berbew | 8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
Size

96KB
MD5

57b03fb14b992d4e56f863b286c33e15
SHA1

024f1d4b7c11aaaee752625cdd8a2bc793683fb7
SHA256

8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde
SHA512

ce275af5991bd58277c68b4d7397ec6f963d015d5cdd3be7e4ffe335e87c8472bb91fd6630b5afd8725f641b3d05f169453ca7c8195e7902c0fe360a087c93f4
SSDEEP

1536:0yISjvF393fyfo+Ac86aB+dn2L1n7RZObZUUWaegPYAi:4SR/hRClUUWae3

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
5004	Ogbipa32.exe
4780	Ojaelm32.exe
2524	Pmoahijl.exe
4984	Pdfjifjo.exe
4356	Pcijeb32.exe
1048	Pfhfan32.exe
4136	Pnonbk32.exe
4388	Pggbkagp.exe
3984	Pmdkch32.exe
5060	Pflplnlg.exe
1924	Pmfhig32.exe
4972	Pcppfaka.exe
3620	Pjjhbl32.exe
4860	Pmidog32.exe
3880	Pcbmka32.exe
3112	Pjmehkqk.exe
2416	Qmkadgpo.exe
1536	Qdbiedpa.exe
4864	Qjoankoi.exe
1576	Qqijje32.exe
2560	Qgcbgo32.exe
2976	Anmjcieo.exe
4916	Adgbpc32.exe
4776	Ageolo32.exe
2140	Anogiicl.exe
1632	Aeiofcji.exe
4440	Agglboim.exe
2192	Anadoi32.exe
4848	Aeklkchg.exe
936	Afmhck32.exe
4308	Amgapeea.exe
704	Aeniabfd.exe
2076	Acqimo32.exe
4872	Anfmjhmd.exe
3728	Aadifclh.exe
4588	Aepefb32.exe
760	Bfabnjjp.exe
4968	Bmkjkd32.exe
1072	Bcebhoii.exe
3256	Bjokdipf.exe
2828	Bgcknmop.exe
4912	Bjagjhnc.exe
4996	Bmpcfdmg.exe
5080	Beglgani.exe
1504	Bfhhoi32.exe
64	Bmbplc32.exe
3292	Bclhhnca.exe
1836	Bfkedibe.exe
2136	Bmemac32.exe
4796	Belebq32.exe
3636	Cmgjgcgo.exe
1768	Cenahpha.exe
4772	Cmiflbel.exe
3872	Chokikeb.exe
1608	Cagobalc.exe
4424	Chagok32.exe
1616	Cnkplejl.exe
552	Cajlhqjp.exe
2468	Chcddk32.exe
3240	Cmqmma32.exe
2984	Cegdnopg.exe
2184	Dfiafg32.exe
5100	Dmcibama.exe
4316	Dejacond.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4444	4056	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 5004	4504	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe	85
PID 4504 wrote to memory of 5004	4504	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe	85
PID 4504 wrote to memory of 5004	4504	8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe	85
PID 5004 wrote to memory of 4780	5004	Ogbipa32.exe	86
PID 5004 wrote to memory of 4780	5004	Ogbipa32.exe	86
PID 5004 wrote to memory of 4780	5004	Ogbipa32.exe	86
PID 4780 wrote to memory of 2524	4780	Ojaelm32.exe	87
PID 4780 wrote to memory of 2524	4780	Ojaelm32.exe	87
PID 4780 wrote to memory of 2524	4780	Ojaelm32.exe	87
PID 2524 wrote to memory of 4984	2524	Pmoahijl.exe	88
PID 2524 wrote to memory of 4984	2524	Pmoahijl.exe	88
PID 2524 wrote to memory of 4984	2524	Pmoahijl.exe	88
PID 4984 wrote to memory of 4356	4984	Pdfjifjo.exe	89
PID 4984 wrote to memory of 4356	4984	Pdfjifjo.exe	89
PID 4984 wrote to memory of 4356	4984	Pdfjifjo.exe	89
PID 4356 wrote to memory of 1048	4356	Pcijeb32.exe	90
PID 4356 wrote to memory of 1048	4356	Pcijeb32.exe	90
PID 4356 wrote to memory of 1048	4356	Pcijeb32.exe	90
PID 1048 wrote to memory of 4136	1048	Pfhfan32.exe	92
PID 1048 wrote to memory of 4136	1048	Pfhfan32.exe	92
PID 1048 wrote to memory of 4136	1048	Pfhfan32.exe	92
PID 4136 wrote to memory of 4388	4136	Pnonbk32.exe	93
PID 4136 wrote to memory of 4388	4136	Pnonbk32.exe	93
PID 4136 wrote to memory of 4388	4136	Pnonbk32.exe	93
PID 4388 wrote to memory of 3984	4388	Pggbkagp.exe	95
PID 4388 wrote to memory of 3984	4388	Pggbkagp.exe	95
PID 4388 wrote to memory of 3984	4388	Pggbkagp.exe	95
PID 3984 wrote to memory of 5060	3984	Pmdkch32.exe	96
PID 3984 wrote to memory of 5060	3984	Pmdkch32.exe	96
PID 3984 wrote to memory of 5060	3984	Pmdkch32.exe	96
PID 5060 wrote to memory of 1924	5060	Pflplnlg.exe	97
PID 5060 wrote to memory of 1924	5060	Pflplnlg.exe	97
PID 5060 wrote to memory of 1924	5060	Pflplnlg.exe	97
PID 1924 wrote to memory of 4972	1924	Pmfhig32.exe	98
PID 1924 wrote to memory of 4972	1924	Pmfhig32.exe	98
PID 1924 wrote to memory of 4972	1924	Pmfhig32.exe	98
PID 4972 wrote to memory of 3620	4972	Pcppfaka.exe	100
PID 4972 wrote to memory of 3620	4972	Pcppfaka.exe	100
PID 4972 wrote to memory of 3620	4972	Pcppfaka.exe	100
PID 3620 wrote to memory of 4860	3620	Pjjhbl32.exe	101
PID 3620 wrote to memory of 4860	3620	Pjjhbl32.exe	101
PID 3620 wrote to memory of 4860	3620	Pjjhbl32.exe	101
PID 4860 wrote to memory of 3880	4860	Pmidog32.exe	102
PID 4860 wrote to memory of 3880	4860	Pmidog32.exe	102
PID 4860 wrote to memory of 3880	4860	Pmidog32.exe	102
PID 3880 wrote to memory of 3112	3880	Pcbmka32.exe	103
PID 3880 wrote to memory of 3112	3880	Pcbmka32.exe	103
PID 3880 wrote to memory of 3112	3880	Pcbmka32.exe	103
PID 3112 wrote to memory of 2416	3112	Pjmehkqk.exe	104
PID 3112 wrote to memory of 2416	3112	Pjmehkqk.exe	104
PID 3112 wrote to memory of 2416	3112	Pjmehkqk.exe	104
PID 2416 wrote to memory of 1536	2416	Qmkadgpo.exe	105
PID 2416 wrote to memory of 1536	2416	Qmkadgpo.exe	105
PID 2416 wrote to memory of 1536	2416	Qmkadgpo.exe	105
PID 1536 wrote to memory of 4864	1536	Qdbiedpa.exe	106
PID 1536 wrote to memory of 4864	1536	Qdbiedpa.exe	106
PID 1536 wrote to memory of 4864	1536	Qdbiedpa.exe	106
PID 4864 wrote to memory of 1576	4864	Qjoankoi.exe	107
PID 4864 wrote to memory of 1576	4864	Qjoankoi.exe	107
PID 4864 wrote to memory of 1576	4864	Qjoankoi.exe	107
PID 1576 wrote to memory of 2560	1576	Qqijje32.exe	108
PID 1576 wrote to memory of 2560	1576	Qqijje32.exe	108
PID 1576 wrote to memory of 2560	1576	Qqijje32.exe	108
PID 2560 wrote to memory of 2976	2560	Qgcbgo32.exe	109

C:\Users\Admin\AppData\Local\Temp\8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe
"C:\Users\Admin\AppData\Local\Temp\8fdb2efa8893b0829e0459cc91d895680570b1a9ab30c3a23b71f49288151bde.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\Ogbipa32.exe
  C:\Windows\system32\Ogbipa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\Ojaelm32.exe
    C:\Windows\system32\Ojaelm32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\Pmoahijl.exe
      C:\Windows\system32\Pmoahijl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:704
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2708
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        77⤵
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 396
        79⤵
        Program crash
        
        PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4056 -ip 4056
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
aa7fc27ba8945f050b8a39b09c265cf8

SHA1
f3ea269c6189b0225f9069984f556000f3568c16

SHA256
b985a847dba79528e076aaa4d747a394e6a3fe39899f0b6d6077b4124893539c

SHA512
fd1c5515a71b448321164202d0f8c835535dd7388b24a83e96aaf21a679817dbfaf8fd46df3cf25038328d631282a0b1406467721dfe5ad75f8990fc419e4692

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
86f19cc1e1ac4bbb2d38fed20db459e0

SHA1
871989d415b8171a06b8b20a6113099f7c4fac7a

SHA256
e5ac1cb90e43f055980c8efe87231fca56d881a19ea1b734e8e04c1f0cb90fd7

SHA512
d53879665be55026ef252d397558dd4cc8d7c81a3d5f4a8d1abe469665694c50d141b1b5ca8025889bbdf6bdd4a97351ae46c3634b0aeb95b48bb6f4a76b4bc0

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
4e52d19b1d7f8d6fadcfcb4d25ab4a7f

SHA1
435927ac0d3e6b08c2cc440a11e9cddc76e0005f

SHA256
485c6fb31988b3e4e8215df8f80acb790c6781b9c6cdb6ed93c1bc12a194c4d6

SHA512
558be6ac844409c8ee52dc5b4bfc713f997c2fb57aeca92da6ef3eb943db91e95812a1670f68dddd4393168d214e88cb2c3ff68bc7bf5b8fa2a671cddd5d484b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
fb42e6245bd09b05661c7dc229858a46

SHA1
1acba4d6869de4eccb7cf336b1861ac96f5a4017

SHA256
4fc9898619dfa68a6830adc57632f07abc97f59569f085dff30b01b980080c92

SHA512
4cbe8d068387ca881ff579644c8a71b36b8dd3a857041ce07cc84ca8098b85217b9304429e0464dee2131c0ed665b38ab85fe62ba3083e3fe6c0daaa4125a9f9

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
289d67d7f2eadf609a7ace44cdeffc93

SHA1
b628e2f9c5703b75d67f62e2358008e543c0b21e

SHA256
4964d757db54a30e462c1281507c80def67863cde3a71825e77e6ab257d1d23c

SHA512
575e17eeb8e11a1bdc1048fabc75bca49a5c3aac4a626dbb0a1516088d66236849036a9f4b2fded74d2e98e1381f448228e9285af33a9a7b4973b3c7ca94ee02

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
96KB

MD5
0157ea31a756bfcaae095948383eba4e

SHA1
b92b383d29b83da6a3bb55cf6c27b477a3d32fb1

SHA256
0f0612c845ad028bbd19441fc072c4c7d65aad585910c7d7ef55c11958fab303

SHA512
3710c92bf102f9f9e82a5150e4d279ff89e71003c36e765babe818e7e87e0105fd3a8cdb05a8499ab3afd92f57cb774bfd41f124d3aecf8c915eddbd2d3d5641

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
d7f06f8f2dd888736da19caa2c7fa375

SHA1
1b658e7ea22919bfa66e19dea734f8f6a079c231

SHA256
f71e13dc5077c33fca7bee648c6203650ec9797e21a0c684e236368391fecd14

SHA512
69e62c378bc2538a3b41f285cab4987e651351050d319991be6733a1a0929ab6f32c29b7407cd67a46517966bf552a78e2148688b3ca3bcb2aae25bb87f12327

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
2ce4c463fb3f093ab911c3a314bf8f2f

SHA1
19a07d0348d890d41a3909e2760e87bc4a5dbba3

SHA256
1cae434afac6af555846cf15560923deda6128f4bd936afff533cf8a2c068eb0

SHA512
eedcdc7bcccd62bfff2cf2311584ea60f29fb8b6809aae4f3a78ef1e1cfae360ee50dacf1e249fd9edd6026f036cfa5847b0a1bab46bc970ed9143d973e394b5

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
3c24f08ca5495a746fcbaf87c299da2e

SHA1
82f2dca2ba709635fc955bde64f36c2e396bb3bc

SHA256
946ea42fdb32ad966a45d8e93f67802bf76d1186af49e4d7b910faaa119613c4

SHA512
b3c5349f14a0de96040d4f0a1a949248dc17b9a4a115cf1392ba3afcb53ed83d3698c2b18f17747bda1ba3d5f75572360800ca441b8b5c681ac68d3792f04aef

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
d37141b78975600d89ddec7d092ea912

SHA1
ea88a0e1b760c9b973a68cdd899753e5d6ca6fdb

SHA256
eb428b6a172aed5f55b0d07ba67deabc944c6de598ead9843bf3c50497ea0dca

SHA512
c1b26af9ff2a1defc9d1bfdc5947fae6077d860471e12cba8fb9f25c09ce96b3c28d5d77a4fe8b636210630f5af750ebddc5c59530c30bb689c55400ffc97685

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
01ea926e44c23cb25afe1c304865bf5d

SHA1
f16e19bd099d2c5116cd19e926c37601404ca729

SHA256
ff817383ed965f0235ee8afa3e7bd2e974052520d25b65eeeb3e2691b27aa6e5

SHA512
ceda39e79320efcac410a8753046889412b8c599586beeeb37d8e31c5560c5d8a33c339965f83bcd387463d242d4493acbac13b6db8b208694279278ea128199

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
96KB

MD5
4e1cf12e5eb990522ca09dea0e3b54bd

SHA1
cb24caaa5801d9fb3ac21d7d0a85d5f2bf1a03c2

SHA256
bc8cc9bbd387fd3575fec03368c3157bb784b0ae7104f873785b3b716ede3f15

SHA512
49051738df89184688b0fe7460c282d4562ce090a8997b0c19408649b3340bebaf2a5d24e98d80795cca0b6eb023d818b7b328ae011ffc4692679022d183b7bf

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
1f099e232cdb64f3ec8dfd50d2241087

SHA1
d61b134a5504c9c714cbe7e2a9839e9afb158b41

SHA256
65d41e2bac588d73650bdeaeee378ed5e892f72d1c6f5a0f433c6350a35947f1

SHA512
6a3008973fed40984696d1e0e448f0b17901d8f74175c104458e6b554ca2aff9b30bc0c480a1ec7bbec76ba722c3ba44f47cf767ff528ab806d84fc797dbc1a6

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
bbe6576eb34129c140611bfb767f7fec

SHA1
e7028502c1645d170ef22aed7d550f86e326c0c4

SHA256
092d360b32a28e0f55fdf098682ac5fbd84f489eb1dc2fb766b1c6dd81488468

SHA512
c2ff3f3188930fc9723f84ebfabceb05432edecf6d2aa905f4e16a99988a58905578fe164a8958e2d98fa8992ab57056d3cd1b63b3464609dc0855fb34413903

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
96KB

MD5
403875d35ab7a5391dc1553a22f8a4cb

SHA1
9cecf9074f097c0e151b47f61b7e6bf68377d6b4

SHA256
1afa3249197bdf50ec2611310c5fa97281afa90190ed5b1c35b1e6a3cc825fdc

SHA512
0ed7a9cdac5f6bbfba8fe25a56baf0dca4fb2824a2a4fdb2558735f54517b43c5a426e406b39b1e2b0fae85311e6b9b73bb42acba979b12b9a489ffbb5ee1f31

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
96KB

MD5
4102a0127dc74a92c105553e2a095504

SHA1
2843e12585ae7a5975553c7d1de5472e4ee29d80

SHA256
7f5dbf0878fa124a87a56ba2e1a90c79b173283c235979b07200b9b0d76afb18

SHA512
fff0e4130ce0b10a80add45e5cb1f42565fb86863a916a91f552de4f7428c43186add8b1ef29e1a67028f0663f97fe45f0d301b0f583d44655739146f6768949

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
96KB

MD5
b6b91e4f3cc5ab98567f3464c7a0df45

SHA1
8fb1897156ccddfd8e4f766bbea120354b063791

SHA256
a929c03ff8c5a7e21133f9a41942f6c00da4ef4a570192ed2ca29bd890258868

SHA512
a67652f1bca844e1111d793b3e9ab49e3c418da3cbf70c9932637b7c2ef2b4226f70a569ef9357de6a9c7976616481363978bbab05173a877cddba1ed936e328

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
96KB

MD5
ba740298c1689bb73442a3ad75fef2bd

SHA1
d5742086241be84f5c6be1e34c89280968f76cd1

SHA256
afcbfdf1f74435540c697249add33ff8937c63df6ee754c7dda347080697c408

SHA512
b74581412600fccce49a72474ad43612227199ef7c919394e7c7e27653793b7a398429cbd74352e3150d8e05bb0b44b14b79e474db75ff56460aa44c2f2e94d9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
00c62aea1f498baa5670e262435fa0c4

SHA1
e4393068b127640629eaf529153cf65be4c9ad47

SHA256
e5e99418ee0625cde8a1d7de257a4e7ed6ce73c9a4e97d0f2cb5bec3ca0afab8

SHA512
2af78d3bfb8e0d0b369c3f17e380bcfa034d3576dc40c1df01f71b571c96da1de82383a1f87fa415cb3fb11bce79ecb74fd924a6292fd246050ce1363fd8678c

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
179d2be651d9fe41a5d43f88220deec5

SHA1
f63a61cb76869ce4f9c6b9540ae4f6fd92d7ae12

SHA256
6a97901aed0027e32855f27472dc0f23522b26f813bd9056ef28d354d7a38ef6

SHA512
479ca0dcbdad4f1cab226f430e056ade29c79c630d5cf519500032a0b810d07a3282b955ce9f583faf330a51d2df8935bcfa7a69831669697efe26812e44d2e4

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
8b70ec1bd68e65aca361ead88add4968

SHA1
ffbf15e53d3dffc3165f52aba1d21c4d7cfb0993

SHA256
18d9ab6b023235d86396b9c7146ae2e9651e0352815d4e4694e0c3f2a769019e

SHA512
92e58b0878e87b3d75e019bd258b01c19fbbe7045f5cffe9ed9d79c432012cf1e5ce61deaa7baaa3f2b4f957f9c6e8679c921a56625f8142c0bac7a80eeb9cc0

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
96KB

MD5
20dd4e491ae17015495a3536cf5d046e

SHA1
9b3c7ad4f0be951db8bfbf102b1fba96c185a5ca

SHA256
29ba40df6c8deed349471e5e2376bc5f70af5ec40289aaaf4426736000c4e61a

SHA512
809400d130aac8fd4a3e24028edf8b10e961e68986e1202591be4e05fcbe8f09bf90567bbee43cac783976f7700f064d3ef7cb72bb70871b217c332a2671d066

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
96KB

MD5
93fc3dc308097f9e6d30338871f2d8bd

SHA1
2faed2784117c37eeef55607030fc09473890c12

SHA256
1626af27c8642c9e02f5f002bc0efa4f02f9fa8a473c9f2b013c28f49720575e

SHA512
ad457cf4efadc26aada42797f445e1536099beb337b6327da7573d0e7bbde66558435182bae6e88a9984fbef99dff74923ef7de55a2bcda1dbfd0dfbd3eb4f05

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
8a18d3bcdb78f418108e1fd4475685cb

SHA1
1ab15a78bbc40703981b9d6d76968df4d146e23c

SHA256
5695088e347d45e892758f784b1633cf4285df2eb958ea4500b890077c307f28

SHA512
9244440a96035d47a651eedb5b7fa8e01bc172b035b362f83f37b6317b838de4541ea6ccdc29b6d9b48e6a1138599d6ba40812022d26366c94ddde1ae77f8e90

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
f80dfba6c1007027c03d0a0d43026eca

SHA1
a2e6454d403e1f6311cbc8e718728c3b0124ddc3

SHA256
35c5aebdcd6bd2e6c8b489b67aebda123024cc0e68c355282fcbe78f0c4ec171

SHA512
4f5ad9f6a1139dc2f300cbdbaa17e14b36f74b1e71a7db3e81aa73d0eaf1d5050fb92c60c5c4a94083b06863c681252a0b42234e3b5f3facb3e9121dbcfaf608

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
96KB

MD5
1d25b24aefb3c7b7ff7004509a21c2c3

SHA1
90ba4af8700898a148259f0ab53191cdd6ea7507

SHA256
d8b3693624ed7ae341139f8a89770012aa4f2937cb284dea82cf778728d31c33

SHA512
a9c5cd6ff2de2d8300c42638832f914da3bbab5e751f1628ae89a9d336dec81fc217daf15122699b2e75f189e3ea8febc68b133e40ac283a68aa33475664bafa

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
312e1ee171d65e8688d97f7abb1f26d2

SHA1
4599f22f529ee8030d75843fb4b85c77e06c01ea

SHA256
799ef649daf1c2177cb8d8857c597a7db0ba1ef0cb7e043cd7cfbdaab34ae1b9

SHA512
e7d385a96e2732e373bf0577c024891ef7573034b6c362bfe9d18db78ed6040b6e1855562419553f818ec795db5778af536e6b99b40a8a6d7456231175e32e59

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
2920b2e38759fb251087abec382fa19e

SHA1
c02ead5ce9da5f8d6570c74332e4e318835ade57

SHA256
3e2a06b702871ad88e0d8e770bed5881ed908c85b1c2a59386526b7bd0a9ffc5

SHA512
b8bc6a37dd6d34a4275784a95bbc49e8465f46b485a83f5faa8913a4b52cd44e3308ba011f9eec70b5342a5bad4bea1be6d39256ea5c5cc93c2564a358d139d4

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
c9a2af45d8b60ffb821303bbbb1e15da

SHA1
f44660dc9e220a6dc523402d17d80d75e0631f52

SHA256
65820462295f5455490ef5e1a0dca2c0ffa7e7d83c13ce3d243265716fa892e8

SHA512
ca60adc381785547a41c1a75b5772117bbad1b37cd3264ba2045ce22a67fedc11149d96d4f6af4b59f9550874754be82e2729c4b4f4ffcd721e7b03fb3686b31

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
96KB

MD5
49b9c179fb27b814c5279eb46625ce5b

SHA1
927ecc9b5177f4e4ca7ba7adf4bbd7dac918ce53

SHA256
718ba32066fd0a10b3242af99bf4a2190ca54cbc50448953dc0fbd99a07c0c86

SHA512
9c94a4c1ba629d28ea80d6adb65af14fc73fc2bfcde8e12d1ec05a8c192daf55d39afd2e70d09ada6d2d653b050eab769dee9097b727b9b6a6c1a61058cfe3f7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
ec66e34d5eacc6e38b95dc81d1ce3fec

SHA1
984d7281545dc3f487e30970224adb5a9f7730f1

SHA256
a51f8d8b7bec31c0e8f8b75d763b05e6bed8264818f8c460ad8ceec1bc54f724

SHA512
2fe01eaa1597caa3194595d587803fc5574c0b5f737f457c321af5328bf246da6092ab22c3a262a2b560f27802ca74763954d7ce336011949f0c70b3d78d59d0

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
f53399a9d641a708ca75f5fab3537140

SHA1
c70870c892a5e308a6097a91de3afb80bd452255

SHA256
5c05d4424a7c01560a14254f458c2393a1ed740f63d13a3762f8911a3c94d567

SHA512
ce6eb6c22902fe4503daa899970bb8914f78fda209bb7465d26e613a54817f42b3b1a31ae734a048cfae6c8bf8cc360c0639717b66392365f0a9dcd95b7cf5f5

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
1fb726a44cf202e9699afef773de40aa

SHA1
f9991a325d4b7edf59c2b962ad5906297a4f569b

SHA256
2d01712a2f7ef68ec7d61d7d8fa633dd693e9bb4e1b90bea05ebdc17d161e4fd

SHA512
37b2c08460dfcbda0be6b795e8b923240419fc8ce718f0279bae2ba75b1c5fb414eee2c2405167d6ee931bd4d57c4ce3de6ce40384df51f82ab271872a53e8dd

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
96KB

MD5
cd24df9d6527f8cbdf6aaee0c1b2e6cb

SHA1
539b9476e19794862cf1de1016ea5c14c50c566d

SHA256
c73be7ba965b6e21e62530984642afb94e29d08b0eeb468d83af6fed26e286ed

SHA512
1c2b95c5c7468dc136f06c4b218ab3f11989a1038858f59c8c04d2f187e8c89f7852810ffdbe301ad79148f34037db54194b25210b1c074c00917396982480d5

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
97bd3427e3eb17147f42fc3e4d681c54

SHA1
4a9ed1753b377fbff0fca73bf2e91fce7fc98e8a

SHA256
2e95d17edd6c832f40946f782d29d5d06373a42c3ad1b22663278c6b8dcdfd55

SHA512
e34ec9db63f5218f75847bcb21ad17f9727c5bf4ed5bc10e93c0a83838330dbf571bffc0c8d5e7df618cae79263f3fc436d1920d5aaec07213d5631c5bf38136

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
d798db4e94ba48865e4785f24fd2edbe

SHA1
76b4f6b520d2e6969e14bdec964b1f076d3cd223

SHA256
3ae36e14d7f7be421adeae68addc9b8c7419bda9b93d50def5f22806126c1c75

SHA512
9e68fe50a0987c9795b21842f20db750c3d67d92c7cd3ceb5905ece3529190703557ad5ddff55d3812d055a0830df22b6943fc18fd7147759659781a59540dc7

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
96KB

MD5
0aae62fc74a3f2cb6dcac7868a2478ab

SHA1
2471bed0872aff7fa32c4f087062c2b389cac4ed

SHA256
95b81cf9dc1227dee570f71acdfbf649b0e29f42fb4f2fa46c1d7f229ae6b9eb

SHA512
5fa5ced435b00535c357e7d5c2752d0b5d36ac2c2e247f1cbfe857586a976d3ff446f103fcbf8bc147af2c005d6e9f0cc455a1d8bc2eddc6b745bc2e5b9b1742

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
e66c55da695e3329c86d74c40cb47cd4

SHA1
d3314c3ec6f7c03ba8ee505fb4a745bacef18732

SHA256
9761f616e180d9f0aa859919340f4dc740cade42ff605fa0823b8945ee92818c

SHA512
172081131ff7c8c5c05b5dce6a58464d0eaabc4251cd30b8f78cc1e972f2b76f73fc71e3ecab0edacce73a7ffcb2878a5d7f095d26f6dceede0de97c5069a415

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
96KB

MD5
43a308052a7e59f565436501c1a984d0

SHA1
3849438cc4ac818acaad5bd3308044c08a1f6d56

SHA256
d9caf7931d572800754a144d3d13226828c93e500d20dec83292e88fa4a6a9f2

SHA512
38a5d18f5685c8b4dd07d7054a32ab0c78edc2103f27a2bd763c518cdbf19c4aa9cf3e738b14fbfe17bab443066914aec05b238380d1c632da39ecde08a06082

Download Submit
memory/64-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/704-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2560-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3852-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3880-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4136-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4568-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4860-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4864-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads