fd3c6d07c318b820643dcdef146cb9e7434dbb9e2da106537e7e916dab3cef0560403966c358b

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
91KB

MD5
529adb61e06b1a2d55707aed4eb16ded

SHA1
0ab2e604c4b174cfa5e68e9eb6e668b38d522b87

SHA256
5cc8df15427a286e4cdfd839d5018de67d3639e13188e90853c091d5039cc596

SHA512
f901aca26888a3a06f8a449ccc3b72486d695ad408ca5fc2b664a6e4c1631d668d4b5adc9fd52961eab305f600ce96d5dcf8a1e83214cef2b57a26f8f50e0b12

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
91KB

MD5
8ff69996da7a15acf9a61b8ae19adb3f

SHA1
68ca46e1f97141fdc4dae3002f101619be235a84

SHA256
fdf7d5e8d87b87f19c5984dbfe2e31a1369536d137a6563edab34bcab37579ef

SHA512
f7d7cd8ffea4353322e11fb4d76b9f3b400b366e0c49b4dc23fb20e5c3332afb59b2501b0abcce7e8f32d4b957e8e57ba880c18e1fcfbd730648c0578e86d88e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
91KB

MD5
2e204a439a9aba51511237e781b89187

SHA1
39c5c23c5396cdb8d10e3895a41221d19ddb79c0

SHA256
389db125b902f17fc4b1d65c8e988c23367fa28c7a878f0bd9775ed91d615c76

SHA512
2d305cfa757f8fdb15e4c6a4c61194d6838c129c0d55814a8d22f0cc74722bf9c3884e280567d5431bf659d171c37bc420c18c5ef32ff5a6c6d190f78f56e934

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
91KB

MD5
5e1f132e328aba98c81a5ab1062ff3d3

SHA1
2aed40d24458a951181c0c5a8eac4a1e4dc23aca

SHA256
dcfea6dbee1f562fd0df49231f4c5efb8b53000d7a64cdf069d63d4feebe73e5

SHA512
c8443fe0543fb0b57abc46270fc987171321bfc89ee79c026f404dc4e335ab83d63fd78a744f1b80a7df5677b552a470116123f5c463043771e8addbea55503c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
91KB

MD5
6d33d35222582c3de95c54b5547a2d07

SHA1
967b5b0e0b3a07f675ab9f948dd1727d1c4c560a

SHA256
dfd3ca6d3f6ccb28ccfc4799bac4a127ef90b7e867de7c99ea2a3272f7c26212

SHA512
ba0cb4113f02bc2cfb939bb0a6780e1b9636740d1e69db49bdb879f17004b64a056f1b8cc88cfcf44998ce102e4fa5a629cfcc031bb3618f87d256962af00a72

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
91KB

MD5
406438c7987bd285a6533b76a5058f79

SHA1
da9d2affc93772f43c5fc0f039fc55c31d2111a5

SHA256
123752bf939e82bcb98ebd91856e0a6486f211c78d1fc38d0e13166f0ea63a29

SHA512
2545b906d07a65a8c71071d6083ef6e513c767c196643490dbdfe1d28db94a438a3a9279ee030ca469ed3a567d42763cfcad56d797fafb260dc53ea3c72396b0

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
91KB

MD5
32c97b05fd114b836fc5a0ab193099d0

SHA1
9c7d339909c2e82c539b93dca37fdba992bc1c21

SHA256
c64ba03a1fc01ad6038ee93600af2b81e3eacf9ec626731845cad954ecfe2f49

SHA512
8947e4a5d3be662bca9c7cbf8687483c903bec310447d378257f2f1c55fcd9a884756c904dc2da7a6b49a705bf82d85f6c29e33ae995c4eafd5c53d19168bdf6

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
91KB

MD5
ec6e6054368aac72a2b7f275008e9fa4

SHA1
3731ba8fedf29daf217c216156a23442b05aab5b

SHA256
9855d6d1008f89b57b5257436f480a90fb24ecbef7cc1bf5753aac9e3209ef33

SHA512
29432966a941d1d4560b0ddb78008cb7efa4232e7aa6f7f587c1c81149014cf7e0a74ff80d0080354050d8a7b17cda669a8c9c61084e01faf810f14b607d0cc7

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
91KB

MD5
3cdc68f2ee75e8058d813c8ff202e1fd

SHA1
7385ef5e1dc3ca724735f6677802ff778f5cc8ac

SHA256
4368ad89f85541e2fef78e8b7cafa32c306085309430e9e0f3af3da9e5f2b53c

SHA512
0761f02cb9a01d03a721c230ee7aca23a7909e1f2fc05873b1e631214a8f337283819d627ed648b87c8a5be67be3c34af29f656f059f7d7a370ac2cb27900e71

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
91KB

MD5
a806d32ead7aedf2c6958c10c528cf67

SHA1
8c33e7230f2c41bf1eff2c7f8055a21079ea56a5

SHA256
52482d7dde05a748de23c7e186e0f1c1ea08ad3f1729ae0e89f1abd51dc1f3b2

SHA512
c78b7eec637e5d30a202c2b0177e3767018ec1db37b4ebaa5122ff4bbd006f2dde16151a604e959f2f4d1db7761ad5489d1660880feef7d0f54e1d53f1b00a1b

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
91KB

MD5
64561d99d05ec1dad7af17ca932985b8

SHA1
e55ee53b376f44cba754727721c5ed38c9ad7823

SHA256
ab9cb8dfab898cf66f10761600a1dfb3a0384c72f5b915bba50ea5fa2c928924

SHA512
7673fb821bd69999dddc814abe21cae993ba0d5cc76bb5d65365bbe9f23686a7c575b4227ae1d279cadb1fc25a36822697bdcee0fd053ef69abead8b8aef04dc

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
91KB

MD5
82d965aae0c4199e73b8b9346ffc5de6

SHA1
d8baf757d1ab471539d4bb9334e92162ed8539de

SHA256
5a34106a7e5b5a24785ea5aa75af0d1ab26023ac568ad73037fed02655f084ab

SHA512
99e2370d50be53de3b6242db52e46d7cb184fb2843be36aa41946bdb52c5134228d340ef53001df716c01cc1c7ce1992ddfb17c6236897aa4e897d15cf511ee3

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
91KB

MD5
452c0e51e8ba02837e97efe72960e1b0

SHA1
b085b6b744bedac8fbbb55eeb4d41cecee990786

SHA256
c06533f4519eaca6b1eba05968720fc8810a1486de35a45d2a7329e68fd6c11b

SHA512
85819f0c7ac09905ae375080f6bb71918347e1cbcb2ce469fcf445e0747be5343a5e8a02cb02eae8708d9364f2e37380cc332202666f3660f14f8f4ddeab5804

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
91KB

MD5
0f9cd09fbfe33394637597bd61fa2543

SHA1
13c14372e51ee78ea33f000c0f22d8560207a57b

SHA256
9000973367f3778bd3520577ead570afbb0f090a5322ba3487f2222e06e2b4ea

SHA512
e1966e23dabd789b40bb0e4173bc10419237b6c7c1da18972bdb814450827f93766d24b5ea30c2890f97139f4d6be899ba38195ad9c477e407d1ae3a1a9168df

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
91KB

MD5
d0572c75a3309189d7d7ba39cd73d24c

SHA1
169de55b60e760c364fda9914ad9c20b19f7493f

SHA256
2ad2a4b15aa6f27a2023724ad275fe7dbe1bb37b8a9d185b69385eb55c973a6b

SHA512
67cea46afad7bd181cd042a16165a742ae24cf520813b2b05c5ca843315252f11530fe3c895f1c102d300d1d171180fcfd12d52980a9d07248e8da3d449823d5

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
91KB

MD5
5f5b8214d0f2c2cf16f7547707b8991c

SHA1
7b67ef1e82575b037ab6515f9dba03a9e877a768

SHA256
dcda5e5dee27f2ef504a44b8914c62bc5e6e0aa3927378f90502abbae271d827

SHA512
a53fc098347d87f12960db593c5e7f1b307d985af23e6f00062ee9f5c6e61b8cd3324ed75131b7d29b7ac0cd0f8c7691998b24384765c59d7c5f155771b13766

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
91KB

MD5
f4a54748fd2f2dd79e8405c1cb5d1517

SHA1
1ab5d94ea1c16d4fa80261fa14e69e616b5a5995

SHA256
29a8661acf3c94d25c24dda4b88e66b7d0e6812cee789930b525a6f473b9622e

SHA512
ac7d6689217dfa0cfa8e539005deb605bfdcb26fc564c7ea3404f682206202dc23bf8ad2b669a34b83720df9301c3478e916e3674e538495eda2e7ac690107c6

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
91KB

MD5
375292fa6b3af6ea9412e5f924322635

SHA1
4af0f3fccc9428fc6c5fd8497017e834cddb5f30

SHA256
ab0805a91bf0f38ed7f8850c42fdce2bb0defd8b5296aabe4280c06f17505080

SHA512
796e3c0a9ffb34a6ed7d7364fd9c6e1c47ac7acc9d08c0f7b6ce3a830cb5d11c725e415f83485e36ed70c3f37b6ccdf3104a562c28873fd3d4cb96af46ebf57a

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
91KB

MD5
77b00666216046816ccea3595c7c7b4f

SHA1
7c967319fbedf60fcb811f6d19b62052d0c77231

SHA256
7f4afd08129348220b9ba56c46ceb347e277e7cd15757f173beea704b7985796

SHA512
e25a38106b431bb40be620e4f8d6a646651755472f091171ac681713f4002da37a7a1c8620b6acc86bfde0449901132ec85243c26d9a6558624464965adf78a6

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
91KB

MD5
8b84692e1680a6a3db17138c137a0ed2

SHA1
53e80fba6cb2696f45633c40f3ba9ae5c590b823

SHA256
eb86b8bef350f1ced59aa8802ef5448604942556091cb4ecf0d994c6ac55b139

SHA512
7ce2c41e39256833383332d7f9209dae0a5114a685e099b464ec7884f0ea73c7f0cc58dd14189d1c2cf681914d024f818ba5f44bf1c7ba14a1f4c87c0e26ac31

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
91KB

MD5
1e960f9b68502e25d60ca80e74a0350d

SHA1
29709da8fd96a218478f8cb3d11ffe6dff9d846d

SHA256
a870e9408f59f7feaebedcc10520840e0e378e14db0cbf30cd700f8676f34b53

SHA512
c6b5b47e05fc710916cb9187579222894dd02d3364517b19bcff59a2a3ab1c239341bf9d6d34eb3434df2478687ba2a80e6fa2e45bc6039cbb346643a4b1d2a9

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
91KB

MD5
e67211ee8ebe8e9b255a82b8d94c4cc3

SHA1
88fc68c37d174e3664acebae8d9167d47bae33a4

SHA256
40335194755a3c2c66a13a7efce5cc49d9cd2297a4d5ad01b6bfa9a92db449bc

SHA512
04e25077aebdbea809b79c91b3095d96c3788d632539581c81122dcacd62b6c6f054d11c2b7ed42019d5544b801052b833e351d54a1ef6d3d3527a2f3b4ecd59

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
91KB

MD5
29c30f55cc444b1f5c84d8f3f4548628

SHA1
72005a1a194707f29ce7eeb9c0256ac55384919c

SHA256
abb928258d4dac298ffb57200e34d1457ce4e8001715e6b088c8618a34bf2ccf

SHA512
02ab0d2fa081bf8bfdda4fca825c4b5c1a14e32ea1fb78d565cb2298d3b652868e42e22c5a81cb6e64e2aa57438ef7e6653d87079480f9f6565fea7a50e37aad

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
91KB

MD5
738439e920388d99ef8baace05595b19

SHA1
c08af9767ebdd11af80594909d9b250f6ddff917

SHA256
06a649bc1844cab4a3c02e005062627f4e436a57735cb164dff5f0fece9a8d8b

SHA512
1d16b44cd374fa8f07a17e1838b9e753bcccd78c650fcf40b2baa04a27b7586a132552675f20f7b15555ab4e25899792edcae94824985ffa0367dbcea3951ca2

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
91KB

MD5
1624f9415ceaa875147feb55650b528e

SHA1
32a106b10494200a6c60891cebb4db00d77c904b

SHA256
08b808e83fa8722a5a7812d1d667ad593669f23865fb99beeb32933c484f8861

SHA512
ae7e7fff087c61dccaf2afcef046b2193a33d66f87ba8751f341e7b07201da8584a08c212b5f1776f047afea4ed3010d6a02a4aa9e2ffdd17805f2bb2fa11ae0

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
91KB

MD5
eba86c25ee8ae01393dffcbcf33375c1

SHA1
f76424a07c4be0da330438837184a31c1684d282

SHA256
d563b9b121e42da5364f3eb289b50483e95753663ead0aa17b2a2393a2379bac

SHA512
ed7b94072a81a0a7dc3eb0be03e3aec7b799efbe7d3793f1bb4343cb2d89673a157ae739a87f20b2529d0ffb490867d706a4e0775e213325067add1beac1cdc1

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
91KB

MD5
c1744e55508fd056b9b5b236df33c4b2

SHA1
fb5c49703216a60076bb99134d2fdab0491a5f99

SHA256
12ee522751ed1ba6634459f0d851a002cb4a0e132f144232944447e671872ae2

SHA512
b9cecd9c0aa40e76456810c30a979aa656f4bd9f442ebf77037a669c882eb57578af72621eece2f763ab32fa749958e75b2eaeeb39d4c8c12f4640520b1acddc

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
91KB

MD5
f0f73bc4ceffd5995aec592083445b25

SHA1
99020ca7077ff758f1819f7f5edfb375c0f13856

SHA256
106ad5e250533a71c53ab9e617d1765d040722ec0aee02a5e2c729ec1b731808

SHA512
d3d9d20abafee625040b8b2e5384a210ea65bf6b779a38302fda3506aabfa8f40e80b44f3d8aaa3a89eb01d7c9c721081e221d585f634e7d683ef6a677019bba

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
91KB

MD5
7a7d0ae1d87417cce1aca4135906c7be

SHA1
55fee701a18552dce7ea628b7a221c105e825236

SHA256
dfe78352947502200482d970f437d1128b90bb0a4d14d614719368aaaf184973

SHA512
6c3ded5039ac93839ed52b06780cbc2c6fff454db8283c839b5975593403488c130abdabae1603aac38ec067999a164f84e088bace504dceb199ea09895398e5

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
91KB

MD5
9b756066b50c6d6a4dd7c3ef75e7c700

SHA1
83562f0975e83749df662ac1104c8916223035b7

SHA256
ace6daee4eb42f49c3f452137922f035e534d91b3ed3c9d15a92e00924988ce1

SHA512
5dbda7472da78c3e76847a8266a17f02e2e4a263d98d7be45cc547a344f29b1f3a822a4181b71b8b9e1aa9cf20135e2c45f6c7546c5dbf2cea7d0baed6d44163

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
91KB

MD5
c9bfc914e257ddb9377729bdd1fd59e9

SHA1
a198129e855174395689b3b3482e5597d295a9ba

SHA256
45226a2a7c838f3fc1f7d742df48bdcfa5df1dfab87672cc7f49b59dffbaefa9

SHA512
c5e45f72df9fa8499738b04c5c7bc08f3c165ce389f7fef881c01a584bf3447f5c7b0c16ceb691c63024179206b332960576433d3a1c55a6fbfcec20aba11aa8

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
91KB

MD5
716b950c33ab0785b75919a56ac774d4

SHA1
df39fddc651335522e4f5745d74a28d9fe72a6d4

SHA256
b1c580cf76dd53a65894993c61364d558c1fdae93c0ecbb10c487070c77b66bd

SHA512
43760b7876b93bdf6cf30a85f24c63caa6291d1bcbbe1a4a541d737199b84690ec3a7110c85ee4a0ca70dcbdb4cd4bd22db1df5682fedb2e94d638074a82b068

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
91KB

MD5
ad994fb0fe331a0227b4c0a3096a0c14

SHA1
4b8f7f36b45baa23adec3d52c542c51bff948da2

SHA256
a0f528a15a882d0f2d123cdfdd1b0bc686d12b958d222218f460f558908548bf

SHA512
f999c06bc712b811c0e8251a9b310b2a9e0d2580f1e2cc7a9118079fbb746c7c3b5076f12da1a1d0272a4aad2c1736b9feb7f286ee3998fddabe94635d64e273

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
91KB

MD5
648407b4bda28ba8eedd6e9e5c5430dd

SHA1
5be07a41a3ed5ad3561c834be1a04409ae008479

SHA256
9db97131434b5e6111a74b8d9eb84aa87ff9e43a70bbecce633ddd1833c05e1d

SHA512
f4493ce5de4421f89c9950a90e3e0a515c75a65eb886ec74b62edfdc83fe51f6b2ca0a3809df14e83de0279d5095617d891232051f80e591231cefc0469e5d54

Download Submit
memory/212-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/372-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-573-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/384-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/468-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/616-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/820-640-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1080-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-461-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1228-455-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1360-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1480-347-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-639-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1632-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1964-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-575-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-449-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2696-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-353-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3136-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-571-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3188-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3280-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3980-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4004-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4152-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4220-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4288-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4416-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4460-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4596-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4632-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4652-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-275-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-645-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-443-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4976-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5096-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads