berbew | f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe
Size

187KB
MD5

e33ba6fa244b8f7f041121ac29d4a680
SHA1

bf391b1be27134531ec3ea76802a2d924751aa69
SHA256

f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8
SHA512

1369c50a0babeb6d7c09375733cdc016f96e2a1b2c91d5eefbd46ca0d3371f43b295e90debc5d6bcce7c027fad21887392b3fc4b7dc090bdf09597e6801c4ff2
SSDEEP

3072:A3ivjiHOUJBv1GHAgBqpAylU3vDVgtRQ2c+tlB5xpWJLM77OkeCK2+hDueH:AS7ilSggkpnlU/DV+tbFOLM77OLLt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4088	Olcbmj32.exe
1316	Ogifjcdp.exe
3840	Oncofm32.exe
2432	Ogkcpbam.exe
2876	Oneklm32.exe
1584	Odocigqg.exe
3640	Ofqpqo32.exe
1112	Olkhmi32.exe
2316	Ocdqjceo.exe
3788	Onjegled.exe
4444	Oddmdf32.exe
2976	Ofeilobp.exe
2132	Pmoahijl.exe
4404	Pgefeajb.exe
2608	Pclgkb32.exe
3572	Pfjcgn32.exe
2272	Pqpgdfnp.exe
2624	Pgioqq32.exe
3484	Pmfhig32.exe
1664	Pgllfp32.exe
3412	Pnfdcjkg.exe
4408	Pcbmka32.exe
1916	Pjmehkqk.exe
4696	Qqfmde32.exe
4684	Qfcfml32.exe
3952	Qqijje32.exe
3156	Qgcbgo32.exe
4232	Anmjcieo.exe
1936	Acjclpcf.exe
2764	Ajckij32.exe
220	Aqncedbp.exe
4896	Afjlnk32.exe
4368	Amddjegd.exe
1164	Acnlgp32.exe
4680	Agjhgngj.exe
4008	Amgapeea.exe
224	Acqimo32.exe
4172	Afoeiklb.exe
1932	Aminee32.exe
1264	Accfbokl.exe
3536	Bfabnjjp.exe
2696	Bmkjkd32.exe
3568	Bebblb32.exe
5064	Bfdodjhm.exe
4828	Bjokdipf.exe
2860	Bnkgeg32.exe
4848	Beeoaapl.exe
384	Bchomn32.exe
3284	Bffkij32.exe
3604	Bnmcjg32.exe
3584	Bcjlcn32.exe
4948	Bjddphlq.exe
5068	Bmbplc32.exe
620	Banllbdn.exe
3288	Bclhhnca.exe
3704	Bnbmefbg.exe
5072	Bcoenmao.exe
956	Chjaol32.exe
1708	Cabfga32.exe
3196	Chmndlge.exe
2236	Cnffqf32.exe
824	Cdcoim32.exe
3040	Cfbkeh32.exe
2396	Cmlcbbcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Odocigqg.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	3272	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Oncofm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 4088	3896	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe	82
PID 3896 wrote to memory of 4088	3896	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe	82
PID 3896 wrote to memory of 4088	3896	f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe	82
PID 4088 wrote to memory of 1316	4088	Olcbmj32.exe	83
PID 4088 wrote to memory of 1316	4088	Olcbmj32.exe	83
PID 4088 wrote to memory of 1316	4088	Olcbmj32.exe	83
PID 1316 wrote to memory of 3840	1316	Ogifjcdp.exe	84
PID 1316 wrote to memory of 3840	1316	Ogifjcdp.exe	84
PID 1316 wrote to memory of 3840	1316	Ogifjcdp.exe	84
PID 3840 wrote to memory of 2432	3840	Oncofm32.exe	85
PID 3840 wrote to memory of 2432	3840	Oncofm32.exe	85
PID 3840 wrote to memory of 2432	3840	Oncofm32.exe	85
PID 2432 wrote to memory of 2876	2432	Ogkcpbam.exe	86
PID 2432 wrote to memory of 2876	2432	Ogkcpbam.exe	86
PID 2432 wrote to memory of 2876	2432	Ogkcpbam.exe	86
PID 2876 wrote to memory of 1584	2876	Oneklm32.exe	87
PID 2876 wrote to memory of 1584	2876	Oneklm32.exe	87
PID 2876 wrote to memory of 1584	2876	Oneklm32.exe	87
PID 1584 wrote to memory of 3640	1584	Odocigqg.exe	88
PID 1584 wrote to memory of 3640	1584	Odocigqg.exe	88
PID 1584 wrote to memory of 3640	1584	Odocigqg.exe	88
PID 3640 wrote to memory of 1112	3640	Ofqpqo32.exe	89
PID 3640 wrote to memory of 1112	3640	Ofqpqo32.exe	89
PID 3640 wrote to memory of 1112	3640	Ofqpqo32.exe	89
PID 1112 wrote to memory of 2316	1112	Olkhmi32.exe	90
PID 1112 wrote to memory of 2316	1112	Olkhmi32.exe	90
PID 1112 wrote to memory of 2316	1112	Olkhmi32.exe	90
PID 2316 wrote to memory of 3788	2316	Ocdqjceo.exe	91
PID 2316 wrote to memory of 3788	2316	Ocdqjceo.exe	91
PID 2316 wrote to memory of 3788	2316	Ocdqjceo.exe	91
PID 3788 wrote to memory of 4444	3788	Onjegled.exe	92
PID 3788 wrote to memory of 4444	3788	Onjegled.exe	92
PID 3788 wrote to memory of 4444	3788	Onjegled.exe	92
PID 4444 wrote to memory of 2976	4444	Oddmdf32.exe	93
PID 4444 wrote to memory of 2976	4444	Oddmdf32.exe	93
PID 4444 wrote to memory of 2976	4444	Oddmdf32.exe	93
PID 2976 wrote to memory of 2132	2976	Ofeilobp.exe	94
PID 2976 wrote to memory of 2132	2976	Ofeilobp.exe	94
PID 2976 wrote to memory of 2132	2976	Ofeilobp.exe	94
PID 2132 wrote to memory of 4404	2132	Pmoahijl.exe	95
PID 2132 wrote to memory of 4404	2132	Pmoahijl.exe	95
PID 2132 wrote to memory of 4404	2132	Pmoahijl.exe	95
PID 4404 wrote to memory of 2608	4404	Pgefeajb.exe	96
PID 4404 wrote to memory of 2608	4404	Pgefeajb.exe	96
PID 4404 wrote to memory of 2608	4404	Pgefeajb.exe	96
PID 2608 wrote to memory of 3572	2608	Pclgkb32.exe	97
PID 2608 wrote to memory of 3572	2608	Pclgkb32.exe	97
PID 2608 wrote to memory of 3572	2608	Pclgkb32.exe	97
PID 3572 wrote to memory of 2272	3572	Pfjcgn32.exe	98
PID 3572 wrote to memory of 2272	3572	Pfjcgn32.exe	98
PID 3572 wrote to memory of 2272	3572	Pfjcgn32.exe	98
PID 2272 wrote to memory of 2624	2272	Pqpgdfnp.exe	99
PID 2272 wrote to memory of 2624	2272	Pqpgdfnp.exe	99
PID 2272 wrote to memory of 2624	2272	Pqpgdfnp.exe	99
PID 2624 wrote to memory of 3484	2624	Pgioqq32.exe	100
PID 2624 wrote to memory of 3484	2624	Pgioqq32.exe	100
PID 2624 wrote to memory of 3484	2624	Pgioqq32.exe	100
PID 3484 wrote to memory of 1664	3484	Pmfhig32.exe	101
PID 3484 wrote to memory of 1664	3484	Pmfhig32.exe	101
PID 3484 wrote to memory of 1664	3484	Pmfhig32.exe	101
PID 1664 wrote to memory of 3412	1664	Pgllfp32.exe	102
PID 1664 wrote to memory of 3412	1664	Pgllfp32.exe	102
PID 1664 wrote to memory of 3412	1664	Pgllfp32.exe	102
PID 3412 wrote to memory of 4408	3412	Pnfdcjkg.exe	103

C:\Users\Admin\AppData\Local\Temp\f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe
"C:\Users\Admin\AppData\Local\Temp\f667ab9cddeb50b40983238ce5a0b641ca3c084f6a7e72a359cb741c7f51acb8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\Ogifjcdp.exe
    C:\Windows\system32\Ogifjcdp.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\SysWOW64\Oncofm32.exe
      C:\Windows\system32\Oncofm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        45⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        67⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        81⤵
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 408
        90⤵
        Program crash
        
        PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3272 -ip 3272
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
187KB

MD5
dabc8baf187b951ae0fd7a7534af5663

SHA1
8667244e1c1f3b2096343c522337611c798e8d29

SHA256
fb155878ca2a6ecede82b54b001ad716c616cf29f6388d5e85930eb1671b8394

SHA512
0d89d63664ccb83d8f3b6905c0ab982f664a4dbf4b3bf2c123e1d1b381192e7719b453267ad3d366160acc3ce430b376e57563bc49c84379de1bc26f334b8833

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
187KB

MD5
ff446d695becd87e0ae6ebff85bd469f

SHA1
e9f18066a560a940802d1a9670c0371b50dfe3b2

SHA256
7e31bacde64ab007d766ccef452b9f406cd39735cba4cebaff410f6f48f72eb8

SHA512
3be0e7e0531ee9aba5d69d0db443e342dce90767cf6f848ac7073e08d09b882d5132cbeb6a74590aa9c4fbc32b24aabe9ec7341d5a3189fd0120d0284a549d29

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
187KB

MD5
6e36d23000d90a9bdf6a3d9bb04fae1c

SHA1
6633770dfbbe9a10ce229523a2f945ffc58116f9

SHA256
cf86cb0d4630499a492aa9f2e87c128a1c357832eeb1fbb5e67633d29e45d312

SHA512
4b9ea756239df53254b36dae54fd24cecdffaead5402d98bf2e46b99553674c09def7c9e67a1bb4792a952f9265258b115e0c2cdfa070174ea48ff9327787704

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
128KB

MD5
8978b28d3e6d0712f8deae016970c241

SHA1
440841d5f40a4f95c61835720273afb12c6c4935

SHA256
4dc4ff8928ee382b14ed7c61bf488663e826f9b5ae88d5d6a98658946df36c30

SHA512
f5c240ac818f9a29e22ca2c790877b631af8cfef4db896a7aa8469757c2d7fa341767911edcc5311520fd5a51029006fe11b1f3fc3d52c0883c64228e53c05ff

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
187KB

MD5
22421cb30e45dc748f5c6921bf35bf24

SHA1
07883b9c117d6542e2747bf42c4a99c01c176566

SHA256
184b495569bf61655cd2949df788fc8c9f5bbac19ff419439d3a3a9313f61410

SHA512
b132183ed9fcae9bb5f114ebd4a5b909f09cbf4572aada2a37b433a71b7f5ff79dabff6d1e03b78da7d06974326d4cbd40e26ab6b9b0e095c758a8473eeb40a0

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
187KB

MD5
ab955f795aff6feacddf3a8de23968c8

SHA1
3575bdd2d4a6e3b3fc098ed517c991e823ec764a

SHA256
458a1abf548f27597dfefd10cdd050c5a4a4bd7273402abd3f483a2d6c0527fc

SHA512
d64c8d6ec0ca17eca544512d62f83b64a1e65a283404a1205f322e253b2a4a7a2bfe9a717d70666895bef951dbdf7b5a6a07b157157b2adffd173ba7ae990466

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
187KB

MD5
7fcb08335cf326bad36eeb45b69fea4a

SHA1
faaa0f421e4b518d8def6b1767900e03c05c5ce8

SHA256
e6536f349afa981a9316324eb76e174ab960822fb257ea3027b856cb807ca204

SHA512
52bc3a2f333504ac6f93ad5fd05df780245b5766487efbde938dc864c1a1418d223f4514c09f28b3a0a8c5fd17c67b3ec7c88007c1a8025b67a3236a9d5120cb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
187KB

MD5
48729ff7447d8a878977b071fdad3f0e

SHA1
b8f41afc036b331a8e146f730409db877e58302e

SHA256
00f54b5dd269a67c87337f4b5074230d436437108f53d6cede5ea2d2cfdd740c

SHA512
c4f0905f8e640e5118185b0b3f974ee711878381e05828ceb47933f38520c6e2f6c7d1cb5045c037f3b0631f3ae6a97750250c35b180471186dc0c5130f0d70a

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
187KB

MD5
cf4d0bd3cb15ff80dd4556226a2e9228

SHA1
dae2e6f6f2fe3c63a69267b0898f9325cce0ac0d

SHA256
b7d465cb2779ba74f99f96e10b6f024d1df138fd2ed707846212d8f0341a2727

SHA512
d96f0187c80cabb6316f76cdbd32677c0dca9ee485461e74a28eb111dc4974e19e78d0fa5b64961274d123bc528104ebe3a89643330d31629e7ea73b6a25fb24

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
128KB

MD5
fa11e645a6f444a340f12b04b057a5db

SHA1
c30d20ecea5c9d8c99f6e18c1dab88de05ade0a8

SHA256
384552a8b18fba5e31665c02a19843dea792a3da4ebe8bd55738b95405e3a9e8

SHA512
9bd873c10095ca9f5ca974e2aaecb4a5501a48e1363ef4578c6411ec1349f865bd18c0c89609b87fd335b601cb92a224a01935406d5946576b3ca549ad0b0fc6

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
187KB

MD5
9a9e1113b09d06a9a2ecfc6c1bcc2170

SHA1
28d498988c7d1366d22750a5bc88acf37e967990

SHA256
4a57ccbbf4e2c000c55227222484552436213234475358d375da1c9cd888de35

SHA512
622a979ae6ab8a3c7b8d62e1938fab8eb0e383b1c6c6dd1d9ab568e3908fa47b78025ef4b45d75c54605fa8cecf7610ba562bdb3469be7a6c054742bbba2fb70

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
187KB

MD5
72bd80b2a746cf93f5b3f178e262afe0

SHA1
228d87602592ca7289e012f1e1971bc9b55389cd

SHA256
6846c6d6dcc52b41f3a6e7cba595816bfc2f76b93266e1a6d08cc7d10a534b00

SHA512
68247bbe279b9f83b5e3e1f64a6d8e973436be06305cd863e7f26b294f7f029adb05a921e8b8c7fb26249c0290a306c170b87720c2b5208c76b42d996eb34072

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
187KB

MD5
546fb526108f47c59bb4dd4d3f177b82

SHA1
04753d1c4ccd8d5a0babde93f28eb10231cca682

SHA256
61738a0a6078d2fa84a06cb4cc0995800bd03895d8ebacd51250adc36039f449

SHA512
6fbf60e407f17d8475aa54537dba5f91d82fe924300dc60b6f02b48c8a824d6b80ba1e1bee57a1a477acfbd7291f6145b5317bbcc491fdec8f91dca59c60be13

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
187KB

MD5
f0a20285b7becf5a12628ca7cc0a4d0e

SHA1
7890ae1827765a6676bdcc6dc0f7a1a6ed4eba35

SHA256
8ecffc1b6ed8c77abddf60433f7e69d5d7d07fd901524e37d3384ccd71a99bef

SHA512
85bb7bc7058f29bf1cab2914900e59b3ac8b973aa8279113cca76df188e062a156a0ba34f4c620a795bcb727b21edcd788fa360a95b17f675cdc00750774e6b1

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
187KB

MD5
2690aeb15720fc4c868d8eb6d652622f

SHA1
564b65ab9315cdba2ee60c271f4e83262300dba2

SHA256
a2025b055fe8b350d34eae5924692bbdae9af055c23efcbced18678edeb8d942

SHA512
5cdc0979fa0b1010db771c5d536c541f12bf3f970b121992ac05e7930a5cb61685805e95fd22cad4aa8d412cc10db9ff9e7894409af6e907b7f28dea2e758c40

Download Submit
C:\Windows\SysWOW64\Ladjgikj.dll

Filesize
7KB

MD5
fcdac37c9e578747a0085b596bce6ca8

SHA1
5c2c55b17ad7039f2427c64b6697e5db9cab903b

SHA256
a681f2851097966909c2688a664180c2f897fc9a3a212e7184cf1898af84301a

SHA512
28a0b31780369276fa207084f1c29448cc8c1a3b32662b4d6e8b82c50a7b3c21670ed1a2d694e42e6f011bde3bd14174256267a21a97586a23bcadb54f0fa216

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
187KB

MD5
c90eef974b238afb600b8afbcef1a62e

SHA1
bcf0bc7692886373c44e8a9a87f2e9f384c36eaf

SHA256
55ab9efe3034953d1f3d902da13e1d0c33c893bbb1efe6c17a979fe78b3308b0

SHA512
9c0f4be73bd4dddc26a6510f2e9dc1b81266f5f64868b1572bffa3bad66fc869b63e9e0e30d7c7c09d6bb3588bd1a729fe9dc44e090a19be50fbd87b9708b669

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
187KB

MD5
05f2ff0ed3c5339ad83f6fcdb4a5c41c

SHA1
b2dbfdd7a4f1ff264f4def1b663fc417ac4ad8e2

SHA256
0eb6cbcfed4175a6b9466ae85bd2692b739460fb125d29a977d7367ec05397b3

SHA512
5939ead849dfd0288b8a628704bf2bd8c19ea42709670f0caedef0445d130f3205ff395599ed49d8e48d604d173229dfea754ded2f932d5ca227d7de893c66d6

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
187KB

MD5
03a4d789db060420125ff409cf256c44

SHA1
2306b259ce7909454a55bc12418b672f281f18bd

SHA256
7571de3e44c1e1ccd19ffe3fa6ea381eac2e41fb39add5370c3ad6a3a35b6e0d

SHA512
573ba08b82550ddf6ddc75a14f041fcd8711938c86a3b844e6da8f99971209536e0bc04e2b3f5d2867aa99f93e6af8f3934b839d465b4d42a337bff47a590793

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
187KB

MD5
d1dc98ac50ec12930ce218a2596608ec

SHA1
311c6f00bb41cb0315710bc2a3fe65a1968668c2

SHA256
3b44db5c6f36ad398fbf97450d0e552beb5f20d28f44f750c6245160aa949380

SHA512
0ca9b642c30ab7d7d519abd8e2b83669518970957d996d4b6014d01caf7dfb03dd9b44e22d6b6759573ffba89dcda0fc9add2bf831fdd6610619b10e781ab1a0

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
187KB

MD5
2a1f4b7fd36390512cbaa29b29a5975d

SHA1
edac62995fd977dd63083582485db5caecd587f8

SHA256
e028bf8bf0d89583c300499b065df9395434c9be66ca431e2e60be2af885057c

SHA512
b085acb4e6098a9c6b5847483d1646bd65040d5dba4172d2c8ffd29795b52267c0c5805619937d4063add097dfea67ef7dd82ac875a7972f49fb9685ce8133a1

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
187KB

MD5
e45bf44e3a002896094c564b6d4ea83d

SHA1
60effd1200a6eb7a9eb9b7b098c37602cfac8a44

SHA256
1833baef305abafd00fa04445d4b76d6c7acbbcf4ab47c5ada61b38f56db3bab

SHA512
902a18d3a8b624c4e5473bb0eed7c2a1736b718a3cc8104fd4fec54bc070b0ced37639d1ab3b5d431361845d390d3bdec3e09a83edbbc87066b96722483dcb41

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
187KB

MD5
4d34af9d090c893743d539b10606681c

SHA1
546d65e506599fc27f5b195dfcb8d148084950a7

SHA256
06934db763162510712ffe33be179b3f2cccc2e11fabb8aa90060a0bbd0644eb

SHA512
d150e865bb3645dd525cc86e41deb215bd699baf101c543eeb1ebf4b502f171038a14cff09508774e3652d76941026165f681f5a5a0b2db09945b22d0a71627f

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
187KB

MD5
90d47bddb136a104f292b149e50d9af9

SHA1
c2fc6b8aa24c673935a048b6a84d6ac1893ce0e5

SHA256
915cbdc6c41f13ae0f0d1a139496a03ecedcf6849ad70bc53154b5baa4648253

SHA512
9c38d72ac0944254b10403acc404a29f4ae9b95f3ea510cb810f07493cabd0c999f3b9002af623af0d100be80227edbae6a4ac028a83de07c3e79b1db1945ee3

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
187KB

MD5
abed85bd45ac51f76f0fe37f8f66c4e5

SHA1
ad8ae7118e500547d174e0918a0f56c94a82981d

SHA256
bf84ef92468ca76b88b0efb5d8997ee3f027f4a2253946424ffec3b942ecd9ef

SHA512
0e40f1632d431ff085f2d11c991b8be62417686b8d0eed50574ff496a6baf2bb594df0c053a765239e3ba4c01ffaa614e1fb1a6c404f980263424884bdd6869a

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
187KB

MD5
cbaf30bb482a9d711f67e76ab2f76b7b

SHA1
7ba1caa3cfd6db5438a869dfd3fab3147c0cbaad

SHA256
0b03713a6563ee0bcc7cb3a0a3913233c0807e7bf2ee6b77bf759aa74aea07f0

SHA512
21f10175cf53ec99458cff3730f66bbba91173ccdc78eaf836059941e9554b9fdd6d0e48e2598f3b52c0dc762975c612991ec4a49fed33e45d11ef39efc41c6f

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
187KB

MD5
f916515a93c97ffc7446897c9e370271

SHA1
2146389796748a99fdc37a15f1c1d0da774d6505

SHA256
838c8efba6e8b4c43ed171557031c314562f625cbe7331e3c3e7252c100c8ed1

SHA512
68b91311090aa1a49b96a56ef5d6a4273013aed8d25738f9daa40b9e0a1d840dd61a452dc8adcd1aae9c015a1b1e8e86418f08143998fe75ad3e5044a1988a4b

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
187KB

MD5
807667f4d1e5e81224fdd77867d7ce8b

SHA1
5a85ee2ac0a18253f72f80a76815f2e7ce88a00e

SHA256
ceba8df95012f79b39df77456bba5086855bca0ef4d6ffae913a8cf3a3f2bb8c

SHA512
ee377eeeeadfef7c5a7d3d345cf8a83f14f63709d18cbaf8b7997b3634ae66559981ef7151d0dc2425fdc08fc049d00df877a1dcb9c38686b05881b14f6014e6

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
187KB

MD5
d70fbad88bd39a27308b7e89d01ac8bc

SHA1
47c8aab267b964efd89c5890f049b42265378db1

SHA256
745c3f5e08662a6a1fa5125acb05d8a62fc6e05c16babbb8a2063093bdc229ac

SHA512
ee74c52a1bfac0fefa5b10a1e217ba8751867db1775a7b6b22b1585eb574fad65b8ed394b1506279c11e51eef36aca966018a1a9ac54119d3f616e692bb3278b

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
187KB

MD5
6ed6d41a8ccd5263eb328bb71124631a

SHA1
fd7dbaf83738a8da950cf6e2e432e5e13f39fc54

SHA256
ac33c3adea4e93af46a2adcc944d7fa795037acd3a43745301e3e0dad7015c78

SHA512
37ac0680f222bcc870be47d8eeef66166c5ab2ecad2390533fec736bce690d8d8b420ee82cd8acc132b7f7fef517b64807ba3f6a5846140309181c698496a836

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
187KB

MD5
68a163d4bbef9b6ee218c96f60426c4c

SHA1
ee970b3cec8cae618c47033cc2fb31a12d01dcd5

SHA256
864e5ee89c376e56eb18691a86a38e703fd9e05eff7b4c417f6addcb7d3ce610

SHA512
8d94ca4df1b884f2fa29bca007eaf91a4d4122dcb9fffd1b6e9c95405aebc8cb2ae9fb44f02ca07b2c9c574a58fff1d1934cf384b06b2ce099d85a30ac2f0491

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
187KB

MD5
49da53f3248a17b4d9494992cadb971e

SHA1
2709f19a19a7b021d0c77eda3c25a1075085077c

SHA256
ee05c3e361705208de64fdc1e5051cc2883982d94b945757d47d299511b490a8

SHA512
f7345c924add692e29038729cca5f92b0dd24a9d1d6de93bc3424df3ad959f4d1134822910cdccc9ef8f50c5f92decb557e07a188779efc65423d1b9159bd27d

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
187KB

MD5
816f947736692df1cc2324e9e359b3ac

SHA1
6c83c3f969f51095f036d30c1ea1573c7cd5827f

SHA256
411321361deab5cd8e8bdfb53f786f0a757866b3b50d80eee76e7c0412e29a0a

SHA512
b1eea043a4619b40f5b0c75ac726edf5b9e057209e274a85eae8f075c65bc85f3530b8a4a6c2da4a23e6df832867aadb2ef6755750db4074afd7501e391cb606

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
187KB

MD5
5211fcefd5fa3f4fd644d94750f178c8

SHA1
ed3a6c9a058b0a43c0844cb981f53d1ebe9eaf83

SHA256
6897176359b3d601dd7423f58f0ec200deacc90d5b8378ec61b042e922bf7ad2

SHA512
b70561fdaa0b397c7ac1b28caf9d869304f52ef287c257cab37476ba2dd0908d2adae1c3ecd78680082fa64acff4d44d7a094917c26ad97008413c97db14382c

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
187KB

MD5
8597e146903cbd8df2ef659248295e48

SHA1
d8cc6f02966fc6a7fd60b65b58f87578a0e57d5e

SHA256
f5ed15584836c96d3a33e995493f896d1947ba337c73da8b27b6e4233d3124ee

SHA512
50cada615ddccf26cd017ba010dd749c4ed0521ffa9f80970241c169f3244bca070c236f9a318c3e20cb170a545421110f053b64344b22b00917cb19c15f4b8b

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
187KB

MD5
e77115910a5eff4fcd49b236654ae1e4

SHA1
b1105b6abe197aa6e224c82fdde08025b2067c1e

SHA256
0a46428d2b298e93e1df93f3264143ec050a314363c3f18eab5219aecb6ae00b

SHA512
c2a69e53def555f5ff9a62d57b14fec10d56cbe496cb0ea826ad4daa6ff97922fe4c906792fe67fccae3d34184b0089a7a17064973ed42ecedd54d7819b7df10

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
187KB

MD5
203f6bd63b46db39dd4a2fc7a6128475

SHA1
f513e1573a9b092ea7c31d16a39b39c17e9c01b1

SHA256
f289c70d6f5e6840acb583c31a5a4d7c94a0d2f21a6660b6b152042b4d0576fa

SHA512
08f8f0cba62e6b6292f863ac3f56235821ec520d86c3ed117fef3fc5551c84b90696f53a3b86768d7ab9614e2ac291972828da03d230b08c7918726a609b6187

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
187KB

MD5
ce5bae9bc72b322e4d8d6cc8fae48af4

SHA1
2aee0c13abc6ce209a8ac674eb4cd77915740385

SHA256
60945575e14929f5df5a26447c135115aeec9721021e0b2959c861d8b91ffdcd

SHA512
c189caff536df95873bb801806ded0375d80762fa16c21a9e22bac0b4bed59b59ff58571cd2f3bb64f090458ce04b25deb9fb2a2781fc828a1b69b8b8559afd7

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
187KB

MD5
6798ac299311e34ec95f9ad02c3a501d

SHA1
8a25f390503f6381c95ffe98eb84bd27f17f910a

SHA256
59f112fa423fffc0ffe1f72b6d00495838bd3e4f5bfd4071b4b1ac65c2837465

SHA512
c09530c8c5634040fdf2240fbe77090442c026de58303e3b75e729386d14c9d9d3f6f785bfac5df6a599b3213a9d92e36968265d74636158820f54755825049a

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
187KB

MD5
0c3b6f86c727f4de14e28916df82df83

SHA1
07719d9db5db7a702cd306208ee2c986a5291596

SHA256
9c21bfce8643cd4a79478f887163b164bd79419bc1f1ba6b0370d2f3883a2f78

SHA512
bcb2b45d77f5188f319aed7fbf9e63d0a45ca17f5170fed4b6a7b880745be79e2043d371fde4d8758d2a1239aea79e548da15c7c479b701aac5bdc4fe1d14cb5

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
187KB

MD5
015df8bd66687804f1c418862f087089

SHA1
626faed7d5469d26a3f053928d6bcb471cd2a641

SHA256
d117fb4a55e8f1a42d85cd6380bb09232aef68c3f7593416d77612808cc42de9

SHA512
66a8b151037266e878b00785f574b23eaa40afa6282488292825168371d267e45e4bf6513c2503d0ed50938273b63324f087bbddde87795a398695967dea1841

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
187KB

MD5
52db45e0e8b572c88c288bed373faf81

SHA1
b243c00994447b6efcae35d996b77f35fe07b03e

SHA256
a032b5e5d998eda399d9647e14063088c017de7fdfc081a45287ddcc1a3f5aa2

SHA512
1a13713ac577de8dc8e6690c29026f4e908dd05dc2335e57821370fab3486d65e60a4c287b5b16f39ef326da29c4e3c21f5a8cf339b0a216e63f63ca7e10757a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
187KB

MD5
cdf801c56decac61e421c2091c5fd6ab

SHA1
689bca4b177de255898ad7927df6d8ecfe02689b

SHA256
2dad84313019b08f3bc6af3d5741a52b16b448ce0753bd0c5be2ec7fe794ae87

SHA512
842e5eff60476b020bdb9af692eff0027c8aeea617165261fb0a8e222c4015194e9c8758c026c37995670d43a99ab98e300cfb12ab9b1108dc33eed345536268

Download Submit
memory/220-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/620-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/880-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/956-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-586-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-508-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-183-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1936-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2200-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-448-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2432-572-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2616-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-579-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3156-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3284-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3568-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3604-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-593-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3704-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3840-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-638-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4172-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4192-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-718-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4404-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5064-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads