berbew | cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Size

96KB
MD5

c8068a8d8e8b7b676264dfd1431ccc4a
SHA1

0dd114ceb8c5ca9fa3deb3a65e1fd403de5be473
SHA256

cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e
SHA512

e7c607cf72d242999f21688db19c556f6f063320020c9a60f25184d2939d0f9cde0393fd02e8136ca0a2f83ad4bb516c0033666c155d1a85ef168efa217cea77
SSDEEP

1536:MahHDEj911bCUORNb6mEVQ7KzLeN5Eu3fql86jrduV9jojTIvjrH:zHDEj911bCUODbM2CLkWu3fql86jrd6L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1616	Njciko32.exe
5052	Nnneknob.exe
3308	Ndhmhh32.exe
1128	Nfjjppmm.exe
1596	Olcbmj32.exe
4584	Odkjng32.exe
4384	Oflgep32.exe
3016	Oncofm32.exe
1224	Odmgcgbi.exe
3228	Ogkcpbam.exe
3552	Oneklm32.exe
5068	Opdghh32.exe
4296	Ocbddc32.exe
1864	Ojllan32.exe
400	Oqfdnhfk.exe
2328	Ogpmjb32.exe
2700	Onjegled.exe
876	Oqhacgdh.exe
5028	Ogbipa32.exe
3592	Pnlaml32.exe
1772	Pgefeajb.exe
2548	Pfhfan32.exe
4292	Pmannhhj.exe
1944	Pggbkagp.exe
5016	Pmdkch32.exe
5044	Pdkcde32.exe
3304	Pgioqq32.exe
1480	Pncgmkmj.exe
2248	Pqbdjfln.exe
1700	Pcppfaka.exe
812	Pgllfp32.exe
664	Pnfdcjkg.exe
2516	Pdpmpdbd.exe
3060	Pgnilpah.exe
324	Qnhahj32.exe
4744	Qmkadgpo.exe
2808	Qceiaa32.exe
2896	Qnjnnj32.exe
4456	Qddfkd32.exe
1548	Ajanck32.exe
2376	Anmjcieo.exe
3640	Ampkof32.exe
4768	Adgbpc32.exe
4644	Afhohlbj.exe
1560	Ambgef32.exe
1672	Agglboim.exe
1424	Anadoi32.exe
2536	Aeklkchg.exe
5072	Afmhck32.exe
1192	Andqdh32.exe
3048	Aeniabfd.exe
4856	Acqimo32.exe
2404	Anfmjhmd.exe
1124	Aadifclh.exe
3792	Accfbokl.exe
2216	Bfabnjjp.exe
528	Bjmnoi32.exe
4752	Bmkjkd32.exe
4576	Bebblb32.exe
3964	Bjokdipf.exe
3116	Beeoaapl.exe
2148	Bnmcjg32.exe
4776	Bmpcfdmg.exe
1020	Beglgani.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Qnhahj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5224	3692	WerFault.exe	181

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odmgcgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Odmgcgbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njciko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Ajanck32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1616	2588	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe	83
PID 2588 wrote to memory of 1616	2588	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe	83
PID 2588 wrote to memory of 1616	2588	cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe	83
PID 1616 wrote to memory of 5052	1616	Njciko32.exe	84
PID 1616 wrote to memory of 5052	1616	Njciko32.exe	84
PID 1616 wrote to memory of 5052	1616	Njciko32.exe	84
PID 5052 wrote to memory of 3308	5052	Nnneknob.exe	85
PID 5052 wrote to memory of 3308	5052	Nnneknob.exe	85
PID 5052 wrote to memory of 3308	5052	Nnneknob.exe	85
PID 3308 wrote to memory of 1128	3308	Ndhmhh32.exe	86
PID 3308 wrote to memory of 1128	3308	Ndhmhh32.exe	86
PID 3308 wrote to memory of 1128	3308	Ndhmhh32.exe	86
PID 1128 wrote to memory of 1596	1128	Nfjjppmm.exe	87
PID 1128 wrote to memory of 1596	1128	Nfjjppmm.exe	87
PID 1128 wrote to memory of 1596	1128	Nfjjppmm.exe	87
PID 1596 wrote to memory of 4584	1596	Olcbmj32.exe	88
PID 1596 wrote to memory of 4584	1596	Olcbmj32.exe	88
PID 1596 wrote to memory of 4584	1596	Olcbmj32.exe	88
PID 4584 wrote to memory of 4384	4584	Odkjng32.exe	89
PID 4584 wrote to memory of 4384	4584	Odkjng32.exe	89
PID 4584 wrote to memory of 4384	4584	Odkjng32.exe	89
PID 4384 wrote to memory of 3016	4384	Oflgep32.exe	90
PID 4384 wrote to memory of 3016	4384	Oflgep32.exe	90
PID 4384 wrote to memory of 3016	4384	Oflgep32.exe	90
PID 3016 wrote to memory of 1224	3016	Oncofm32.exe	91
PID 3016 wrote to memory of 1224	3016	Oncofm32.exe	91
PID 3016 wrote to memory of 1224	3016	Oncofm32.exe	91
PID 1224 wrote to memory of 3228	1224	Odmgcgbi.exe	92
PID 1224 wrote to memory of 3228	1224	Odmgcgbi.exe	92
PID 1224 wrote to memory of 3228	1224	Odmgcgbi.exe	92
PID 3228 wrote to memory of 3552	3228	Ogkcpbam.exe	93
PID 3228 wrote to memory of 3552	3228	Ogkcpbam.exe	93
PID 3228 wrote to memory of 3552	3228	Ogkcpbam.exe	93
PID 3552 wrote to memory of 5068	3552	Oneklm32.exe	94
PID 3552 wrote to memory of 5068	3552	Oneklm32.exe	94
PID 3552 wrote to memory of 5068	3552	Oneklm32.exe	94
PID 5068 wrote to memory of 4296	5068	Opdghh32.exe	95
PID 5068 wrote to memory of 4296	5068	Opdghh32.exe	95
PID 5068 wrote to memory of 4296	5068	Opdghh32.exe	95
PID 4296 wrote to memory of 1864	4296	Ocbddc32.exe	96
PID 4296 wrote to memory of 1864	4296	Ocbddc32.exe	96
PID 4296 wrote to memory of 1864	4296	Ocbddc32.exe	96
PID 1864 wrote to memory of 400	1864	Ojllan32.exe	97
PID 1864 wrote to memory of 400	1864	Ojllan32.exe	97
PID 1864 wrote to memory of 400	1864	Ojllan32.exe	97
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 2328 wrote to memory of 2700	2328	Ogpmjb32.exe	99
PID 2328 wrote to memory of 2700	2328	Ogpmjb32.exe	99
PID 2328 wrote to memory of 2700	2328	Ogpmjb32.exe	99
PID 2700 wrote to memory of 876	2700	Onjegled.exe	100
PID 2700 wrote to memory of 876	2700	Onjegled.exe	100
PID 2700 wrote to memory of 876	2700	Onjegled.exe	100
PID 876 wrote to memory of 5028	876	Oqhacgdh.exe	101
PID 876 wrote to memory of 5028	876	Oqhacgdh.exe	101
PID 876 wrote to memory of 5028	876	Oqhacgdh.exe	101
PID 5028 wrote to memory of 3592	5028	Ogbipa32.exe	102
PID 5028 wrote to memory of 3592	5028	Ogbipa32.exe	102
PID 5028 wrote to memory of 3592	5028	Ogbipa32.exe	102
PID 3592 wrote to memory of 1772	3592	Pnlaml32.exe	103
PID 3592 wrote to memory of 1772	3592	Pnlaml32.exe	103
PID 3592 wrote to memory of 1772	3592	Pnlaml32.exe	103
PID 1772 wrote to memory of 2548	1772	Pgefeajb.exe	104

C:\Users\Admin\AppData\Local\Temp\cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe
"C:\Users\Admin\AppData\Local\Temp\cd80d1ccb93f9ca2a25c3ca7e1e8fb20ae69877848fa97602371f6e95bae312e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\Njciko32.exe
  C:\Windows\system32\Njciko32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\Nnneknob.exe
    C:\Windows\system32\Nnneknob.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\Ndhmhh32.exe
      C:\Windows\system32\Ndhmhh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        25⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3372
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        74⤵
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        80⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2268
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1936
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        92⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        98⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 220
        101⤵
        Program crash
        
        PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3692 -ip 3692
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
b1ca9f550ee6a25f9d03983e1c9d4279

SHA1
176890df4f9b987510ae0ed99f86d65a4f9c6df4

SHA256
a2e70e356bc5e3a0221100e4a7ad544802b842c130a8358a5ab77ab7675a8b5c

SHA512
18b50ab68a0145e8994aa09e552680e24a2b51e74bf63cfeba753128852c0fb5ddd8f797a2f5927c8f021cca335a60c2bb806cd37242b976dfee833d1e8a89c0

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
96KB

MD5
b74c861e0d1b1c9e7c48c975d6588b6f

SHA1
31ee8c798225501610a7222ed7b58beea81eb0b9

SHA256
6199e61d6cdbfc23967d30c8613bcb75991799a8fabc646394a537755de3c6db

SHA512
2f6b0e52db8251e579e3f17b813fff3cf48c9646759cd8b43a60b7713e43cca6aa984f6d006809e86b086dd514a29fb84f9b6dc2646e07a469fe9e6bce13d38d

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
2c145e23b0788f9a8b2b65cc72a0790a

SHA1
902fd27ba52479ed7e1c212e3933f5b750b30ded

SHA256
459844bef07b8716811926719ad628428ac6ca43b56ef9eb23b1b2374bbb60fa

SHA512
c60b30e8a8344e2c31d5ebaa860baf808f68a2f4a1a0e15a0d3e46e454f4357cf216c41cb390c690ad89cb9a176d3eb914d76d09a2f76c1741332909b739523c

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
96KB

MD5
120059b93d7beae18322b3223dd3c0fb

SHA1
2e49767f7b370d7e976065cce4262b380b8ab62f

SHA256
f22f2418fc66b085a766fe511290c0d2bb031d7ba0aba13bbb62b034d1a9683b

SHA512
41c25eec67764153dfdfbaab3273e8b460d248c7c69150ba9254e9d6964ff4e9fa8ef138eac4c6591e65b0d01ad9cb48e7fefecb592ec73626797b99b0741cac

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
96KB

MD5
8c5e88dd385dd6dd988d24a11dd4cfae

SHA1
ab7edb62e4a33476ac9cbeafc92a0eff6e120e40

SHA256
b784fe1ee6f0e3ce2f876b73e7291b50a99cf405b765f9e3ac74d0952bdb3e75

SHA512
0ce2625ef7523f8fe660c0e2e3aa7b1631fe5c517dc111aebabaab4983cfeac193889e364b8f8ec6363e540d70acf7ed364816ce0cf712ab81ad9cfda99d3d18

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
0c0765d9123ff6ebc6ce7a96f5fa3440

SHA1
b21bf2e594aae012948c3a0fa8cce491d4109e1b

SHA256
5de839d1e1a97ddb5eb6186643fc316e948ae5aea1690b59865ebe6adc2de332

SHA512
96e1bb63db8e4c31f85bf35f6d16df12b69db8581252ae32553bbe7f3c87c7e6e072d7b1bc4cc45a06bba62421b9f4ff400142a4bcf13eacd8688e54f3461dc7

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
96KB

MD5
df0cad20c26113fa321bb0cb902d0075

SHA1
f066408acd9e2ec9528e58c7a7ef56beba8746a6

SHA256
348c39e67bc8ef7d474dd9242cf5d35c975c025fadf332f352b10c8dab836043

SHA512
8016c8f09afe59a7de4117335629c479525d3db474b0bd51a4e0187bd903c137cc9f967c945708ea4c738fc8839dcd58e07364deed478bb87623cce690b10121

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
96KB

MD5
b7163be9eaa55a162069142f758471e1

SHA1
f5656a2c1f12dcdff8a93f068aaa91a646cdafa1

SHA256
46a6bad05310fe68530944ef49c29fcd173f8cb86572eb54d4ab55bd4cafc921

SHA512
cb9bb250548b0ea5236fc915c410ed1b10d02de97b925372dbe6f69c3f758692178840a811552183c86d9a9786a7194d4969f1178ec50bf59bb2464b96913a8a

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
3c7c7644888bd6dcbcf7a664635819f3

SHA1
7e1712ac2a986a2b875643811c178f85c1390082

SHA256
d622d6174484dfe006958f089122f393be871d99696b49ccea9795dce36df4eb

SHA512
1a823961b319f8870cb0c88a65e2e9abf1f0911fd4209b1a56512f93045c4fe32ab81bcb6ee4a8e60da490d50a17e0e409dff4b737550dfe72f7ee646e2a49b7

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
96KB

MD5
203181865f57b07b359d8d3184a7dbb9

SHA1
cbaa333af5b2b3a17a141fbce1bfda7030553748

SHA256
8ee64734c45a826374de96f0bd74f7ffa0a267b0a776a9b5ef6712f013a881ae

SHA512
424a9d5868feb9b5a5df6a38eb24164e4346b32892a694c1be79d6f660792a4c609e3e4baf1b474aa017503d02316454e1ce200d4167512663bd3afeea8958f2

Download Submit
C:\Windows\SysWOW64\Mjbbkg32.dll

Filesize
7KB

MD5
dbb34440d54070907af05f59150d5562

SHA1
632ce6a067182e8a54e04b96181c01709bd9573e

SHA256
e0808410abf8578658013d825ceaa325260a87d670157156dee349f17a8c1f82

SHA512
c00cca21ab5c5d766a9c40622baa6c039742fec5abcac460eceeb7e17ed18421d5a2aee585b3f728db04b698bff64dde1ff98e4426874d9e3f9a00a23bb3d7df

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
96KB

MD5
231436434156cdb6b4d4e1f235e95575

SHA1
aee90e6a7a7517214d19e1b15c5bc853c07e4280

SHA256
63cb8e72d2e813ea0179fddae51cd0a7c75235fec9fcab3dafe31f6702821e37

SHA512
23c517a41e2331ba7bbb3eb57bb7aaa385352a721ef2fb2ef283c97ec4e7decf731b497ef6c6d70aef18e2744747d6e3542fc8653b4e7dfe2cd03eb3d77b6765

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
96KB

MD5
41f757169a5e2fe7472efcee5b445711

SHA1
d62e056364664f412b79ba7042e1130bcba4daad

SHA256
484fb6e2d08a9ce528235d6cfc833ef0d5516b102747f23fcc24710b85521880

SHA512
925c72150e3fb4577c954004b8a1bcbacfa1fec9c38cd0da9e4b31e081a842fa33a922e50b5acfec6d0cc2e9487424dbd625624124084453fac14a45bb85002c

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
96KB

MD5
70c0761d6dcbabad8da5fa3a6f04805f

SHA1
32059bb6a54e4540931cffdf1bccebe609306a96

SHA256
0fe22a6c5c1f0585c9752621a9c31b6f9d7ea355af3ce48418b8210b69a78f60

SHA512
4af5c5ab77324f8b60966c4f667c1f59f862000c48d5b7fd96e2ccb47686cc5833f2a646b1f1f572096b736253c05159a18f90ec9c2b41451a6746fb7c588dd3

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
96KB

MD5
b3e51d1a151c0915eb74baa103abf0ec

SHA1
7086c32609dc01df26c60ef1c88d57f14c1a07ba

SHA256
45e2b1bcd2e5ad57fecf8908c92785472153e7d72dfd8ea0788d0df9ccbaf2fe

SHA512
3ded3362372b4727671d09ed932f56893321c5d1c93ff340116899d30cbab87ce71e6de388abc1a908b7422ae0ab12eb208128054d67e528a11b09e5d131f500

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
322b8bef40cde80ae61190034449e467

SHA1
694325ab2a7f7cd666950b4bcd7627d34efc04a4

SHA256
818ea2ba98a921a9155cd434b1e236e54b33516d9cb67587d105adbf038eb7d3

SHA512
463a3c7caba4a0abcaf92eef7b1e610436b939e89e0ca79c1b38c9a3643e25cb5a526a8b0b2415d9545a1c96c35c237a653544fe8405bdfc0ee78135e56275ff

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
96KB

MD5
7cdc0bd7f6c9a88fd31ffd9cb3bf2c60

SHA1
fc7997e23fe34139c38e856729f5a2c32278eba0

SHA256
349b875732da207e91586ec7f4a389fcef5c9e64bbf0fea7940813a811d81f8e

SHA512
99f82efc608d4ac2d51f846d389c64410aa15f4da97de9361adc26e538e26a3e97a0ae370ea1447034090a70a986b834cd27158e2a9ccda64c6b7bf8eb859c73

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
96KB

MD5
8e41162faa4a07055eccba5a7fc2b0ab

SHA1
f3c69bd25f0ad448ade0d0b3bda5926bc1d637e0

SHA256
49b1de9eae39db6c0349f018e1c932c468d016a4a8b860484b81afb6d1d7d247

SHA512
8d26f0b1a12e3321cb8d01f990032e70d512bcba0467fe86a831a414766e1759ee7852b97427968eed5a66fa028f1f1edc22dda8ccc31db599e03b0fe5416884

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
96KB

MD5
0b67c71f769f8136b3938de3f08ca2d4

SHA1
17b839c2deb74fefa37b4852f567b36df96e80bc

SHA256
0d70bff172a8414c85f3e1a6395c841cf33f5142661849ca4ff11eb1f76e9b81

SHA512
5d3d6944e3dcebc4dfc0fb74b8bdde8354bbee2c11b0e54518529bb1486c60642b43d9e8b426b8b77d5d9be1e78fab1eb2fd3b977dd6eb788d4a0c7159046c29

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
fb1d0921c00760ac08048222bb011479

SHA1
46b795bf1b04d3ce7d943470b94663247e89d6dd

SHA256
add86361e2899496e516a3f09b5640f031b44eeaaecb93cd5943160314b75a97

SHA512
b69895c2befaa84ceee5436d78cf2d1ed5314449953d57420b60c56d4981ba0e806c21f3687ed28a7d50d09788a4b9149b5bf91028c6f3e4f096b817c43a8af7

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
1ab2a12a4a9af328c41b94d5f26666bd

SHA1
5a02dd774182df37c464168aa461654c142b60a3

SHA256
5c480c842d449355d133167841918cecf6a04197755e2237d057c84b4b59c196

SHA512
0699b35763c02608014d818e27a2b943ecdee5e832b80642a7d3437b1d213972ad228e4d7d306c8dcc0d611ea73d70cbbc611f1aa109ec8520eb9ab4822d7c50

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
96KB

MD5
c2cbf2c76d0a5c42b3dc9e807748977f

SHA1
d7e2fd41f5c905678faece0a29283480ee3066c7

SHA256
26b60cad7c34f24d757adde74dc695c1f600744cd90ea9ed5fd9b9456e98da1e

SHA512
6c9c05e5612d9314606e35c2301e77effe5dd3490ec105b7f00c89fec3258b4ba46fcd076b0ea63533493d8e7c74c4fa30ea9da7e318c35a935117029862d11d

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
ae25efee6d22822565cceea6d623bad1

SHA1
facaca0a3d3c7546af6d2ef1705e853e57ef54c2

SHA256
fffb94ffcb116e3d0f1543071828efa76c0bad56c02c2bb62b7ea4c8acb0a990

SHA512
dc125e24cc76224d39dd5d91ea6987d9912149ab90d6439f2c98acc16b23e197c61fb9c72512c5b5ab6834ea3be09638699386de4d94c6034e37e37486214e4c

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
96KB

MD5
5f2e8386b088913560c040a4350538e9

SHA1
c642c4c2a0b6912ee1c41ada6e13edb9d5f789fc

SHA256
3c20878974b0e3696ad9a334020884f01bf11605c9f266fe125be6e5a1fb931a

SHA512
69d52766e7e2e16c4fa2bc66195e554664081c7d0ab6839e9582a023ef1237bc73112347101772a5c2835b533587ca7a8a350d7fc09bed376950264c7d4dd4e2

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
129db6321250de994389924cd98f4203

SHA1
c8792a56d40aa76c445c77a3d5326a8ee232b154

SHA256
e5b634517719aff87f6bf5bf8ca9cb87eced8b9c66232cd8d3cceb558154c889

SHA512
474a6f4a148ed96ee0d02eecbaec5893606583fa4f2d773d4c447739c278e00679062cb99cf9b28b234f0d5fcbb8b5fc8b060aa823b3b9076ed2939c542ba594

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
96KB

MD5
ed81af65bb51d3285cffa2d1c6fd6b62

SHA1
e6062a7769a210594065ce23986caf7f00a84b8b

SHA256
f7fc20d964756ac021a3ecb7baf8d0e96edf883c597458a2dbcfa560440227a4

SHA512
20a2c6bc6fad12a084e17ccc6d28a317a4931c88641c3ea57f38aa941132cf3e5cca0dbad717c2fa802c4ce59b97d00bcc64d80b1069e68e111e665c8e623b2a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
905fb0c9ff180047e7a706d839a607bd

SHA1
f1f20cd0a99600e96a3735939915b4afcb7ad17a

SHA256
366d74c1d688c0a8f94d78698ae2559f8603964e67cac937f882d77436315a4d

SHA512
4c2e11405d73944127d8a39fc44d65b10093ebc73db26647cfd50822fa0f73dee3efb88367fae5a631b8313f52bedd72d972f889eec4bccf2b0021234807985d

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
6c32aa210ae6b06c50a69e458e8a1dfb

SHA1
55e8e76753268ea53b35b3fb03c122dac8ccbc32

SHA256
5f8149c45345211022762481ec14e5e632b3dab3e4072d22fb644db4e0061d43

SHA512
c6b8b590c564343b53a89f5cdb85a6aa4c2a1468efcc2e97879ea0a692a0ae638cf5992d0e03d435b02d60a651edd300739f5197dea778d6518a1a218758b4e6

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
75c0e5efd3c5b87e41f572d0c02833ef

SHA1
02d03828717b1081047cdef4fb06bca66e181a14

SHA256
537c8d25653a0a6b175930ce6440a152dec411d7216c5cd61acf33c90aa5c7db

SHA512
adce51ec4e10a8b5fc2ee03c9b94a623beaedf08232ea8f5c693afb2f799cfd276262d64eb25a86d8d44afc237b989da96e9f91a77a32409e846f4108129508e

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
5cc5d13156207f75480402c8086bce1a

SHA1
0257d92f3161dcc7c18b613864dc1b6d0ea864f1

SHA256
9c9ba07e83a256baae11af3fe64f35b49de6af00f3e08fde4c9a39f4a175b414

SHA512
b869e845d71c694fe3430a648d7a9706462131098c8a11dfc86bfbee080093b87eef008270e44f5ae6f3ebc874c0bc244490e28002a940ae6ed56ef603624601

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
bd42152259ca38952a84013498af1a37

SHA1
00415dcf10e74b47d16a74f68cee05c66d8bf549

SHA256
2564e64fc1491807dd01a6023e9dd3d926dbe141dfb323c99afc49651ef11e31

SHA512
16188f8b98e600e1622b6cabab4349b4e08bb0f552edba22f7d20a05dd0f35b0efde7d650e14a1f0aeb577b128084d219e356fb10841ec83f306b9d89e0ed932

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
3fb9f1c57c2ea0ba5bc5def15a3f9f99

SHA1
2eb04d54f8c7a9957d087752e11e791c5ac64eba

SHA256
f04529b83ac537619e51a48f824f9ca1852cbed6b31c5d3710c241537bdf4f3c

SHA512
249108e3fb55e0ca0b62a7d123d5159cd106f5cf90b143bd37aaa8327616fa5025539a21c49a88c64fdab7a1cd7a70d82d65901b73eafcd3aba5f8c9a0d66cbd

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
edf5a34f8746ad61c7ae70ac4db53706

SHA1
1b0dc8e01082f4569ba46da1acf61b0d6be169cc

SHA256
f675634e739fd4720298076a0c4e1bd068e20d8192cd2f86564126bef81294f5

SHA512
5284839c79253ddcc79596d1efa0169b631d786492f77c7f85301c8c6420f71bf79b5a853fc2503668bbc57e2e7c1f82ae05270281e33b86a3eda09f57bdefc4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
96KB

MD5
91b797e4226494986627facdcb89d290

SHA1
78ad2b369c1ae400864085cd9592c2645188bdf4

SHA256
a473740d15b491f401d3767780dfc785d956904ea1cb9a45da14fac6e70712d9

SHA512
60cdd218bbfcfb48345e3c8ece8e8355fdf7b87f83ed8e98f9d0b572a9ab9fc21cde2f1dcab59ce1233e727cd05c76a268b9d20120486d5db232b4e447e5e0bf

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
aa335203526002eb3caa31bb5b5056dd

SHA1
2dca5e16882ee6c3c8ac79397b91b534968d4904

SHA256
5f8ed83268dd7951ef0e2287b3c9741ad115bdd7a34e3b037582f12258e8eae4

SHA512
494b71b0a4b42ad7de7790f89fc5925e6e6f210f05daf90d9c5e1e2cb9a8fa113aa2b330cdf59f8879eaa0e95276bd13ab434dee034398a2de52474f62576435

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
d71e31b96f70b8a4f9cf26187c969c6d

SHA1
65c8534345cd59e8d3d4e7c673a774dab7dea3c4

SHA256
9c2330510ba7134aba974743a228005b9e4342153fdfc56dcd45a752be3e6d17

SHA512
e919067651eea1a56480dcf2a05488463f726625f5989a0e1ccb7eaaab6e325795195b09f591f59700f5f12e016f79458757a3fad7b5f736090beecc1ca2f41c

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
96KB

MD5
2d3748346ada1dbf92c46b7cfdeefb89

SHA1
3cebc62e5a0fea11f24c2aa0d10fd78d0e140756

SHA256
a801c7996452e80549c9c8fbf90d6e1306b56818d359e7c1e3f2bf0534843e3f

SHA512
f90ed054666942b0a72a70586510c3aac92dc08d6237d0e803b1e4cd3633575123bb1e7e97dcfef9354dfe1d084bd896911d9942bbaf6d5696c855697f836b0e

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
1be19e87f81724e86a25862774651ae6

SHA1
2b674d4ac84b7ee768054485887b3460d5b97f05

SHA256
1f93d187f03e4456fab668687e5ca090a57a8185483ac641065cbdf80b8d304f

SHA512
e01a76046f9a6d32893e548def25069937e9da3e2d5aaa9886ce828fbfec38787aaa0a571d0be9db0f7be8a193a0b6c0eee3f6e1de95b36ec16bf14229ead2df

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
f82363c8e8cdd10e8b6cb4bad054da76

SHA1
673e6542cec44040416d3e602ddbb63a55694bd4

SHA256
f13c7556d9b497e2ff38a7621e7915e8a150973df5d34cb9dd314abd42267574

SHA512
86194d6610b26ad72843697f3c3059f002ca9b18fe74243fc930103c9535f3a126de5b5ce3c6352799e2e82046e59c1bab8549706f8a1bc680524b0afd61826e

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
96KB

MD5
dcd43de86a055faa296561e8aa8d2618

SHA1
b952d41aad94bd3290741f5906826f491378d39b

SHA256
d725780ab4edbc908160940355f2be3607367450eb89776d48c00a3571c9d1fb

SHA512
8a0618f055b4325824576d69e37e5d4d08355fd7ad5816806baa466ea507ab5e2b96b9061bda02d8e966ee2c999e089649956e680c1ed804af48824605b6d0d2

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
96KB

MD5
6d6b29a302c655069d6efec1f9567dab

SHA1
afec23055b4716e32cab4a2f9b46f3f57083a90d

SHA256
bab22ccea93e3cdb2cdd8be260a68a343e356a632d95b6e11093a6f692bb6893

SHA512
30cd3afcbc4e475f8825bccda22c0926071d5d3de65e10a8dd9399f48047b7fffd47518c7f89248cdb2a8df3dca5a0cf763b781433e01d8607d59c85bb159609

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
cf19e1f78f0f0bb42bdce3f32d56128e

SHA1
737ab79d0a1b78079c91c66237bd23ae5bf78876

SHA256
f3fd1172dc3c18346ce5ca6a90ac19295f9a0b35908ad9d83f925883ecc20bce

SHA512
fc79784583093e5a8d45631ad8c4858976c53fa9cb492dd576203507a369bc55f4de55c79589b8a6b5fabadcb0d91564b831281faaaee6f0cb567bd532f3bf90

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
a0615548c185cf6b6ffdf7880b4af96d

SHA1
8dfc34b89a5e7eaf9b006d93637b045e6067e40e

SHA256
724b433df7b1bc62c10fcce095777f0fdd665ff6e6fa85737c8ac95bf799d6e1

SHA512
6a2500b20e6bcbf7a8bbbac86c9e5381dd2bcf603d0025097a98c0d8a9c28531d07feb359f9f2e8dbeb369583a7db6fa9daea020e8d1bbcaa4666c953b975a31

Download Submit
memory/324-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/400-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/528-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/544-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/664-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-478-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/812-247-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/876-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1020-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1140-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1192-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1224-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1264-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1344-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1352-490-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1480-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1548-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1672-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1772-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1844-545-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1888-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2216-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2248-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2268-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2404-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2516-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2520-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2536-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-544-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2588-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2808-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-599-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3116-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3164-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3228-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3248-596-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3372-466-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3552-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3592-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3792-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3912-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4048-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4276-508-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4292-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-496-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4344-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-592-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4644-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-514-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4744-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4752-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4768-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads