berbew | 5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac

Analysis

max time kernel
94s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Size

74KB
MD5

3e8e5dcbe9cdf704f2544bd08431b77a
SHA1

83cc1b6c76a42bfcae98c38b9bb489a38806b74b
SHA256

5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac
SHA512

5a325fbd8ab2b8df92a43d5db4f6a11c0f2fb0d914c76e0e1de6b43156074eb4c1ca1c10d65f9f0a1cc64097e430d09d563cd973043399660a8c98725bc02c3f
SSDEEP

1536:7DTSIianicOY8NwHRZaKZW9hvJqXwwqYSP/Mqpw:7PSIywH/29zp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2116	Olkhmi32.exe
4976	Oqfdnhfk.exe
4952	Ocdqjceo.exe
4772	Ogpmjb32.exe
4488	Ojoign32.exe
2944	Onjegled.exe
3408	Olmeci32.exe
4788	Oddmdf32.exe
4884	Ocgmpccl.exe
2052	Ofeilobp.exe
4696	Pnlaml32.exe
2392	Pcijeb32.exe
1104	Pfhfan32.exe
3520	Pnonbk32.exe
5072	Pmannhhj.exe
4704	Pclgkb32.exe
2604	Pggbkagp.exe
1152	Pjeoglgc.exe
1776	Pmdkch32.exe
2832	Pqpgdfnp.exe
4268	Pcncpbmd.exe
3496	Pflplnlg.exe
4060	Pncgmkmj.exe
1356	Pmfhig32.exe
4320	Pqbdjfln.exe
2216	Pfolbmje.exe
1284	Pnfdcjkg.exe
116	Pqdqof32.exe
4736	Pcbmka32.exe
4068	Pgnilpah.exe
4012	Pjmehkqk.exe
2720	Qqfmde32.exe
3552	Qceiaa32.exe
3116	Qfcfml32.exe
3128	Qjoankoi.exe
680	Qnjnnj32.exe
4028	Qqijje32.exe
1756	Qgcbgo32.exe
1376	Qffbbldm.exe
3188	Ajanck32.exe
2956	Ampkof32.exe
2200	Adgbpc32.exe
1288	Ageolo32.exe
2160	Afhohlbj.exe
4156	Ambgef32.exe
216	Aeiofcji.exe
2836	Aclpap32.exe
540	Afjlnk32.exe
1452	Amddjegd.exe
1464	Aeklkchg.exe
1472	Afmhck32.exe
2548	Andqdh32.exe
3740	Acqimo32.exe
1484	Afoeiklb.exe
1524	Anfmjhmd.exe
3780	Aepefb32.exe
2996	Accfbokl.exe
3256	Bnhjohkb.exe
4648	Bagflcje.exe
3468	Bcebhoii.exe
4684	Bganhm32.exe
4468	Bjokdipf.exe
3308	Bmngqdpj.exe
4116	Baicac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
File created	C:\Windows\SysWOW64\Ochpdn32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Eeiakn32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ogpmjb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5440	5388	WerFault.exe	190

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfbgbeai.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbepcmd.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ampkof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2116	3568	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe	87
PID 3568 wrote to memory of 2116	3568	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe	87
PID 3568 wrote to memory of 2116	3568	5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe	87
PID 2116 wrote to memory of 4976	2116	Olkhmi32.exe	88
PID 2116 wrote to memory of 4976	2116	Olkhmi32.exe	88
PID 2116 wrote to memory of 4976	2116	Olkhmi32.exe	88
PID 4976 wrote to memory of 4952	4976	Oqfdnhfk.exe	89
PID 4976 wrote to memory of 4952	4976	Oqfdnhfk.exe	89
PID 4976 wrote to memory of 4952	4976	Oqfdnhfk.exe	89
PID 4952 wrote to memory of 4772	4952	Ocdqjceo.exe	90
PID 4952 wrote to memory of 4772	4952	Ocdqjceo.exe	90
PID 4952 wrote to memory of 4772	4952	Ocdqjceo.exe	90
PID 4772 wrote to memory of 4488	4772	Ogpmjb32.exe	91
PID 4772 wrote to memory of 4488	4772	Ogpmjb32.exe	91
PID 4772 wrote to memory of 4488	4772	Ogpmjb32.exe	91
PID 4488 wrote to memory of 2944	4488	Ojoign32.exe	92
PID 4488 wrote to memory of 2944	4488	Ojoign32.exe	92
PID 4488 wrote to memory of 2944	4488	Ojoign32.exe	92
PID 2944 wrote to memory of 3408	2944	Onjegled.exe	93
PID 2944 wrote to memory of 3408	2944	Onjegled.exe	93
PID 2944 wrote to memory of 3408	2944	Onjegled.exe	93
PID 3408 wrote to memory of 4788	3408	Olmeci32.exe	94
PID 3408 wrote to memory of 4788	3408	Olmeci32.exe	94
PID 3408 wrote to memory of 4788	3408	Olmeci32.exe	94
PID 4788 wrote to memory of 4884	4788	Oddmdf32.exe	95
PID 4788 wrote to memory of 4884	4788	Oddmdf32.exe	95
PID 4788 wrote to memory of 4884	4788	Oddmdf32.exe	95
PID 4884 wrote to memory of 2052	4884	Ocgmpccl.exe	96
PID 4884 wrote to memory of 2052	4884	Ocgmpccl.exe	96
PID 4884 wrote to memory of 2052	4884	Ocgmpccl.exe	96
PID 2052 wrote to memory of 4696	2052	Ofeilobp.exe	97
PID 2052 wrote to memory of 4696	2052	Ofeilobp.exe	97
PID 2052 wrote to memory of 4696	2052	Ofeilobp.exe	97
PID 4696 wrote to memory of 2392	4696	Pnlaml32.exe	98
PID 4696 wrote to memory of 2392	4696	Pnlaml32.exe	98
PID 4696 wrote to memory of 2392	4696	Pnlaml32.exe	98
PID 2392 wrote to memory of 1104	2392	Pcijeb32.exe	99
PID 2392 wrote to memory of 1104	2392	Pcijeb32.exe	99
PID 2392 wrote to memory of 1104	2392	Pcijeb32.exe	99
PID 1104 wrote to memory of 3520	1104	Pfhfan32.exe	100
PID 1104 wrote to memory of 3520	1104	Pfhfan32.exe	100
PID 1104 wrote to memory of 3520	1104	Pfhfan32.exe	100
PID 3520 wrote to memory of 5072	3520	Pnonbk32.exe	101
PID 3520 wrote to memory of 5072	3520	Pnonbk32.exe	101
PID 3520 wrote to memory of 5072	3520	Pnonbk32.exe	101
PID 5072 wrote to memory of 4704	5072	Pmannhhj.exe	102
PID 5072 wrote to memory of 4704	5072	Pmannhhj.exe	102
PID 5072 wrote to memory of 4704	5072	Pmannhhj.exe	102
PID 4704 wrote to memory of 2604	4704	Pclgkb32.exe	103
PID 4704 wrote to memory of 2604	4704	Pclgkb32.exe	103
PID 4704 wrote to memory of 2604	4704	Pclgkb32.exe	103
PID 2604 wrote to memory of 1152	2604	Pggbkagp.exe	104
PID 2604 wrote to memory of 1152	2604	Pggbkagp.exe	104
PID 2604 wrote to memory of 1152	2604	Pggbkagp.exe	104
PID 1152 wrote to memory of 1776	1152	Pjeoglgc.exe	105
PID 1152 wrote to memory of 1776	1152	Pjeoglgc.exe	105
PID 1152 wrote to memory of 1776	1152	Pjeoglgc.exe	105
PID 1776 wrote to memory of 2832	1776	Pmdkch32.exe	106
PID 1776 wrote to memory of 2832	1776	Pmdkch32.exe	106
PID 1776 wrote to memory of 2832	1776	Pmdkch32.exe	106
PID 2832 wrote to memory of 4268	2832	Pqpgdfnp.exe	107
PID 2832 wrote to memory of 4268	2832	Pqpgdfnp.exe	107
PID 2832 wrote to memory of 4268	2832	Pqpgdfnp.exe	107
PID 4268 wrote to memory of 3496	4268	Pcncpbmd.exe	108

C:\Users\Admin\AppData\Local\Temp\5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe
"C:\Users\Admin\AppData\Local\Temp\5e14213bd17bf478cabd1d9115872eac96e845f0809c0fdd1f624f97b85bc3ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\Olkhmi32.exe
  C:\Windows\system32\Olkhmi32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\Oqfdnhfk.exe
    C:\Windows\system32\Oqfdnhfk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\SysWOW64\Ocdqjceo.exe
      C:\Windows\system32\Ocdqjceo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
      - C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3128
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        66⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        69⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        70⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5524
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        75⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        86⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        92⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5572
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        96⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        99⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 408
        106⤵
        Program crash
        
        PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5388 -ip 5388
1⤵
PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afmhck32.exe

Filesize
74KB

MD5
4b72e69913f13db2df09a0281cab71d0

SHA1
f2cbe59c615b1d29a082ab01e9095050fa19fe34

SHA256
a639e451d2ec70c2dd7c11192efb378d5d26824f633802cf647aa202a4e52679

SHA512
11f7ecc033d212867b6579d4e3fe95aef05658536c01b5cded42e95f1747a3a241c12b11d43dfe9545ce6ac32f4715f8edf3a61ab8941f2f40a6cce400842f16

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
74KB

MD5
6dd2b81ac65adc94e91820305e864273

SHA1
76aef860830355d153ee67a5b33df0dae427650a

SHA256
dac0ae1f80576aa8a7ca2fe8741ead94e88b485ab22ec5e47d607920c3006ca5

SHA512
9708d47b39672bac23356397d90017305bc5de0a90ded2911c885c7b8297d62f14d41fe3240fc778caa7ecce922751028803074680a1ce46de246ef001fd1b6b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
64KB

MD5
1a39f8c0abedb345bf6e6b9eb32db3f9

SHA1
5eac6253efab762703959cedb3ae69e0e3dc8e61

SHA256
8cd5a44ccfee0b4570cce0ff27564d0821c00f5a77e22e05b41a30afc92ce3c7

SHA512
636b42defbf4cacf1ea7fc5a754f87cef5207a665aff9b6c9f65f77290d86268ee1254ccdfbb9039432bd8109f25f1452443070f55e0853b8ae7976b9ad4a1c2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
74KB

MD5
90cf59781b2050f242d227aa72bb7117

SHA1
6c933f6fc83542ded42f578fc9f5e37794c3e0bd

SHA256
78414fbc2fdc486cb0f042d23ff20e4cde12f8b2e9850c611f3cb866c6d490ac

SHA512
e1789baa718935389bf4a78e71f4e082786ace6cc9666ef630e2a278a2d30197c3beb13ee838a625be3835ddc255330fac67f456eac2085d2e7c64864f16beda

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
74KB

MD5
862f84fa7d6b187e17317bc9e74fbdc5

SHA1
0d43fe97d98f16f9984251ff13a4b516cc3abd42

SHA256
69fbb8eb41e9d6c19287406562d3a289e65649bb8fe86398088ca348456ff8ab

SHA512
4bea55f6fd38e578fa17af0c351a56a49c5edd58af0038c9b61c94f67364cf35b69151e07ca1f369a0257c77aafc1ca35be4934134106425ac1aeeb2a1dc9d73

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
74KB

MD5
75d1d9ab1a48dfad954eaa6a808321ee

SHA1
3b779bc3e86b0ecf4f24d02dce5d0fe2255b692b

SHA256
faaa20c46f0b133fde0e153720c05ca42fa8d77c5a1934743f2f3b4e4ed91bfb

SHA512
964a3c644352a10c6c3e2f942d1a520c23d7788dc1561ee8358b05ab86b5e79fe29c766d9cad8cb3fabe15f87b53cf1b0495a8bda261b54335f0e04270cff184

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
74KB

MD5
0edae2a4e67e8e7e673f3b3e9b483cb7

SHA1
c75e129c00b82d6b922a7e1a83ac08aa22c57847

SHA256
5760adf63e33e478e0763369a736a64a1f2538d3f990fb3763adb8dad5521d96

SHA512
4bbe79cede1abeb41d283d51b4aeeabc9f47e203c3a97f63b04484ddb8939cf6f8e49c240c2ac3169e6bc411f48aa4b359373659e63e4adef409ad7c04ef4b93

Download Submit
C:\Windows\SysWOW64\Clncadfb.dll

Filesize
7KB

MD5
4f7385c95ad077620740ff8727afd2ba

SHA1
4058d3462f72942394110e22ca9ce0b2afa0e826

SHA256
edf285ea87ad463a39c229df944f3d3833e08a8d9eabb3a8bdcc235ebbe703a0

SHA512
847921777d84c150add0621b7ce091ceb76b7f1959141c4c1874507a33b80f71b6bbde9de8ce54c40ba6a4d60401803a90b4b9a22512a0cf0bbb8ccdb24f4e42

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
74KB

MD5
4957fddbd8e7f76d44069a0aa9fa0e4b

SHA1
49942bb3055e4d89beef6a0f626d77d9996103a6

SHA256
b2f4e9cc91cafc3db0dedebe677d7862535f57093c17ebf63461b34db77953b4

SHA512
4f6f916a808fb37c88f558d101af65074cfc81aa393206ab5dfc4dc77e973dbc77d9a8555e17258beb4d12105a08aac6a10836cfa3243cdabe8a275d6f890402

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
74KB

MD5
e96e355d3b1ede96f35ca4c4704f3ecf

SHA1
faf70871d08c140578cd6b60fda023c186b57a6a

SHA256
15521e2ffd1e9d7cc1f0878c2465e041764166b085028977a7c42df0c8b67b99

SHA512
b87b268fdde0df6c8fd84e75697f4b5fe19ec3bfa8a4b3becde545a6eb2c735a63a37dc397b33aefb6cd70526f4223a29447fc2b168663768208e4f9dab9bbda

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
74KB

MD5
301cd99522a1fa79c6854f622ef5e130

SHA1
014b48ae5c18263e5038eef0bc338d63349b138c

SHA256
4b15eac29e2d8916a42ed1c0f1d1ac910866620ff4c47121beeef5ece6a70964

SHA512
3754016fdbc594e80c4a7e76517f082a17e0eb1eef9c60b386321c0a9c0add6b23091b007b9c7065e7fb35ac5eba185e055421cc120776a5b60cd6b106872565

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
74KB

MD5
2b79a82ab6f89698687ac3296b7691db

SHA1
fda4b6bc06879d8dbdf18aaf301aba29465cce52

SHA256
599cfbf30ebd8c54ae8530446f59d0277b59db45d0f9588a0d658a19acd3e42a

SHA512
6e3444bedb715a8cb6fb1ba99c62444c394186790fca7ee6e47429f7db5b14b412ab30c12b3cab7693b3d6f17098d298ecc34ecb4cf60af023e67054cce36c6b

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
74KB

MD5
3f10978b93a83dfb422bff864a6346ff

SHA1
6ea7aa33f52e02a7d6c2f5c3484da0a71ab9cf46

SHA256
9b2beec825a740221697753de52707a521cafae1b3c683239ffcac29fce5745c

SHA512
490b749e91651e59ba302e448da3dae826ec6e788c5289167bd50c95340ed43c42edad393854a77ffc180bebcf1d5b494e09ac217bc55c1a3d510aa16fe92130

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
74KB

MD5
4a40aa833e15f6e04059fcfa0cbb74d6

SHA1
0aa06aea06378ac5011df34ac79474cca80f7f2d

SHA256
9dcff84708aa727a769e7bc9075b58e097618bb462289ce41b7e0089718126df

SHA512
dce2546eefed9345f676580e466fa6d957928e80548e5aca3acd107fbfe10b35a8002573938d61d46fb8c242b076bfad89cdd2c73308a3bf835e06a5ca82166a

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
74KB

MD5
b7cc5dd05282426eac475770c7d3701a

SHA1
c209bfbb66002cd99d5675f4456a185a31f36bd8

SHA256
20ab909fb211311b6c3fd2a8c560139a901f8297d35cbb1bebde772e82251044

SHA512
c32d86b5e81c7399ee33a5720ab8851d2741cc482fde7fffa3459ec676121478ac8f44fc5c2268aba658beffb1939761a13106078518dcbb0fb2edf951b85fa8

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
74KB

MD5
3e5d6e6b3d3cb628c80068f1ebaf4140

SHA1
1f60ec14a0e9c0bc38909bcadb4389001d743554

SHA256
475e3d08d0263469d8229016fb739425b1554798862fb415f5a17ef4f7fffe44

SHA512
8a33f6e3058c90f40f91e3587c7d17f4b661f68cbcdae1281f7a7f8712ea67786610990407dd968ad2139735654fc4de9b2ed727f4c68e8009890f2643bbc7fa

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
74KB

MD5
3f3ea2741761d9e3fb5e01c46f8ae331

SHA1
f169f328172e9f76f069150178bc894c98268e6c

SHA256
99464a1afb10daabd77a6a4d87dcbf53d03eb9b616b81b680ef8296ba194c868

SHA512
5331ba70cf82b7b99a5308f7f060fe9d8d16fbde4815cf80f03a8a5c8942ce702dfbf636664075e1bfa53e4481b02565b80e5115ff2a6bb64e9301cf076a7dc0

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
f36d4db0b0d5bc46cd6c2ab657f3f214

SHA1
dcbaf151d8c61f0d540b63540029f6572d4ac772

SHA256
bae9f31cf81a59824c4df87887b398449477149a43aec8208191b30deff26d63

SHA512
ee19c13f0126fef3fba1dcef7c2036888502841ab6f78e12aa9273acf3c0e5c2de298b806bfd8bde60409c1ea4dfe860cd1f4425a102b51e94ef66922f1cb1e1

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
74KB

MD5
ad68b455d3b6f98d07ca9e92665fdc82

SHA1
9205421224dfd52787bcd80d4d916489d1d7e362

SHA256
df4b8705023a90a435713f8f7f3e3db0b273196863a04ed7377894359d6aaaf9

SHA512
07462031d6f1793a0de6669079da0d55daf763dea276ed5a8d3c9b2e2e261373a86e5f13dc301227cb245ee8efa282d98fe338a965066c7e948d20334dae159a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
74KB

MD5
e18d910b1f69ef143d399b0db45cf32f

SHA1
85dea57954b36a69c83ab46c0d5f3fa63d750afa

SHA256
27bbb99741c270b6a206e6fedb778099f77ffe9bd788a5a912ab79743a10c147

SHA512
a3288c99e52334a549bde76a1fb5f2da279ee35afc0cadea2e85bb1bfef207d4dcfe253644875724bec2acfe818801caec6dc39919f632f17ab3227c47174011

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
74KB

MD5
f3dbcf81e5f68ed8f37d0aa5c1e19685

SHA1
67e08a1d5c15d635e078b3e39a2bcbf693abb286

SHA256
e47a0df7b7160751c03f0a6ec3be9a5a8169d9e1db884942693561a79f63e4ee

SHA512
d83aed84a1931ea4ab784e0bdb6027f1bbaf14bb3551309d7ec82a8e25397c7c583b4de7e387614af9348d21cda5d88886e81810cc37bdc5663596a85912622b

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
74KB

MD5
fed54621a8c4d406d466ca2bd9a83bb8

SHA1
0243d62ca0113e7854a13acfdda468cdf2f7aa3d

SHA256
f214a8ebbf01e41836235874492e928f8e8881c73645d14f96fde56d6188043a

SHA512
99602acedb9977b70d9491c3c7f997d2315567d09698a0bc4bb7e356cb0bafcc3006f7d0b939da7913456d97d8cff0e636b72883c2f8d84d287280fd79afae73

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
74KB

MD5
ed207721d0ed188e7d97f1cf51ce2c05

SHA1
b09ea83b7f536f99ad6df736f1deaa3c8e06756f

SHA256
3769b296c469a0f653c5d080c923ffb8719789466808421310c07156225bd714

SHA512
b3e8bbe83b671523891f24df418410e248ab2e1711cd4d36941b09caac70dda7c56a11ac6b0e243530e7da28b5cfff83f756d15c31f905aa233a29e9d84181ef

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
dc072247437cc8babb23c050e2fea4f7

SHA1
7cf0e9f8b9f440dd97386b2f34f5057ec7298f69

SHA256
7b2e65e493c328e5c4d7bbdf56eb7f20c46fe41d5d50b55ee0d2671a5ce7bdee

SHA512
b9af0affc83ebe19322b4046840e1364059f9cd23f8664f9822489889317e25f55ee8812547ea71fe3feaca643e0979052ded3fb881edd1822311b05041de20c

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
74KB

MD5
cd8916973a938f03abf5d2afdd9d053e

SHA1
b96278594fe1e2a34a0815376693a96ffda0726d

SHA256
d6632431cdff37e67a81f2c69685fbcc442c1c59c66abb2808a79ec2ca8a1df5

SHA512
84934b6ab8f17209d7e26034cde04daaf6b05947fade822b00227a4259c4c9e960ed4699c4460e0791539d3ac6984745d0869cc6ee64c4b12769df50f54a6568

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
74KB

MD5
91e1a5f0556b3342d0b74b7b616af83e

SHA1
3f83a712847e40d8315b88200de730d335895f68

SHA256
0afcd259eaa70e8d3d7f975738c4647c630732170db2a52077a5deb7a1b547f4

SHA512
8f707c5e240b554b668ae4c44a88ce40e22b245e8cb58f65d0f71b4bf55ba03ca01b71ec3825168c256c12ff7de4d13ee9139036597b8f7fb3214a22d185cf00

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
74KB

MD5
2617e691d7db7537e5087a825afb1b2b

SHA1
202b54f71e622a7b3c7376fd0129ca9a7aa7ffd2

SHA256
dffd45e2ff144d062dc3821831dd070ceb34feddaeee481df5d95f7fbbfd8a86

SHA512
2cc140d5009f64c9fd8874da76a036f6d944f780bccb4b15c1ad1b3194b452d38cbf8257946ca74b060fc399c8df609febac3b6386a36b268d0a57ade8c00ad2

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
74KB

MD5
dcc472734dcbdf6544f385d6b112adf8

SHA1
de5a1dc1d8bb4087df38a6b2baccc249c88a9dc1

SHA256
e399e591091357bf605e7c602387d6bd755a22242e8e1eeb32ed537fdef4a5c8

SHA512
0a4d0c94397c0b75f850c321cb41bacd691d8d801980ee30a021edae69ff178d7fadb2b9ea0cbbe787134478adeec208c99f5c849b0db17b7df0eb7c8d9828f5

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
74KB

MD5
56c08311434361dc59ab63a7aab6c5f9

SHA1
f3fb30d50ebc0c30a901d86a6f77c3826a7013ba

SHA256
6d368a79c9e6304a23448ec7d0a4033cec9dc736441a538db59ac714ee47c526

SHA512
514ed74edd143c9b9675787f18c082f451ff4fbe5de15d99ab3a7d33188c11e566a25ddcd3e7c89ff2e75e00c99c5f41ac609310c95ee89797225c52a4b2a102

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
74KB

MD5
c222daef13e1c1e2ba8ce5436530e5d8

SHA1
8a009fe1e5730946ebb826c6e1a698a01b5dd4ab

SHA256
6dcd55c206dc5e68c2640ff6d8e0a9caaa3c6a729413f195b655c7966421a312

SHA512
d431b0833dd8477008088470d5c4e8d2a6da6f21e8ea2dac43def54fd56ccf348cc6749ab46487b8ff5386374a8e44b164103ecece8c067a4879310a096ee326

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
74KB

MD5
2d5785c68bae8190b4a1a0104a04fd68

SHA1
f585d20d572fd66a61cd5f9b941c6ec6c5c462ca

SHA256
0adadcb661d45cbb5694b8dfa837c1d9e87c2988eae56987aca95962501f68c5

SHA512
b137ba13fbbd79f298f2a7c88626668163b0831f0dec4f33e97f8126da300b68ef272a320a118ab305242171ebf1ce6eaf8bd0f8612c99ea2d68d3aeebd368af

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
74KB

MD5
9d5ae50c9835900ffccba05c49c5552c

SHA1
4c9fe1942a51453f42b5ccffd8a22e1783b9b3f3

SHA256
902c5c556054661c2f1148cfef824d6ce717626a5aecd62166729e7da77fa725

SHA512
11fcd75149bb06beb4cc394ab3229029f01de1265bd534809724cb30acb6d592804edb8a441dd9dab1b11a830261892aa59c5fdd29507c96dbb147737ccded23

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
74KB

MD5
f72d015502ec6c37d74bc0e980194d09

SHA1
e0a34166fb7521aee88ca80d49b96c1b6e36c0c1

SHA256
c56bed9c7bb893957b214db7084f1937f4d867f30c5cba3b924ec8744c126ee9

SHA512
2673a3a79afbb6569cc6dfb84343854ce6a880ac77ab5a59f962273ecee651056b0e5245b075731c443ce0515434d66e37d997f72387df41702772ef5bdaf6a1

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
74KB

MD5
ab044e7a35409c5a6a4f49888ae0ae0e

SHA1
1809c08196c048f90b5f3459e6de4635fdc62e87

SHA256
adc8c8ae115d4ef43141851023fe80a89d6ebf971923754beaa2fc5c980bf0be

SHA512
f549e597fe178e578269ea7d38dcae23e63419d5080004241b55c1ac40a641174a0f832b448b14634892d864146b9ad02c6fc4bcf58dac4db1d634fa950eb07f

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
74KB

MD5
6bb9dd496a6feed5c5ab446176530655

SHA1
34cb85cada7fd87045fa0714e07d6ccb4726ae64

SHA256
bd1b65f72eaef72bdaf6f4bb8355485233714b4da2697fbc56a15e3f38105d2c

SHA512
979c812469f2384ec5fc831009321bbb62754f8cd444568f263839d58679202e46e3b144ec07cf41a4484cc5e0ca41cb372da97cb76fa6411f826dc3aa07e2d1

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
74KB

MD5
ea9c72f0cac4279a3f9e316c5c137ffe

SHA1
d2c5f5e90b1539422b92011a1cd9cf8ea2fc9b21

SHA256
5d24a7b9ddb7b29c276e2dc6e63ffd99fa5c73c9cb9c23784df32ff9f2caa3cf

SHA512
ca79d98ae4a5e66571d6eadeeae685a11f8ad440fb12a1bf178a3871a1266ab6c4baaec845da3d2cfc28e7ca3d07203d64406d5765b0ac81b7c216f195234d8f

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
74KB

MD5
984047e647d5341b68aada0fd7276304

SHA1
8a64024917dc8538ba3d62f554b8d0a0480aca6d

SHA256
672d45998a143c69c6875bf1a364be4702302e17b6950ea777d164938154c522

SHA512
c6b17cc65efce7353eaf93febd05c0c7749f8aa1f93daf9835e77904d96d3ee7cf11392d7dcc91487e4b4e15ecbfa24387642236cc1f03efd4d3cb0a286b3b97

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
74KB

MD5
99ef441f01e33649105a6df223017b40

SHA1
25dedf5bb39993f04da562b9ec87f2a5451f2208

SHA256
5f8acdca200ea10d14df8d29b738907ed612bb1cabe654c3ee782db432154a19

SHA512
0de9eeac8425d83d43e3f6b769710cd80286453f00ca52f2ac244357826de6cb2b683b28c16f643a7a8d6f3ee11fb5e5e1052f41374b0c92e9f5375780e8aab4

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
74KB

MD5
d073d2ab98c35b6052af4d9355750485

SHA1
2af085f986fcb407514c817e61377b1b6e81e79c

SHA256
de29b246ec4bda32683862bf9e8ecbd76b5444ea91fe1acef5cd10fd5fbecbc4

SHA512
492eda804c4564d172f208cdc69d18ae8bb1d0bf96e134b3b1b15bb7b8b7319719fb1c36330effea5e83bb3977dab93e4de03d52bf4c87ed5cb4e184c2657863

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
74KB

MD5
cce6d820e326b6a439de1120363989ad

SHA1
2696e72c0ebfde457de95b0865178bfab5ba9d4c

SHA256
aa302447d763611761122f98ddb77d2f4a8df52daff4e344acab973ec23a2b67

SHA512
cb49a5d99348f4fbed50bb1a44f5dc4f53e865397ccfd2071f0223d94d7de1e5d7dffaa3383961d5ff680b6b2516663766426aea49cb35316bef25f15ccc3478

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
74KB

MD5
14b72a3fe6000eff9f31665e2e5b696d

SHA1
e2c26f5acf169d02dc50831ad21bbfcbb09d5cef

SHA256
a7eff966aaedc504cc0579d73119f94057a92cbf67a91007626aa9d4aaf57db6

SHA512
d7ff8bc1bd816f673051142bee967eca1387f321e5ea3126d4581d6a2618884605777c01285c219c8ac0f0b96ca63999d1ea2113ce9bdc5de2eff48758bdface

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
c6a3f2a5f1c96cd05ec4419ab0fdf569

SHA1
8406cd8e01ad1f4853ead6eafa196073ec388657

SHA256
b984831a6cb31eec4d1f8573200cf113e66c48aed37fa212432be5fe5e1f9944

SHA512
3b31743532ed051f5d91cfb09f8d5ac539bf7d07976a914fb431d386574b02ac80bb35ba77bd8ce583fba2781917dbbd671418100835bc02963f823342e742df

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
74KB

MD5
1d46b7ee08fe5c76201f1a6360037d75

SHA1
ff58e7ee5237ff290b18ed67bf5892e73e2ae73f

SHA256
e85c83ad655b909c4c040531d11f45ae32015746699e7e1fac7328617efe8b52

SHA512
33008263a1b10559c37dbe203f951ec551b8dd417796b5076c59b222d86663e82bc75c7595d371cff1a0bb12824b53d799d98f6a82c308360fc231593fe9e8bb

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
ddbf175da70e716d603211cd28ba9513

SHA1
39cbfc80bc52029a7b735b3e7d439bafc78038dc

SHA256
16cb56cb20e830462a1a245ef162227e58f5f4ac3a97e22c2bc06842dfa8d726

SHA512
784356ce8131fad12422740a2a935f6103813390030c1b844bd989a11b547fe691637f1baa7b4eb3b5302916d3350c06fd88f096d9b0df52e767b0cb3f922f19

Download Submit
memory/116-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/216-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/468-587-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/540-352-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/680-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1104-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1152-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-216-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1288-322-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1356-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1376-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-358-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1464-364-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1472-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1484-392-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1524-394-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1756-292-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1776-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2052-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2116-551-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-328-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2548-376-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2832-160-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2836-346-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2944-586-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2944-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2956-310-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3116-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3128-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3188-304-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3256-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3308-442-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3408-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3408-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3468-427-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3496-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3520-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3552-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-544-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3568-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3740-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3780-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4012-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4028-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4060-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4068-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4116-448-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4156-334-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4268-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4320-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4468-436-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4488-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4488-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4648-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4672-464-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4684-430-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4696-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4704-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4736-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4772-572-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4772-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4788-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4884-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-565-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4952-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-558-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5156-466-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5200-472-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5208-594-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5244-478-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5284-484-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5524-490-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5564-496-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5604-506-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5640-508-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5684-514-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5724-520-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5764-526-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5800-532-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5844-538-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5884-545-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5928-552-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5976-559-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6020-570-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6064-573-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/6108-580-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads