berbew | 7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
Size

42KB
MD5

fbe74602ecebb226c8ee48435c44fff8
SHA1

5d09cc42491006c74127799a1b284aed1551a4d3
SHA256

7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6
SHA512

c4870c65aa97f8c56c3e67f288ad60c071f624cd49d17e0558687f833b4b80144e3ad9468a34f33b5bf2660aea4d7fdbae6d667426c232d1ba0812ded655b55a
SSDEEP

768:sXH/eDERkLpp9TgGlgJ2TOmGTnejWNBL9m+3vTfsq/1H5Y:yWDHLp7TLiR9BLn/Dla

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1552	Oponmilc.exe
2020	Ogifjcdp.exe
4420	Oncofm32.exe
2548	Olfobjbg.exe
3048	Odmgcgbi.exe
264	Ogkcpbam.exe
4792	Ojjolnaq.exe
4668	Olhlhjpd.exe
3752	Odocigqg.exe
1892	Ofqpqo32.exe
3696	Ojllan32.exe
5092	Oqfdnhfk.exe
5032	Ocdqjceo.exe
2680	Ofcmfodb.exe
3180	Olmeci32.exe
2632	Oqhacgdh.exe
812	Ogbipa32.exe
1904	Pnlaml32.exe
3400	Pdfjifjo.exe
4400	Pgefeajb.exe
5112	Pjcbbmif.exe
2232	Pqmjog32.exe
4576	Pggbkagp.exe
1524	Pnakhkol.exe
4808	Pcncpbmd.exe
2112	Pmfhig32.exe
2800	Pdmpje32.exe
1468	Pfolbmje.exe
2500	Pnfdcjkg.exe
4064	Pdpmpdbd.exe
3988	Pgnilpah.exe
3368	Pjmehkqk.exe
1096	Qdbiedpa.exe
2936	Qceiaa32.exe
4456	Qfcfml32.exe
1040	Qmmnjfnl.exe
2172	Qddfkd32.exe
3620	Qgcbgo32.exe
3396	Ampkof32.exe
1452	Afhohlbj.exe
3332	Anogiicl.exe
2276	Aclpap32.exe
4376	Anadoi32.exe
1920	Acnlgp32.exe
1224	Andqdh32.exe
1316	Acqimo32.exe
5104	Ajkaii32.exe
4572	Accfbokl.exe
3764	Bfabnjjp.exe
2580	Bmkjkd32.exe
5020	Bcebhoii.exe
464	Bfdodjhm.exe
5108	Bjagjhnc.exe
5068	Beglgani.exe
400	Bgehcmmm.exe
3076	Bnpppgdj.exe
4496	Bmbplc32.exe
1320	Bhhdil32.exe
1420	Bnbmefbg.exe
208	Bcoenmao.exe
4060	Cfmajipb.exe
4960	Cndikf32.exe
3184	Chmndlge.exe
220	Cmiflbel.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Odocigqg.exe	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jclhkbae.dll	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Bmfpfmmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	4240	WerFault.exe	167

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclhkbae.dll"	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1552	5036	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe	85
PID 5036 wrote to memory of 1552	5036	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe	85
PID 5036 wrote to memory of 1552	5036	7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe	85
PID 1552 wrote to memory of 2020	1552	Oponmilc.exe	86
PID 1552 wrote to memory of 2020	1552	Oponmilc.exe	86
PID 1552 wrote to memory of 2020	1552	Oponmilc.exe	86
PID 2020 wrote to memory of 4420	2020	Ogifjcdp.exe	87
PID 2020 wrote to memory of 4420	2020	Ogifjcdp.exe	87
PID 2020 wrote to memory of 4420	2020	Ogifjcdp.exe	87
PID 4420 wrote to memory of 2548	4420	Oncofm32.exe	88
PID 4420 wrote to memory of 2548	4420	Oncofm32.exe	88
PID 4420 wrote to memory of 2548	4420	Oncofm32.exe	88
PID 2548 wrote to memory of 3048	2548	Olfobjbg.exe	89
PID 2548 wrote to memory of 3048	2548	Olfobjbg.exe	89
PID 2548 wrote to memory of 3048	2548	Olfobjbg.exe	89
PID 3048 wrote to memory of 264	3048	Odmgcgbi.exe	90
PID 3048 wrote to memory of 264	3048	Odmgcgbi.exe	90
PID 3048 wrote to memory of 264	3048	Odmgcgbi.exe	90
PID 264 wrote to memory of 4792	264	Ogkcpbam.exe	91
PID 264 wrote to memory of 4792	264	Ogkcpbam.exe	91
PID 264 wrote to memory of 4792	264	Ogkcpbam.exe	91
PID 4792 wrote to memory of 4668	4792	Ojjolnaq.exe	92
PID 4792 wrote to memory of 4668	4792	Ojjolnaq.exe	92
PID 4792 wrote to memory of 4668	4792	Ojjolnaq.exe	92
PID 4668 wrote to memory of 3752	4668	Olhlhjpd.exe	93
PID 4668 wrote to memory of 3752	4668	Olhlhjpd.exe	93
PID 4668 wrote to memory of 3752	4668	Olhlhjpd.exe	93
PID 3752 wrote to memory of 1892	3752	Odocigqg.exe	94
PID 3752 wrote to memory of 1892	3752	Odocigqg.exe	94
PID 3752 wrote to memory of 1892	3752	Odocigqg.exe	94
PID 1892 wrote to memory of 3696	1892	Ofqpqo32.exe	95
PID 1892 wrote to memory of 3696	1892	Ofqpqo32.exe	95
PID 1892 wrote to memory of 3696	1892	Ofqpqo32.exe	95
PID 3696 wrote to memory of 5092	3696	Ojllan32.exe	96
PID 3696 wrote to memory of 5092	3696	Ojllan32.exe	96
PID 3696 wrote to memory of 5092	3696	Ojllan32.exe	96
PID 5092 wrote to memory of 5032	5092	Oqfdnhfk.exe	97
PID 5092 wrote to memory of 5032	5092	Oqfdnhfk.exe	97
PID 5092 wrote to memory of 5032	5092	Oqfdnhfk.exe	97
PID 5032 wrote to memory of 2680	5032	Ocdqjceo.exe	98
PID 5032 wrote to memory of 2680	5032	Ocdqjceo.exe	98
PID 5032 wrote to memory of 2680	5032	Ocdqjceo.exe	98
PID 2680 wrote to memory of 3180	2680	Ofcmfodb.exe	99
PID 2680 wrote to memory of 3180	2680	Ofcmfodb.exe	99
PID 2680 wrote to memory of 3180	2680	Ofcmfodb.exe	99
PID 3180 wrote to memory of 2632	3180	Olmeci32.exe	100
PID 3180 wrote to memory of 2632	3180	Olmeci32.exe	100
PID 3180 wrote to memory of 2632	3180	Olmeci32.exe	100
PID 2632 wrote to memory of 812	2632	Oqhacgdh.exe	101
PID 2632 wrote to memory of 812	2632	Oqhacgdh.exe	101
PID 2632 wrote to memory of 812	2632	Oqhacgdh.exe	101
PID 812 wrote to memory of 1904	812	Ogbipa32.exe	102
PID 812 wrote to memory of 1904	812	Ogbipa32.exe	102
PID 812 wrote to memory of 1904	812	Ogbipa32.exe	102
PID 1904 wrote to memory of 3400	1904	Pnlaml32.exe	103
PID 1904 wrote to memory of 3400	1904	Pnlaml32.exe	103
PID 1904 wrote to memory of 3400	1904	Pnlaml32.exe	103
PID 3400 wrote to memory of 4400	3400	Pdfjifjo.exe	104
PID 3400 wrote to memory of 4400	3400	Pdfjifjo.exe	104
PID 3400 wrote to memory of 4400	3400	Pdfjifjo.exe	104
PID 4400 wrote to memory of 5112	4400	Pgefeajb.exe	105
PID 4400 wrote to memory of 5112	4400	Pgefeajb.exe	105
PID 4400 wrote to memory of 5112	4400	Pgefeajb.exe	105
PID 5112 wrote to memory of 2232	5112	Pjcbbmif.exe	106

C:\Users\Admin\AppData\Local\Temp\7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe
"C:\Users\Admin\AppData\Local\Temp\7e683f84177a103376eedd6281bb98f0ed0bb7648c67170ca292f55440ab5fb6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\Oponmilc.exe
  C:\Windows\system32\Oponmilc.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\Ogifjcdp.exe
    C:\Windows\system32\Ogifjcdp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\Oncofm32.exe
      C:\Windows\system32\Oncofm32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3368
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        47⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        75⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 396
        85⤵
        Program crash
        
        PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4240 -ip 4240
1⤵
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acqimo32.exe

Filesize
42KB

MD5
4cb39df6171b15a7318bedd03c6679b1

SHA1
ef7211c813c031bcaf677f2e82487d6eca0b9825

SHA256
642446f340cf5c915800066c0e0539d909f343f1c81c514ed7d2a178b7d4cafd

SHA512
f1c464546f73cf8b5a0feed45576ab0417949bea695c2ee38bf7ca6852a1f620e5636320708c0ea35ca47a78efdbfbc27e52ee5496623e39baf5222b74c3dadc

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
42KB

MD5
b7bcc2e20180445c3b130754c6448472

SHA1
57ab211ddbe8b753c96d3cbfc2cc165dddac6e97

SHA256
5c915e2f66c6a903d94c1e04202c7cbc4e68ab439aa4dcaafc29e990bf345c7e

SHA512
3105f7fc15a9ee981869fd9dd8461ee90da20d135473222461a056c3f2e6357a6e472928e22605b4cb6124ed4460f39b37e6e4bb6b1577b2c7473fa926671b21

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
42KB

MD5
d1c918fa7ec3e4c62424bb92f1b36e04

SHA1
c044ffc1a4f8a9d7b201d27a42277d42591b81da

SHA256
81d52735ae0d19f7fa4be4ce96201bd50b20f9daa026e95f67bdcf516e440540

SHA512
30a68a6f5175533f24fa0e4384e814683d85da26d77e195dd276553977a5a8748bdd4fa4eab15efef874ab6fb645b4ca1064c8bbc91b2341eed0f8ebd6016075

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
42KB

MD5
bf9b7e6cb83ad94fd3530f855a440ba5

SHA1
cf0a33f0483f14ae04f2280c99be8026c04c678f

SHA256
624f912341e47fd9034a4c3c77513eefb4b4d55c7e955e924c637d307d520b63

SHA512
7a52e3a0223763bc4a36cf8f0dd7025973787783042bb3efc157cad1a001a407163b4e92b328bd5302033c2513b7d67c75561be699ba4f227be728d809b4dd79

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
42KB

MD5
8ef7b52997d7ad37ab82b2e12ce15b53

SHA1
a8357d407ae5b74b15698105822a95b4b51ecaff

SHA256
f57a3b649f8e63b0a9198a55b5c2dd3e642a1877833301a0403643173008d42c

SHA512
2260107bf43995c92ab1e1029799a6220d25bd26c80d425caee086fd198e9096bc4deb3f4bbc26e95670bf8a40b4b6fb7cbcd94866d4ec536739b5e49aaacccc

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
42KB

MD5
7e42029745cfc8348ba7186a3ea05029

SHA1
98c5454e7b243fc72e1b6ac20dc18de5ba62694e

SHA256
274cf8921dba18016ae849845ceb45fc1b92434b343cd8d4e18720ac278b7f3b

SHA512
0390581d4432cbea8889f66653ea45be5f23f08865146f4ba8dc39dd3723ebc53367d5e623ef16119e50a2cc9e50107fd719de8b9a35804d244cc2bd01c76698

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
42KB

MD5
b569798235c848a93f9b003b8e4e526a

SHA1
e56080300de71a21b51d9dfb710c1b4bf019cb1b

SHA256
881d8c5d4b22165c814a3b7e558217ab3ee834624e46327babba0a3c2b4760f4

SHA512
ed7a0dbbf929dff6519d96912ecad880b56dd13ddd356300491b2ab7c85b69187f68c5025100313b9cbf1b5ddac3908f24028a57b859912ff405f153009eb010

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
42KB

MD5
5a60ecb6bdaf8da3ef9a6a976e04142d

SHA1
5de558226b0132292490a858670d145df9623e5c

SHA256
86fa7542041ec70f1b2e7d50119370ba810e1c40e6e75240e4dbe65385ef832a

SHA512
0266e1d62af0ee9ebea525f5cb7de651183472ed186b3ab8c0f2d672c045dafa912ae5f0f37e467be11661e0d59213980b7b0d81502c881e663526d16a343864

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
42KB

MD5
e497a00f8a63c3e42bb7a0e0fb48a481

SHA1
5721ba88423fb7749b59bd6381d79bad45ae83f3

SHA256
af35d5f18fed178d9f6bb58303501005ae581094d799e954ed95760486c3ba64

SHA512
81e00d205db449c53f23078d9c5afb75723ee6083c9a5500a3186c81bcc5c9f34376cbc370b6159498d46ab9ad78336bf2921db281b7e3316ac0eba5f2858eb3

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
42KB

MD5
c484acfa1ee36d11826a1a039fc1b6e5

SHA1
c7a9c4cbc2832e072f66e50c0c697698ecd6fa7e

SHA256
092173c794537a0afd7ff03731be0a066197cb9ca52c0dab4c8d924a46cfeeb6

SHA512
e55bae5a1f6ff1d1d57b8a28ea00e17784a2a41cbd2a94971fb1c0c17501b3a493304ea5391dcbb7794950609d1f418a9db72ae433e7aa3558fa7f09d3b40046

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
42KB

MD5
c703158f9edd4b28bbf915624d1ab989

SHA1
fc31b60ff8a73b3e481c5e71ad3d6dc2533eb3ad

SHA256
7dd6d63a62579176ea40cad151772b1ba09537c6577afe55c76fcc2a8d480d07

SHA512
18aa1b9c8243b2a60e1dc11fc27b7ddcce94906dac6e552954c6acb45d5f7b0c88629d57d2c81f17f77c5067802ce6ada87b72bb8752901d549ae2535d2e5e1e

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
42KB

MD5
c801e1fb5b5d2f7b0433370ad3001338

SHA1
e3309b8383bfe5764c310dd3689e7d82ddd5af82

SHA256
c84ae59d2deed8c8e6d444edca033fb39270b2f1dbcc23399866d41e612ae1fb

SHA512
f9989fe3c0662150ffb8191cb38a663050dffe1e3652dbc63a5dfb003db10aeea23fb06b1230b87437e51c159e781069a63d5159df23e307da60ce53043b2dda

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
42KB

MD5
cfb79ec248519d2028f30cc8ecba6b0d

SHA1
a3b9c1a7767d5b91b59c5a87edff26211d3ca88d

SHA256
e34785df9e7f82e61d5c7040d907e3548700103bd2958c14197419537765cab0

SHA512
4238bf1fd367037d2d8df7284291f5f661c8dcc2dd935d4458e7f5567df754dbd2d0e7f8e0c2ca1c6c4320d31c7caa2e336b95100548afba0aa35605a9899b8a

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
42KB

MD5
2deca15ed5c32b0e6e7992ebc2dc8ad1

SHA1
9bf5ba9ba7dbf5586e0e38307cc5103a3ef742e0

SHA256
fbb70d1e3367b79270a7c9b8cea157432761cd62a1bce13f4de3968fecb5a411

SHA512
9977dca4e6a6c32d222b4df4d940dc805e85b978636d93929aae0714aa9a7d58ac92fccce88c849bd871671ebce10fd24c0cb296db9e197b3f7017871dd3a174

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
42KB

MD5
01f91e6b0f0c81e73a99a79e16e4e9b6

SHA1
e37dcbbc3d9f1e06f3ccd27c7baeb3c5444d1228

SHA256
9cd8e21f4420f7c9c074ec490da3be1a351a21123fb8302eaa855512e54c015a

SHA512
7a057837822f87b02d3c8331ba5756993001825512932c4f59c56c3914ff18e500c961aafebef2c4618e95ded11f9a19f5b84797dc66c7bae954a39f34e1e7ee

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
42KB

MD5
b19c856877bc4e7948d973f10cee7397

SHA1
898d19157aae32b1d05dfc1e25e7bc1638a4786a

SHA256
22769ef832e3365e72b12541a79ef644e6a3e88c4fc5324b9d138752bc947ca5

SHA512
01b2f5bbdf34470aa266e65f4f7ad916f4b3f5ded8eb05b72592da6c8cd0aee9e58a56af694cd3cbb6136e78dc7bcd54fe0fb212e189e9ab9249ac040e27c94b

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
42KB

MD5
40337409e00489868a00733c3787d1f5

SHA1
5e8059e9dabca2ed5102d246c56c073b4cd8ee13

SHA256
db8e23aa4258b18ead8dc0c4a33c88957cea84a9d5449069136186cbfb1adc59

SHA512
562603d5771a393a6859e55a3ace08a8416c201d6a9416bfb504b25116d15f7a14b9ae84d9651b4d873f1897b3c09ea0f018ec251f56b26434db898f98a2244c

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
42KB

MD5
52b19775750e6aa9ceb967cf4f0c1828

SHA1
e58336998a8087e274a2e7e213a36616842da77d

SHA256
ac527f65a578c106711076770f7dd9d2d90beb22371967c9cef94ca0ca8063ef

SHA512
93c635b5ea161a5a56f7867215f0fc1b9b71d3eb18893a1e3e2b4f3e5285b721c4b09e54b0c38001643f3eefd9605856ee5488c2eb2c82475bd7a6164ac66197

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
42KB

MD5
b2cb2d9dc128aff3e84c912c0e60e04f

SHA1
cc4bb294aaec10b6cb105fdacfd3beea0a6d1b82

SHA256
3249b7eec8aab8e09f52ce9dcbfbbd6fa138d7b482102721715206e297947bda

SHA512
d6ba335d22951b91f75a806cf51e44808b97e1365f4bbe38da7f74ceed1274c5dfaac84523895006702f414716dfe034b06e4217271be0e8e6013ba160f0e7c4

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
42KB

MD5
3bab8951b7a22e96d75e0dd77aa33da2

SHA1
7da4be83133bc59e7c7912d0b6802c94ea88a06b

SHA256
91eedf704abb73420d7dcf5ba369f325fcace31bea30d1174b3de3a4194dba2a

SHA512
0c4df281c38d9e676b08804a2d5cc370edb06398ecd13ffdedf404fe03e7354f44acb7bcc710dc354edcb31243781c0d0ee0bfb6934de2b6cd5f300fcc241d39

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
42KB

MD5
7c9270c6addffd71ebc482470f7b744b

SHA1
39e6c2ad18b5b060601e34ab0b0c54b34bff2888

SHA256
27737627e2f1889fda1c2a503193f4bededb42a5b489f5df41ecd343f47c48d6

SHA512
1507d3604d0ef8697920dde868ef1e6fa726dbbd42313458aa482a0115fb017aa8eee571d2117a6e7a4d0aa08a3f4599b165275c744bec1c16be1f344a211bd5

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
42KB

MD5
f290db3db574df0c9b6240b78ef86956

SHA1
677df7aca5902fe7e80e5df70fb630945c148a35

SHA256
68972acf543ddbf6f92275e6fd6995d1a3d33fc14485bcc28f3a6770b6e5671b

SHA512
ebdccc3d2fbdb53dd8f3790d8773910c0e1e8b8063875f87fce5f58164183857d9c8667a2004b665ed925486eae103bd2780af4a4052b5ce9ab5189c8dbd56d4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
42KB

MD5
2f2d74e5d0f8d94f1f95ef38772fda20

SHA1
57e8bc9fbf14231e2c715a3a404933f013f7bb6c

SHA256
de39c7155a99808a9296ea256a7c500dd3b4d2f5f925b17a5d6cff8036fe74a7

SHA512
7a2793641b8ee36df1178bf488144b0c824b1f34b73a6becc4717af2a97b80f9ca06dcc6460894429f76acc03c81439690f113098c7830dee3eac407dee64340

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
42KB

MD5
72f59bd94b4f2111481f7f8d96f451f5

SHA1
52d8680a175be16a028c68cb43c93f1222331172

SHA256
79c505049e0440378654a0d579da2522395d52ef84497f44637b73ee494c2e72

SHA512
5b9dc83ae134b9c0eadfd38eaec5c14696ba725f21191cd3d7c2a24f51d3e1384045c7e7223c476f9183c24ac6cf1f355df99b314972a1b9c32594841f8921cb

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
42KB

MD5
1813bac76341eaea5acc385eb6b7d5d9

SHA1
be7ccb35d724440b2b06b5f7a1968bb81b258a5b

SHA256
ab1dd93571287b602dee7601faa01c0758f7fd0739fa99d808439346c20c73bb

SHA512
e003d5b4a088e60a2a09e2b5bc671854056008c974b518b49995004fd875698f3395abdd005aaf491c64704c1d9cd685bdbf89aab9591dfc2149281a4099a7e3

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
42KB

MD5
b59a89d48b08c2e372aeee30874f3071

SHA1
e7d504f57f0cde636d3057459fdfa16061a0c40e

SHA256
ca347c5111e716562118fe034d8578b07768d8ee8005ab4570c9f5162109660b

SHA512
b11721872faaae308c19d62828c7882e0ec002338322cef6b2bead77c16ecb4ff42a05a6107c75f8537101578759289c43894246305726c62678a731991c6dd4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
42KB

MD5
d385a7de524019fcd04fe352879dfe8a

SHA1
e9b69384d3cc6c879140f87e08cbed6e581e5279

SHA256
a3df8c2505714ee1d57329c83c895ad4d359cbb206e8b9480429062b857bb97b

SHA512
77fd42c0af5147433d5206819818a9530e0864407365b047ffad6d48ff10b01ab1b00d1771af3a505b348aeca76cccca080beddd398e3ca5b9aaed40ac16b8cf

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
42KB

MD5
a9dbb1df53b3e32bc4bb2161178f7c50

SHA1
2db463cf9f3f72bc3f44c98f8b3b720f07ad3de1

SHA256
602e9dee869435c00fed6e1ddb7e157552a73a478c9b993e446761a319cadded

SHA512
8beea8b91ddb16cbba85e2ec2ca0a3792c2fae28ee2599dbef4387b96f76eeb511f3a9bed5682843877c53c1a892430956b7a491051c10d6756aa98f92f022e0

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
42KB

MD5
2eeb9da60fe426811d4383989938f712

SHA1
7aadeaaf162d43245a8b7a3c59cc50e12a8f04d7

SHA256
e01477a8b00fe278d55fd790714fe04c09b237b9deab4bbd0b487cd9a885d69d

SHA512
8e57da8abc74a90a86a3a4473bcae63a0fbeb049e7bae10c6b6877d97b468674ce13c0a08ac28892f8f55c68803cb620c8189d2e2ed366996e19b9370b33a7c6

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
42KB

MD5
4887a6ba43565d298dc8c3922cbca0f4

SHA1
1331687b51ee0ee99b8399c678ad347f4b8cb72f

SHA256
e8be3a2122faa53c8d53470282dbca4ad93cd3f56f0e56ac321c529db32bbca2

SHA512
03936d2757a31192a78acd5e39f5fdfd1a8df843a9efa87538409687670d67e3bb89b2664530107ec10801d1c37e9976f713dab2608370fabe63d39f671c08e2

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
42KB

MD5
105feff983140d579ae585850cfef858

SHA1
8221e4fc2c6b4d310593dea20f201bba66de629f

SHA256
f9ebebbf017e98b1ec86406d7b604c78b733ede1912c6c97fb995563428d8c20

SHA512
bdca28b21947264b8e370ba0b468f2ce9602302a0e998917f6aed9adad69483763ad8ec36c9259b510e64f4c7f4bf23f714385142e1e26886543221d028942be

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
42KB

MD5
bec1998b327e0a758666e89a3f22e92a

SHA1
1d885dd37dded9c7f478e51a24f390293a4ec2cb

SHA256
154963a9ce352dbf450ad339be693610e74957302b7f8103b4ab463885d94b9f

SHA512
85c26936a3d3303b710f11ea592c0954ea177f39f4389db918b4f3355b077afd3f29bbc37de872f3f17ab6356979e823bcec721d1a8b6d725e749af928a97f6b

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
42KB

MD5
3bfa4371867ce2d10a277244b2621b75

SHA1
e76a70e0443e4af497cbd914b384ede21048d050

SHA256
19d166362bffeac7dc081b5712ebf6049617e18c8ab933fa3fd17926a69f2ecf

SHA512
42b91d623166e8745cc310ef258ee092b1d71f7cf16085d6a02c72092f9cd94793f4991974747a08382b08dfcc0aaad4d920e2f989df4e5b8db944e065ae663c

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
42KB

MD5
c1a0b5a09e08a612d73f44f270ff1834

SHA1
aa20179a5a50a30080c6a41c61724e05cfc02112

SHA256
e9e5c4d09506c685242d0857a83a7d3cd80c0234df09eaaa5dfcf9e37e8f97b1

SHA512
fde00cfa82682bc9d1a1832158b681268cd3a44a65dc0274e1a6717d64a9abe7a4af040da2a2e99d1e93a86848709f19ed270de7b9c24e141d5bc2cd9c94bf78

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
42KB

MD5
138b0fdcc4366b27f979e904101e94f4

SHA1
1fa5a927a034b6614b55a5a88abb0d56715285fc

SHA256
5e111d6cac8fb9c8903848959ab366538e27c3a9d507498c14f53e6187cebd10

SHA512
a035d7f470698c53aa26e3bced2eb813bdd8b6eae662ef074fa5bdce8a3ecf531a49e67b6e02343c8d16674ff208581a8e61b3e3cca2639cbeb29b49ce14d09f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
42KB

MD5
cdc64bbb2673984c13ea02565b28c869

SHA1
22ea29c383c709d2c578ca270439e56261834404

SHA256
95a1474e8381cd11e5cafe70cd643db8a025241636654ebaf0caf52d84b46372

SHA512
dfd4b93512e83e71242796716242b06dbcb036791161e8585bcc5d1475a656d676bc0123937b5ba15c70e1c1e8538a71345f8b7280648d638bf25c21324c8c73

Download Submit
memory/8-570-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/8-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/208-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/264-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/400-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/812-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-478-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1096-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1224-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1320-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1452-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1920-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2232-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2276-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-582-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3048-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3076-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3180-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3184-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3368-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3988-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4060-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-466-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-569-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4400-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4456-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4752-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4828-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4864-576-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5020-631-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-574-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5088-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5092-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5104-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5112-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads