berbew | bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
Size

96KB
MD5

501a2e00f2a8ab8ce3fcf0f2d3f17d89
SHA1

98a93702a3f3150f8b4af1396aa7051f15f0fa31
SHA256

bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986
SHA512

a48411d37f235abdfd9f99c98168c82bdaefc943bfda63467acce612e91bac41062280ada67f775df3570a495e4abdd9c45b37c19c51107087e2fbbf8d02a849
SSDEEP

1536:i+5qb7LgOOnALRZ8r7Luac2Lj+7RZObZUUWaegPYAy:D5kgNnALYr/uUj+ClUUWaeP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3656	Odapnf32.exe
3136	Ojoign32.exe
1056	Olmeci32.exe
4268	Oqhacgdh.exe
744	Ocgmpccl.exe
2860	Pnlaml32.exe
1276	Pdfjifjo.exe
1328	Pfhfan32.exe
2228	Pnonbk32.exe
2524	Pmannhhj.exe
1988	Pggbkagp.exe
208	Pjeoglgc.exe
3420	Pqpgdfnp.exe
1456	Pgioqq32.exe
1980	Pflplnlg.exe
1708	Pdmpje32.exe
772	Pfolbmje.exe
2352	Pmidog32.exe
1396	Pdpmpdbd.exe
2116	Pfaigm32.exe
1196	Pjmehkqk.exe
4928	Qmkadgpo.exe
1780	Qceiaa32.exe
3424	Qfcfml32.exe
1552	Ambgef32.exe
1404	Aqncedbp.exe
2968	Aclpap32.exe
2812	Amddjegd.exe
4468	Aqppkd32.exe
4124	Ajhddjfn.exe
688	Aabmqd32.exe
4344	Afoeiklb.exe
4832	Aminee32.exe
5028	Agoabn32.exe
628	Bjmnoi32.exe
3832	Bnhjohkb.exe
852	Bagflcje.exe
1680	Bnkgeg32.exe
2492	Beeoaapl.exe
808	Bnmcjg32.exe
4696	Bcjlcn32.exe
440	Bnpppgdj.exe
412	Bhhdil32.exe
1940	Bmemac32.exe
3260	Belebq32.exe
2504	Cfmajipb.exe
4376	Cndikf32.exe
3676	Cdabcm32.exe
4940	Chmndlge.exe
1784	Cnffqf32.exe
4788	Ceqnmpfo.exe
4820	Cfbkeh32.exe
4816	Cnicfe32.exe
4736	Cagobalc.exe
1384	Cdfkolkf.exe
2892	Cjpckf32.exe
3256	Cajlhqjp.exe
4412	Chcddk32.exe
4536	Cnnlaehj.exe
2180	Calhnpgn.exe
748	Ddjejl32.exe
4768	Djdmffnn.exe
372	Danecp32.exe
3864	Ddmaok32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1300	4188	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3656	2184	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe	83
PID 2184 wrote to memory of 3656	2184	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe	83
PID 2184 wrote to memory of 3656	2184	bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe	83
PID 3656 wrote to memory of 3136	3656	Odapnf32.exe	84
PID 3656 wrote to memory of 3136	3656	Odapnf32.exe	84
PID 3656 wrote to memory of 3136	3656	Odapnf32.exe	84
PID 3136 wrote to memory of 1056	3136	Ojoign32.exe	85
PID 3136 wrote to memory of 1056	3136	Ojoign32.exe	85
PID 3136 wrote to memory of 1056	3136	Ojoign32.exe	85
PID 1056 wrote to memory of 4268	1056	Olmeci32.exe	86
PID 1056 wrote to memory of 4268	1056	Olmeci32.exe	86
PID 1056 wrote to memory of 4268	1056	Olmeci32.exe	86
PID 4268 wrote to memory of 744	4268	Oqhacgdh.exe	87
PID 4268 wrote to memory of 744	4268	Oqhacgdh.exe	87
PID 4268 wrote to memory of 744	4268	Oqhacgdh.exe	87
PID 744 wrote to memory of 2860	744	Ocgmpccl.exe	88
PID 744 wrote to memory of 2860	744	Ocgmpccl.exe	88
PID 744 wrote to memory of 2860	744	Ocgmpccl.exe	88
PID 2860 wrote to memory of 1276	2860	Pnlaml32.exe	89
PID 2860 wrote to memory of 1276	2860	Pnlaml32.exe	89
PID 2860 wrote to memory of 1276	2860	Pnlaml32.exe	89
PID 1276 wrote to memory of 1328	1276	Pdfjifjo.exe	90
PID 1276 wrote to memory of 1328	1276	Pdfjifjo.exe	90
PID 1276 wrote to memory of 1328	1276	Pdfjifjo.exe	90
PID 1328 wrote to memory of 2228	1328	Pfhfan32.exe	91
PID 1328 wrote to memory of 2228	1328	Pfhfan32.exe	91
PID 1328 wrote to memory of 2228	1328	Pfhfan32.exe	91
PID 2228 wrote to memory of 2524	2228	Pnonbk32.exe	92
PID 2228 wrote to memory of 2524	2228	Pnonbk32.exe	92
PID 2228 wrote to memory of 2524	2228	Pnonbk32.exe	92
PID 2524 wrote to memory of 1988	2524	Pmannhhj.exe	93
PID 2524 wrote to memory of 1988	2524	Pmannhhj.exe	93
PID 2524 wrote to memory of 1988	2524	Pmannhhj.exe	93
PID 1988 wrote to memory of 208	1988	Pggbkagp.exe	94
PID 1988 wrote to memory of 208	1988	Pggbkagp.exe	94
PID 1988 wrote to memory of 208	1988	Pggbkagp.exe	94
PID 208 wrote to memory of 3420	208	Pjeoglgc.exe	95
PID 208 wrote to memory of 3420	208	Pjeoglgc.exe	95
PID 208 wrote to memory of 3420	208	Pjeoglgc.exe	95
PID 3420 wrote to memory of 1456	3420	Pqpgdfnp.exe	96
PID 3420 wrote to memory of 1456	3420	Pqpgdfnp.exe	96
PID 3420 wrote to memory of 1456	3420	Pqpgdfnp.exe	96
PID 1456 wrote to memory of 1980	1456	Pgioqq32.exe	97
PID 1456 wrote to memory of 1980	1456	Pgioqq32.exe	97
PID 1456 wrote to memory of 1980	1456	Pgioqq32.exe	97
PID 1980 wrote to memory of 1708	1980	Pflplnlg.exe	98
PID 1980 wrote to memory of 1708	1980	Pflplnlg.exe	98
PID 1980 wrote to memory of 1708	1980	Pflplnlg.exe	98
PID 1708 wrote to memory of 772	1708	Pdmpje32.exe	99
PID 1708 wrote to memory of 772	1708	Pdmpje32.exe	99
PID 1708 wrote to memory of 772	1708	Pdmpje32.exe	99
PID 772 wrote to memory of 2352	772	Pfolbmje.exe	100
PID 772 wrote to memory of 2352	772	Pfolbmje.exe	100
PID 772 wrote to memory of 2352	772	Pfolbmje.exe	100
PID 2352 wrote to memory of 1396	2352	Pmidog32.exe	101
PID 2352 wrote to memory of 1396	2352	Pmidog32.exe	101
PID 2352 wrote to memory of 1396	2352	Pmidog32.exe	101
PID 1396 wrote to memory of 2116	1396	Pdpmpdbd.exe	102
PID 1396 wrote to memory of 2116	1396	Pdpmpdbd.exe	102
PID 1396 wrote to memory of 2116	1396	Pdpmpdbd.exe	102
PID 2116 wrote to memory of 1196	2116	Pfaigm32.exe	103
PID 2116 wrote to memory of 1196	2116	Pfaigm32.exe	103
PID 2116 wrote to memory of 1196	2116	Pfaigm32.exe	103
PID 1196 wrote to memory of 4928	1196	Pjmehkqk.exe	104

C:\Users\Admin\AppData\Local\Temp\bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe
"C:\Users\Admin\AppData\Local\Temp\bc71b99ea5bab18dec661183f90e905892e8c7287fe779a645eca8d46855e986.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\Odapnf32.exe
  C:\Windows\system32\Odapnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\Ojoign32.exe
    C:\Windows\system32\Ojoign32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3136
  - - C:\Windows\SysWOW64\Olmeci32.exe
      C:\Windows\system32\Olmeci32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3424
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 408
        77⤵
        Program crash
        
        PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4188 -ip 4188
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
38ec3c192b525126834d87a22c120ef3

SHA1
3097ea70f1c57c8ebc81fced1ad28344f5b1bb38

SHA256
65e1d7460fa0f79314d260398823bbf8bbfb4e32c59b8ca6d37a5bea958fab3f

SHA512
4cd05c65eddc5f941dfc14f1957637ecdb0114b075c3fa80277a5afd0c667922d5cc935f3dda6d499ccce44735b1ca3f1ba7b5d876bbf70720067a235ac6bef5

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
1b19f6a4c10928761c4893b95243d3f2

SHA1
1e07b9ee5106030759f09689c99a3b8bf6032f78

SHA256
8dc56be5dae23618d33b43d1a589c247b8b4185f8c5a23a8165d618e6642afcc

SHA512
4be76efb5dd769504d0194bd1c25060cb18b81c8173aafe15416f0e678f5193afd391576c67daf2c79e7e654286f1e82ac09069e0146b9c624a0537daf2b7287

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
96KB

MD5
1349da48062da11928acf90962dfe921

SHA1
be7bf54ef0c9acac5bcad689949131e9ec1ca9fb

SHA256
6e9bf0ca81b9f0a568e1b33e401106cf87a0f41cd25738dd59767330002b7597

SHA512
ae934d11724310df2a72f81d59abfad03d1ad5e1182b5d9526d7421130a6f72ac9b8d03f9b7a283451b18d37ab251260dd02e16a67aff1dd38075c4e5203a38d

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
6062206aeeb9f67e5f7ee055f5de3376

SHA1
f55bb3451229af7716065d57dedf909b84fbb2d2

SHA256
577c1c5a2ef9ff03193b9748e17802ec8fb83229952304e57bc196ecee8729f1

SHA512
1564e5b6f2d92aa0c1ea15ab9343162ed885ca00e140ef7394c27d5533eb97423acc6e93cfd5385445210141fee08d9b666f56f2645fb3466ffa258de3ab1e19

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
a59a210b202cbc6e5bcc0b49cebb39b2

SHA1
73b7d1b551a6edaf3a10c3d7b2de49bcca585da3

SHA256
1b5346a34570a7cef9c48506c27edb1eed3826928e66a4038a7144714f2d263f

SHA512
0f8404df9b8b070673a4203e265f37f0814f43e47a98789d8f13a1204c30a9d4ac005a42052205610ea34a8471363e51afe7b3f6e146c35ee6dd616a358d8a11

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
536f5e561662953d93aa1ffcc2e49009

SHA1
e1313c97b6ffcfbe84475f5e750b63519378651d

SHA256
65dad17e91ff6df0ab751428f60059845f945831934fe26ec01f29ba87cff0fe

SHA512
50912fe3c164b556ee3d454f728db682563b54cee1dff1566289c5f2f370a7b72802e77b4ab1d6f048602d627ecbd01fb5dd45ab59f2b0251504cfa9691babf2

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
96KB

MD5
5d4432b8928e80da58534a8043abb247

SHA1
81f6dba8910e12621f6218728e6c77cc79d41285

SHA256
c72a279549c4f3801e01c78ea6fc02d1cf0c01655cbe84ff46a798682c027556

SHA512
f787a6995a661afd71312bddbc25908b2ebe73280625b0c021a734747a19feaea9639fdadb94ada0ad0a8929b5f65d4cc6b683bdf6417cad4f904909b6039501

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
e7ead44b7c3c337e8b73b8ad6d3290a6

SHA1
541c2a5571872c1ca83d9726e568286deb88a85f

SHA256
afc84ce61a3b0231524509a808fb34068a6e25c52b7c4598241c108463fd146f

SHA512
ec843a3c391d31d5b07fbd8165f8d0491c2769a41ceb15b28c8642a2e0d27e20d15cc3519f2a84f481c42df6ddb8a359248df6e2ac5ffbcc382bee962b80c90d

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
96KB

MD5
b7843f7c48d5671a0e7a4a0493482841

SHA1
7308950bc4e6cb1a0ea0588a99d3b096be771f98

SHA256
cd5422bbc6ed393a958afdc6cb7750cc7de64bc105928ed277bfbcb8ddfd4be8

SHA512
e985eb90c07db6817f7a0e4f4ef6a49e28f66251d9637bf0a07772efa2dad37fd23c514291104d37e788b77ed81d1b576ae65a402d05f62832cb04b8e01cfdf1

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
f1d6af7adc8ca23a83ec7fb65dcb24a0

SHA1
473583ddd589f22728264e03bb3ff03939562605

SHA256
a9e990f77b060f5c477176b24ec19f312592047b2c7d6a5d273887d72dcc61c7

SHA512
4d8d3801d081f0a4d9dfaba0e13b0406d20ba170d89768539d6546f1bba26d90e51caafdae976d81a6f41e0fa36e5ee7f7c04638a709ad80b85415d580fd6836

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
d685fd922dc399a19e6f5c2523c826e4

SHA1
3d229e157ea7e155fd577555024cf76a6beb5824

SHA256
6c1a1dc1226d794c596afa775e8dc0f0d2b58ac651017a52077d364fddf605fa

SHA512
6d29d4d342f7d5fe89fe25125e41dc6d00963535eac78c3fd4c08a41dc6cc92b2d24afa03f0f05fea96faec674919d0423470739eeec20091aa080d032508af4

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
2f3fec85f5c880b3552a7d5b1e2919be

SHA1
42de2593541fff0d8c62c9df13492136fa55a3f1

SHA256
31bd9ff0da4c1fe3aba3c6db759316ddf11d19cefadef71e816363b3da939c46

SHA512
7784c46cc7ced2aca8c46f8c9b080d297afbaee52fba1f4bdc1bc2904dd52217fce08606ee8ffdbb3f4d9cd065f4acec4a01d771f3ae892b0fd7f12ceb5296a6

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
df6376b804406003efd3088234f63946

SHA1
5cb128fc9247f5820e068dcef251929281645515

SHA256
72d88be173b5fe3cb0702108926f604f9e6334735ead81f8167b0d1d4ebd804f

SHA512
3bbdcb5a292e450343155e8ed77487717093150166d03310301dd554a30943655dca87ae926eac2d06eafdc6c84e2f7b589d9ad7da297519c903b2a3a2b4d872

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
96KB

MD5
204ea3b57565f2d56d518721bbd512f0

SHA1
84e4625cf0f3611735bd434b15280d84e032aac9

SHA256
97323a84942141b83774db7cd75124b83dc80710caeaf8903b5935bcd766d86b

SHA512
1bc7f8da51a9ab02986395cc93cb35649bccfc75f49240750fa7f2e0056a72af7c649141cdaab0c9aec549c2d71f2380ffea3787ef4aa4b3b009aeb1c9ff7c8a

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
96KB

MD5
840217ef75b018c92647eb4f38a2d314

SHA1
e71740fc8128910aca1df24fd1d168d4d4cbe0cb

SHA256
defb11e52233bea71cf49b4d27cdf7ac99bfd1158aa17503d6119be419657485

SHA512
25263962c65ec21a1a0cbdacdd75d08787fbe8f8d3cfedd912cd01c320ba62ae2cacf2034d368b4f9350644fdcacf13b0915e22f36c283336194948bd087aeae

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
96KB

MD5
1bb7f857c8c7c3f5c447a89dd7f1ac58

SHA1
780a9c67296f7910a6b73c74f38c498b81536e81

SHA256
dfac77510c9bd5c6b8c185c24e484244d508e49a63ed3d03130d3ff8fde844fa

SHA512
4343a5bafd9b30776e037b0054a6502c8e7d15afe8e54d06b3ecc711be58ca7c4d2ae45c6b18002e29c25113101f33581af997fb383f76c087c9919977eab1d0

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
09b449a841b7c614b3b244faafd729c8

SHA1
985325d5a690db611756f7183f18c0d9f13731bb

SHA256
814a0515ff62d78d41e2858e022b6d6b7fddc7e130b6dd3f9c9c246f251f98cb

SHA512
b471c1dd6a385b89575e45a98d331248d377dcd15b4726886ca9b557d86b9e6a73c210566bae22ad259a626373af47783d237cf8575e9810ffd1fbc2d30d89f4

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
d5eb70b8716bc773234961dd78fec717

SHA1
68188cf8bfbdecd33131a081e9027a370c242b7f

SHA256
90a46cff69b84f1fca8f554db56b5e17da80593e523b92126727ac48732e7adc

SHA512
12df18d9b5037223697fe5b5cf81c636c6593a2f5f11aadfba818e4216567dc5cc15fa0a3657386ee6f474616595b6a43389087862712239217914faaa85d554

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
812d943eeaa54ee527c4fcb62e3aa41c

SHA1
813e2b03ab2a30de3b18d76bed91b0943a23f32d

SHA256
e0d282734891fea8e79224aaa5d1c3d842ebbb0415ae3ea050c45872f4850e44

SHA512
ece126801a6867ebb78b99baff37623fe7ab767cffebd7389dd80f17f0318ec084b83be168aa467860da1820ba0df883515d3cce7185648223d0d888df17e851

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
96KB

MD5
94ded4d0bbf85cc48d757ea2fbb913bb

SHA1
1892ad75641b85b88f398fa729fbdaec02a1939e

SHA256
91da8d3f2f8e25466d9392e3a7f00bf6dd6636a4cc9cb4d8da243de1f15d6107

SHA512
73e6ae9cac37d114648ae3411394c021b08a4df4e3f568e9b5d3b63def9407bc2b413ead628d7db2eabd0afab22b328745ac829b6672d3fc7876f0139a2f0c4c

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
0b2996ec1d36095e129035ae407b05e5

SHA1
d2ac0d3cd56240c01dc14f81cf5ba707079e5379

SHA256
7623f67aab949965679fa34fcda657ec9934629bb9c1aa92533e89b3f364d2cd

SHA512
2fd6715518e02e0c6ad021bde39acb0c1442bf10b1a7e9cc2137892e5f3b627ca8a7a3831b24d64564dc2b8f387c48afe383294e9c424cea2e007f0f0665ef5c

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
fec024c1ea72aa5511faf8ab38de0d56

SHA1
18a85c5509cc4bc8830105385bcd30b45842e91c

SHA256
f8a66ec3be2691065790ca980c59ac8b3d813a8e12f424e5a6617fd89e7e215a

SHA512
5ac34e6e6f1c98edbf79fb4ea7c3078daff88c2729028ac8f250ce8e1aaef21883c7cd8b25236fd3eee073a726644203a9286eade0546d1b3fb1c8945c8529e4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
eb126f4d62bf1a107bb1c524f839ab3e

SHA1
a439657e2dc5e1dbad240a3a9c6b70b13e61a8b3

SHA256
260a4bf3cc3ccca095f8bd22b9decc4c5f76b06b1a18c81db6aee78c07946040

SHA512
b04cfc10e7963af20e54366d8ba3ee9fb7d921eecd90ac66b21946f7be7f9cb8afd78ae173bce653c2c7f98d4dcc71b9706f7e5c4e43377e017e2e99f34c32fd

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
2d5e9a239ae8cfba19952596b2a95506

SHA1
ecde8658a76949ee7e57bb76b6638b830cb02859

SHA256
6382146f06abd6ba63c31fb957f54f56d194ad397ba1d462efa4cc7c1e396acf

SHA512
1240e707ee7b64bf72e97400c0cf4149393ff50efd3be81a7a620be394149be61d76e423a55824ada3a5cc611e554e4b050fa904b560461d6fd056070bba63fd

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
a705b8115e4e78b2c91152ad02bc572e

SHA1
6dcdfcaa52f3176a3b06633f2c7af5c634748a5d

SHA256
ce1eb2fe8e074054519ce3b852134c3b41d55e324b6fb1e443fb5e878660fe53

SHA512
d4cbb433927ac092641547ac134bdf5954fca72309f3642835b125918e3ae026ef64379dc88f607e752eb2369a4e2e08d5391e50b436bd6afe1a1bfce3fafdf9

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
96KB

MD5
869be9cd1a208e04c8f49ba5397a2b07

SHA1
752bb4dc2722a063ad8c8778ceaac2eac14b045b

SHA256
80bbf9d4e057247e4db0f3e3c57b403f0199c9bd1d0c0305109078b8bcaed6be

SHA512
33c0d0bf597bcb903a87743997d9d2639a9cf01fcdf95c481b091ce56c51660526fa6885ae3357c132a0a72ab8b8402a7b5d0393f7e3608aed63cc38eb09dcbf

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
8e0673cabc601a9d4dc7349e3c85f23d

SHA1
850d1c96b9702a8fa9af5cb24fa8e91f08a4e5b9

SHA256
94776424fcb57d8062bacfdbceba3ac5cd846dff6001baa260cf2582bf73ecd5

SHA512
fc50a749e91c9a86cd20db1e0104f98adad3f901ee972d91f2381513ddf29c04f555085e43eb0647591cd5fe5a57d8df133920f720f427a51f1b2da7c331d409

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
0f0b399e059685444fcf9f8f82a7ce41

SHA1
9efa333c201d3143935f99754295a7a4ccf6c001

SHA256
200122d391c51b233aefbec45cc79ae8fa96556a03b488f707cd24cbf25d0a7c

SHA512
ac0f9a389e80c6b6acdd4b4ea8c4e5c51369635624e8338e31b7ccca01b77f5f1662a4ed95f98b93d237025979b197ff15e8a97a8227cb9cff84a70b0b98b060

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
4d3890aeaddb241042da76c461306889

SHA1
bb34ad09b20901841a9b745cedbfe9936451fdbc

SHA256
5bfc808fc4628bb70a0dcab60b2a47d5c1ab61a7ab979cb04a31c3f019ba179f

SHA512
caa59de094d8c44784a60d358df310c93499cde9b8353bcedf2ec2f91d8db9caf25761b1c060d21e4019cbf35cbef37cd3ea745bae46af37fafc366ae705208c

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
8c625c45603c24fb1689e2cb34da4360

SHA1
1a5bb7058a239672179da59b9c7a54947d2d16ee

SHA256
e68e14fd22670b5080f3495331a28be81a4969de6f17835c8b1ce1423e62db7e

SHA512
512dc6670dc816c8a2a9952dcaae82c3f607af364f72fae157eddd974b338530e864cadb31433dbfa585c0ebc3ea08c88cc226e2111beeb1391cd1daef51db76

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
173aa1c26a03f4909018e67a23a57a2a

SHA1
613a9c988f03f1c512400fce49e00987bcdcaf1d

SHA256
6d481981640d4d5ec2d83ddce509fa58e2292b42f88cc96224c8bf5bbd728c24

SHA512
8166ec882a6e78c7db31dec6d1f10bb4fccb307d25bead0031e58b1aa8f8a8d553bf6b0f4467b734401ffd8d5752a9ecbef4b49a73598e08ac7c13c7b9dc4603

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
deea58866e506e79d606bb772e9fc435

SHA1
cddaf1aa9cafc71e94d2a0eaaed726e69c7e775f

SHA256
dc3c9965ef1d692f66ccfb2ae9ebb4352d3be179d9ca03d5e56f4be6ab8a5340

SHA512
48136fd223cfa0e414a85c86e35f9289d1b4ec8922ef2afc0203826155bd86d7bea047c04f59c84ceab6d6bd98e4d75f979d10c4f253b0728621eb1de7ade9db

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
735f3b554dc6f6932e21f6f036b46281

SHA1
460aacda3b9d5c7e8b043ad7e82360bb152d5bba

SHA256
d3d43fc8ed0de093ee42b2cad6c63f6bf8d0d1eaac9a0f62f963fcc53c8c06ee

SHA512
5796468192b3924de55c5633390f715aef5f1f36771b65b48c77b384e6f6d05660c4e660780cc5a45c0881208571a14bb2e0accf482250101ee6ee69a6fece58

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
10b3193236feefb863bad67fbe8fb655

SHA1
a990cd11c04bc9fb3b304e1b8bf615755f50f00c

SHA256
292bb4be6285b56bbe2250a68c97babdb7fe8f3ac3d0a8bdcfbb56c962a06b7f

SHA512
83540082c19cccb7dd1d406342965f56ab871eafe428e67fc69131a5ab922bde5771cffa029b6aabfafded45144fdd88da0691cd681f9606de1431ae15e9a282

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
f0dfaca8341aee65e74d0fa5869c1558

SHA1
408361f2a0b617324bb7cdcc6504c521ea9c30b7

SHA256
90d6e509d5248ec9a411c45545589a1024044b52af2ba614deef696edf7f0b46

SHA512
43cdd49d17df0d4969a534daf2dc0c2c5988b60508b29c5ebc569f5f9871421dd4f119aa06f699acaca4e4e9d46841d714079dfa3af6e0703310f24b3788ba16

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
4040e5e7084ba984ad494cb87ef7fa46

SHA1
cfb4e91320cd561f643a0dd17214b84b782a5069

SHA256
f85b4953492961d61fa5550e1650b34f7e481c2009adf53c23bd04d20e57d4b1

SHA512
594972d2f16a848efbb5265da2367176135aff79a71229be01c3d3232ece5d78a45c3aa1f89fe30eb7d51898da65cdb6c666d16cf5d83920101657a23dbdfd90

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
f32c4d37610122664fdf1c948c41361a

SHA1
90e664d15109c76a5e4cfbe4a4b373038554609d

SHA256
286c0ca5d6babc90e35c438f19d684f251c01b6c083e525b042b544d5cb891d5

SHA512
68ee5d35f85a368c03b8ed165a251eccea97efbc5b88e5ea06b45a56b7cffab8a05219463436655c4cf186079598ad3d463ba56895150e7e4f28545e050437b1

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
96KB

MD5
e3001b0572a87c30f45554e7e32ee78d

SHA1
db9b0dc5fee86cc7415f50c1d15d287e14515ef1

SHA256
85c01e788d8b2a85b314861e32e8a6fea642fe0ccbe8027c0c5d453b248e14b5

SHA512
12ab8ad705f0393035cc29eeb82abeb51e6b1434aaf9f6cf290cd46ffcbf7720edaebb72b28192f13a7f960a3dd517e0e9df601fa5cfdf9239529afd8f5be938

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
44ea8ebfa9f2a6b28a6bd5d945e911e4

SHA1
a2e14a56c18c9876ec1dab249b76b459156fef4f

SHA256
9d65cd1ced76a9bbfd21928562e6b24d1c6b18a17ae46f3e431be74fb5a2ac4f

SHA512
ad10b9e7e2f0787830d74c4f9b15bb65dbc7d17440c9263dd0f83fe920b96cc0c631576abb68c02df3e2d015679f1a630e4ed3763f56b86103d242a28ccbb9e1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
300566db5c09bdd1f4a4dabb7c0fe24f

SHA1
015d25f7e30141aab862ba2774069773015848f2

SHA256
4ca0604055ae82c12fe4cf7c596e54833c545459674661267ef0f572458ead03

SHA512
003f0f78fec48b388a721fab840cccbdf69b66906ec9c7f46663b2e91bcb88f9a6042a4e110fc25df85859cffc174baa05ce7df7e8207fa8a789bef52de91c64

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
d352f0356e2586696b055e4e3c969194

SHA1
bbe8949e5444f560be241b19c2622339b87cf514

SHA256
a54c76785e33e7a21c101093ab1dc5d1b6d70d9e062c8202e3801a2c0cda7274

SHA512
3efec116d4d629fee1051a434139d7c531edf274fb55f496412be52af4d68b6deeba93cdbec2baccdf3bbc659a73e8b04d832b102dcd72b269efdd13b2d29533

Download Submit
memory/208-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/644-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/688-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2228-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2624-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-525-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads