berbew | 961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
Size

704KB
MD5

dbfb93bf262eea76d0b3741388bb04c0
SHA1

760674bc54172510b187dad4e495831842c0b7f9
SHA256

961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3
SHA512

ca8a2e1f10e59a90ddec4fd8468c0a5e5e594ebd1ac6785daf214596634080d34333cb1387161ce684b1346d1e8c3798b390530f02097568faac3a024fd7d269
SSDEEP

12288:qBxBaph2kkkkK4kXkkkkkkkkl888888888888888888nusMH0QiRLsR4P377a20i:qBxBaph2kkkkK4kXkkkkkkkkhLX3a20i

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncdgcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncdgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpnhfhf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2876	Mcpnhfhf.exe
3196	Menjdbgj.exe
2456	Nilcjp32.exe
2888	Ncdgcf32.exe
1172	Nphhmj32.exe
2792	Nnlhfn32.exe
4932	Nnneknob.exe
4324	Nnqbanmo.exe
5036	Ogifjcdp.exe
3960	Opakbi32.exe
3432	Oneklm32.exe
2700	Ofqpqo32.exe
2656	Ocdqjceo.exe
2044	Olmeci32.exe
1468	Ojaelm32.exe
1232	Pgefeajb.exe
4524	Pqmjog32.exe
3980	Pnakhkol.exe
208	Pflplnlg.exe
2660	Pqbdjfln.exe
4736	Pnfdcjkg.exe
4808	Pjmehkqk.exe
220	Qceiaa32.exe
3036	Qmmnjfnl.exe
1952	Ajanck32.exe
3060	Acjclpcf.exe
1324	Aqncedbp.exe
5100	Anadoi32.exe
2032	Afmhck32.exe
4784	Aeniabfd.exe
4584	Aminee32.exe
4560	Bjmnoi32.exe
4848	Bganhm32.exe
4344	Bnkgeg32.exe
4316	Baicac32.exe
2924	Bffkij32.exe
4992	Bmpcfdmg.exe
976	Bcjlcn32.exe
4968	Bmbplc32.exe
4676	Beihma32.exe
2028	Bfkedibe.exe
5096	Bapiabak.exe
4964	Chjaol32.exe
5068	Cndikf32.exe
2104	Cdabcm32.exe
1020	Cjkjpgfi.exe
3728	Caebma32.exe
2192	Cdcoim32.exe
4244	Cjmgfgdf.exe
1240	Ceckcp32.exe
1788	Cjpckf32.exe
8	Cajlhqjp.exe
4184	Chcddk32.exe
3304	Cnnlaehj.exe
2600	Cegdnopg.exe
4420	Dhfajjoj.exe
1320	Djdmffnn.exe
3540	Danecp32.exe
2996	Dhhnpjmh.exe
2384	Dobfld32.exe
4360	Daqbip32.exe
4664	Dhkjej32.exe
2248	Dodbbdbb.exe
4004	Daconoae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnneknob.exe	Nnlhfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Menjdbgj.exe	Mcpnhfhf.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nnqbanmo.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Onliio32.dll	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Odgdacjh.dll	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Pemfincl.dll	Ncdgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Nilcjp32.exe	Menjdbgj.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	Oneklm32.exe
File created	C:\Windows\SysWOW64\Ojaelm32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Olmeci32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Nnlhfn32.exe	Nphhmj32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pflplnlg.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Mcpnhfhf.exe	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	2712	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Menjdbgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncdgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcpnhfhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilcjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapgdeib.dll"	Nilcjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empblm32.dll"	Nnlhfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nilcjp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpnhfhf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odgdacjh.dll"	Menjdbgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 2876	4000	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe	82
PID 4000 wrote to memory of 2876	4000	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe	82
PID 4000 wrote to memory of 2876	4000	961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe	82
PID 2876 wrote to memory of 3196	2876	Mcpnhfhf.exe	83
PID 2876 wrote to memory of 3196	2876	Mcpnhfhf.exe	83
PID 2876 wrote to memory of 3196	2876	Mcpnhfhf.exe	83
PID 3196 wrote to memory of 2456	3196	Menjdbgj.exe	84
PID 3196 wrote to memory of 2456	3196	Menjdbgj.exe	84
PID 3196 wrote to memory of 2456	3196	Menjdbgj.exe	84
PID 2456 wrote to memory of 2888	2456	Nilcjp32.exe	85
PID 2456 wrote to memory of 2888	2456	Nilcjp32.exe	85
PID 2456 wrote to memory of 2888	2456	Nilcjp32.exe	85
PID 2888 wrote to memory of 1172	2888	Ncdgcf32.exe	86
PID 2888 wrote to memory of 1172	2888	Ncdgcf32.exe	86
PID 2888 wrote to memory of 1172	2888	Ncdgcf32.exe	86
PID 1172 wrote to memory of 2792	1172	Nphhmj32.exe	87
PID 1172 wrote to memory of 2792	1172	Nphhmj32.exe	87
PID 1172 wrote to memory of 2792	1172	Nphhmj32.exe	87
PID 2792 wrote to memory of 4932	2792	Nnlhfn32.exe	88
PID 2792 wrote to memory of 4932	2792	Nnlhfn32.exe	88
PID 2792 wrote to memory of 4932	2792	Nnlhfn32.exe	88
PID 4932 wrote to memory of 4324	4932	Nnneknob.exe	89
PID 4932 wrote to memory of 4324	4932	Nnneknob.exe	89
PID 4932 wrote to memory of 4324	4932	Nnneknob.exe	89
PID 4324 wrote to memory of 5036	4324	Nnqbanmo.exe	90
PID 4324 wrote to memory of 5036	4324	Nnqbanmo.exe	90
PID 4324 wrote to memory of 5036	4324	Nnqbanmo.exe	90
PID 5036 wrote to memory of 3960	5036	Ogifjcdp.exe	91
PID 5036 wrote to memory of 3960	5036	Ogifjcdp.exe	91
PID 5036 wrote to memory of 3960	5036	Ogifjcdp.exe	91
PID 3960 wrote to memory of 3432	3960	Opakbi32.exe	92
PID 3960 wrote to memory of 3432	3960	Opakbi32.exe	92
PID 3960 wrote to memory of 3432	3960	Opakbi32.exe	92
PID 3432 wrote to memory of 2700	3432	Oneklm32.exe	93
PID 3432 wrote to memory of 2700	3432	Oneklm32.exe	93
PID 3432 wrote to memory of 2700	3432	Oneklm32.exe	93
PID 2700 wrote to memory of 2656	2700	Ofqpqo32.exe	94
PID 2700 wrote to memory of 2656	2700	Ofqpqo32.exe	94
PID 2700 wrote to memory of 2656	2700	Ofqpqo32.exe	94
PID 2656 wrote to memory of 2044	2656	Ocdqjceo.exe	95
PID 2656 wrote to memory of 2044	2656	Ocdqjceo.exe	95
PID 2656 wrote to memory of 2044	2656	Ocdqjceo.exe	95
PID 2044 wrote to memory of 1468	2044	Olmeci32.exe	96
PID 2044 wrote to memory of 1468	2044	Olmeci32.exe	96
PID 2044 wrote to memory of 1468	2044	Olmeci32.exe	96
PID 1468 wrote to memory of 1232	1468	Ojaelm32.exe	97
PID 1468 wrote to memory of 1232	1468	Ojaelm32.exe	97
PID 1468 wrote to memory of 1232	1468	Ojaelm32.exe	97
PID 1232 wrote to memory of 4524	1232	Pgefeajb.exe	98
PID 1232 wrote to memory of 4524	1232	Pgefeajb.exe	98
PID 1232 wrote to memory of 4524	1232	Pgefeajb.exe	98
PID 4524 wrote to memory of 3980	4524	Pqmjog32.exe	99
PID 4524 wrote to memory of 3980	4524	Pqmjog32.exe	99
PID 4524 wrote to memory of 3980	4524	Pqmjog32.exe	99
PID 3980 wrote to memory of 208	3980	Pnakhkol.exe	100
PID 3980 wrote to memory of 208	3980	Pnakhkol.exe	100
PID 3980 wrote to memory of 208	3980	Pnakhkol.exe	100
PID 208 wrote to memory of 2660	208	Pflplnlg.exe	101
PID 208 wrote to memory of 2660	208	Pflplnlg.exe	101
PID 208 wrote to memory of 2660	208	Pflplnlg.exe	101
PID 2660 wrote to memory of 4736	2660	Pqbdjfln.exe	102
PID 2660 wrote to memory of 4736	2660	Pqbdjfln.exe	102
PID 2660 wrote to memory of 4736	2660	Pqbdjfln.exe	102
PID 4736 wrote to memory of 4808	4736	Pnfdcjkg.exe	103

C:\Users\Admin\AppData\Local\Temp\961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe
"C:\Users\Admin\AppData\Local\Temp\961fd7c38732890016ebe6015f6c1e2f13808dcb6f76c450a3b35b8ed57f1fb3N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Windows\SysWOW64\Mcpnhfhf.exe
  C:\Windows\system32\Mcpnhfhf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Menjdbgj.exe
    C:\Windows\system32\Menjdbgj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\Nilcjp32.exe
      C:\Windows\system32\Nilcjp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Ncdgcf32.exe
        
        C:\Windows\system32\Ncdgcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:220
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        63⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 216
        72⤵
        Program crash
        
        PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2712 -ip 2712
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
704KB

MD5
ea7c430bd43aca0fba6518ed70f0a897

SHA1
73fa31b938a889921695f00ff4ed306d7910d61b

SHA256
4e4bed9400ae0998058d86db6b9ef71e3c09b119f2bc78ee67401bb579564b98

SHA512
b2b0abe3a04126155e7fd3385f7933ffe6bbc50e17d00e3beca20454efb39535f23633bf52fe66b7d6e8c8e41cc36ebd6a850a52539bf7ac9a8f53651d962439

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
704KB

MD5
e60da8751b5d95defc670f7b344f46ad

SHA1
53a6bfd2e5ed9a071684c29817b667ae4d4b2ba0

SHA256
35f0e29fd606054e33f9fe8c304b7fc92f11e3dc0c4583896cdd79441a343401

SHA512
6e14194b34a143e77ecd3d05a5ea0d46247ca8559c4233cf7a374ec11cf629e43eb11a954ae92d21d35ebd2515e382204a2f279de3f9f1d549c3d0cf8b872bc7

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
704KB

MD5
b4f3cf20a792a46622b2fe6d9bcf90a3

SHA1
96affacbd13a931d6b53c49e099d3fb21f470b59

SHA256
e6cb0d930c2eaa5aaa45f9f02fcc8adf1f0c467363575f48cf00259d96c16338

SHA512
2f532e1d4a6e1c5a97ab67cdec496d8235085eaaf6284ef6cc646e42f86c52d0e8271f3381a75b6ad475420b37c371657131957c12dbf54181c56a9531cf7db1

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
704KB

MD5
9913bff8b1f2e9b4478debb3a36fb2dc

SHA1
b2328f14a234eaa585dc3154f61d2f1c365e05c9

SHA256
3a4770fb447fc121b0055a44857fac73a69b76160a65561166709adf4f53b925

SHA512
73e4bd3421e1af516f787ad82d6c355fe696aedd2b07e15be1e37f2ff7abc3a64b1b3b9975cf33bb31d6a08e8d2c53ff112d6f2dd1c862cdb00351efbd8f354a

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
704KB

MD5
b7bb6529be25dd35908e004ca6c5b457

SHA1
800438bb2e94563bc7de7269c2c521d82adc7595

SHA256
977a4a4def88a1cd54827b6bd8ed5d524c931a3e60de6e190c98e5fe1eb3f3f1

SHA512
a60c93ec01ddf9c911ed12b14ce9e104f00c63053860ee2896c7c67572c971f9a1f0f010413a38fc9ab25f6be12959103a8ce944510461bed2ef93a5f597a74b

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
704KB

MD5
25aea40c6c23a31ab83816dd8df34a61

SHA1
df1b3a2e2ed9d4fde04f409d7a80ba2c889a2588

SHA256
2863ae3e183a1c194e6aeb6b226fb55e953cdcd5283de9a42a040de9b5577b3a

SHA512
f8449e085407ea9f221a85ed3545d4d67e0cfc021b5578bf3c21cdabc81710c8ab9b6b858729ca68a076bfa1ca793340b7d5bdca3ea627e0b1ccc07e0842bae2

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
704KB

MD5
1c369c9266c1c43ce8ef445888de5bb1

SHA1
c9e1fe42f8575b71339a8d4b838d92b3f157cd54

SHA256
f446face519c9e6ea503c8b0e1cfe3f506d343c28af9babf7d16d2594ef38f11

SHA512
19498b6b460949d9be9da78fef16dba00ccdd5b860c400a0be1fd6398d650ce39e8832da0706dd660f05349ada9d5d1f09b939a4b76bb79f1c7434ae08f4d9c8

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
640KB

MD5
ab3ea1e8029635e90182ae588d89b619

SHA1
33d3374d1e2e619503031be924b6981ef56e1e61

SHA256
f113c65877b8b159715d0073b6bf773443ea9d1a53835d93cb37f7adbe844150

SHA512
d0eb1169d92311772aaf658f969c8c370c9ca65c42d719cd46203bd8f72b86fe6af320ea79bd9d8c81298ebcd2aec99f8bcc939b0d1363d06f20d7ed50cbea78

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
704KB

MD5
83e4272bf6e4f7e44be47a2b3f56187a

SHA1
e19de43b13379f9badc52ee949116b69a3adfcda

SHA256
eab8fbf84cbc2038da71d28aba69d93af1ad589179d13b4989ff9c8116b3bcb3

SHA512
941c713e6a59c3dab5cc58c33fc3bd23312ef611832b4384f54733dfafe1b26982acb2691fea2b53d939eea378f870b662ac0b01216d7a21f83fbf71e5be7e09

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
704KB

MD5
efe6b585d71c3412c074132fc346851f

SHA1
f1d7762d9a9a41951c098941075f907dcff19be2

SHA256
df01f668fdd9475f25fd74d383d9bc04797d9497ac503317c182011baf45f0b8

SHA512
a9a933f7264748fe8d16fb36c503a595174a0c33044743eacc9fb4a1ae5c148c92e18864615e10c4cd45add448f1309e3696932455ce28ae6ee7cd8334cd25bc

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
704KB

MD5
53cac5b7f8f37b501d5ce71e1b89a1da

SHA1
edb35687d2721e8c39dc7669faff54f8eefec292

SHA256
d7e9e9a57b895b87af780fe02b912272dfb098c6bea3ee841ea4b85ae558eccb

SHA512
265f1d40e54cac39c6912cb1c40ff9a16d318f344da161c99f2492cb793712b18db45bc352e6670285a593e592ae56872eafd75844a42438fca3b89eae789d3a

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
640KB

MD5
a789d94a87b9cd365514ac783eb939bd

SHA1
de5f562466be45c99a9f53549ac5a1f67e5a29d1

SHA256
11b46ddca4d99ffe21b55806fed42adfebf970d05870adaf52f55632b0ef466c

SHA512
19b9922a229641dc42d4def6e6c6278d14732250f7d05ec6f13113a91d3220c576a6ed895638ada7de47f8a450d2318f5dcc98076885fd482445383816b0f864

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
704KB

MD5
67a283c523c01e4ff35e2bfb550ce912

SHA1
245b9fd0cdaee0cef3c5963fa0169fa334b0effc

SHA256
eda441ba4e1f7b92be7adba6c217e0bee7ac8c0737149d7cc6d5f26099482ae9

SHA512
e65fcff20043d93ba667341593e1db94fa138e355fa285898f3a8ae58628a9ace601394633e5fc51d6c61ec09e60928a73910053f525c0d7c3894a10f5ae8282

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
704KB

MD5
f61d847e8f7ed25d1d58a34840a26b70

SHA1
93a1d1db559bfc9fed614a15312450f1af3d515f

SHA256
3c12ab762ea0f53eb94debc4d73b45105aca8e246e9c486a2c5136e621d3fb71

SHA512
9673979a756f1f58ad40285682f0e1f2063179ba364f1b9e4ee5ed422b475c5b7de6d3cdfc80b650d6440400ff803178369d7063322ba8f85527d7b0a7f46f5e

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
704KB

MD5
8c8d70d58574b0a44a14b2d43a14e965

SHA1
df9064e5508a841ba35cdb2b51485a5a394703ac

SHA256
5741eaec5136c31395a9dff85c1a9ff331cedbec2258b255c8b036f4f5f71561

SHA512
daec01e1463f04a568e113e79c3f0de44deebdbd4f91cb6d21ba426cfb1f318d527eb8eb41761117e4071599dfbae87eb721203cccb6f19e2c0515407bac2eb9

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
704KB

MD5
29dd85da088cd7c5d1f11bc5275264ad

SHA1
b4fdf3808e27fc20178e755cfcc43c1ca99d6847

SHA256
19d87c3cf1463d40c4aaeae79e682a468b4fb05d8912be1facdfdf2ba756809a

SHA512
e0eb604a7611cea3c448f7e7527235e216baf04d2ef6a1dd3826e37c18875176433d92cc1119583570ae5b38aff49a562b1022e1dcf6b5769950748e0f85a8c8

Download Submit
C:\Windows\SysWOW64\Mcpnhfhf.exe

Filesize
704KB

MD5
8683c39bcbfce5341a4b93e12ec61a02

SHA1
01414d6eb71bc122f8e66e2d71304ed686197151

SHA256
4175e39b24f8678f3a851b48a3138f61e24de0e5d50d9af9bab5183dc3108e04

SHA512
b35e559997e5c9f8409426e9af0973a04c941fee0ec22cc29532797753863b9f4c52cf0f32483901ff3c7334b97f48e44ddfa71102353007b5139ef4fbcb1633

Download Submit
C:\Windows\SysWOW64\Menjdbgj.exe

Filesize
704KB

MD5
3e73e246462a7d840cc432fd773a8451

SHA1
882102f867c9b8f986d6e88afab5e4878120b69c

SHA256
4e97d33ec780c6f9cb08894c20a5d85efd39b16793383d7c49c433293c26a54d

SHA512
684eac0eb6a4a6fa22dd22fc61dde4b6147c76f2f03e5b14317708f50ddfd29a0f21b1f9b933ae5493652504cdef5207c3fed1d5054daa12a3a89943822b7788

Download Submit
C:\Windows\SysWOW64\Ncdgcf32.exe

Filesize
704KB

MD5
15f6bbc076d30571f9b24659941f9eb3

SHA1
ae40c4cde7c863207b2f8571732f8d31fd0bb61e

SHA256
478508b5c16be0546dfa76f52c3045310c601eee995affbe81511aa3e16cfebe

SHA512
462c83b38fb53cd3ab03986f80122e4eadac4d095684406cc48b5abb252adaf5c3ac4fe11a7c1fa8e8d919f8ca22824f25da9c0c6528e2aeb34a2aa58855777e

Download Submit
C:\Windows\SysWOW64\Nilcjp32.exe

Filesize
704KB

MD5
57e3d3f5b37aa76a96bac7c9438da056

SHA1
a29e2fa41a57f7063aa61f8aebe879df4418d902

SHA256
a868eeabd3f660dcc5bae3d90af342dc7b94abc1b2727a04be2e64e3a139e05a

SHA512
2844ed3ebf1f42c4487c0d629f412c385c5b0129c7218bf8011c10dc5ffe8cdc0688e97f87e5d5a1226fe9f88e3bb4b2bac3e8577294fb4828e37902c190a6a3

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
704KB

MD5
2098cc5ae87a487af9b2f8b68a93fc44

SHA1
8374121e247671e0415029499c5e5cb676933d22

SHA256
83bb95e001b0165fa6870ad145d5018f3aba258b43861d32d968562abd9bb0b3

SHA512
3747d277935c61dddd7d4b4ae2d62351683007a0398b44a3bcb1e1b76ecb99de61a7f3752cc236dccaed45492492d9db66ed50577d00e09ffe11f431e346c46f

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
704KB

MD5
9b0356b5c9b4345f640c086db08b9ebb

SHA1
ff93a58384649b4d70e17a6b9fc42b22ba4257c9

SHA256
0f97f2109378e86fce42825fe5a840e842773d3672cf57feff6192edc67d833e

SHA512
ca19b7f909cc8b7f00158d67c6587a54953493069381831c6b7cdaeacf486a9f5073180f1b16db35511c6e881fe3b64c22c0d103a3daff468003e72d8bfedda3

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
704KB

MD5
b9c47a38db0c05dea47d8f802383487e

SHA1
c1e71be18f2dcdfec3ceef88e9d2eef616943232

SHA256
e0b8394cacea3dbdc9164aff61a377be4a5c74034e694ef055d02dec37d6c188

SHA512
270e99094231d7181235e0d209ca5e3686dbfa20befcbe6ba0dc5671d97a40dcf02563184de293b6cf6bb007a047c89e8bac5dcb311ad0111999cf2f8d4fa61e

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
704KB

MD5
34166bf5b89bc8ab6cf2bf3d1a5f57f8

SHA1
3192806f3bbbb5a23010532fec0a1e664946eca0

SHA256
1419188ea239295152b20ddc2465e780dd2e7b70fe32dc1dc85487c68b0c5b60

SHA512
a7289ccafd851d5b45430c10fa4eb2fa1dd9d2a1853cbcb762343bacbefd767c2bd2a49a9975a81b369cb249076ead6d7ee0d0be7f0a94b18ddce5a68a7ee716

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
704KB

MD5
73e86f697a6a3a3eb36052edcc9ce05f

SHA1
907586d8c32c40503164edb37e8fec3074f63d81

SHA256
3e20fe2d1bcf0aa0f1a241ad31a66b881fb3c16e2c6d6db6965ba4368e5713b1

SHA512
6ff3354bcff6506c537c2072330e1630de81f3ca43abac726257577b49144f8dbc7ef50bb8f4d3e1adecc71f220ed892a6f1b9066e50ecc16845cd032529e996

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
704KB

MD5
d7dbe3ee67bbeed654e9f252d5772e07

SHA1
8da1d866429c714a9913c8556a199971e729a5b2

SHA256
43bb3bc8b6f27212eb76d0e9b82ab5009818f19bf5d8f5c5d452135e3b568722

SHA512
de450f8346f8b0f6c6fbae3c927a4de64d6633ab1f3627fe101784430dfe4b4bf9cd017867bae7b32b039181481ac1673bcc84fe798fab1fc2aaf24ef3f91230

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
704KB

MD5
36114c62ee945368c7c706500bb2b08d

SHA1
8aa22e4555be82665217454528d448fc27ae49cc

SHA256
0b8d73f15e442278af3cfeb0fc611869ab2f254cec158ae1b589d81718b88669

SHA512
dae58fb53e0f690f5fc60ecad6d7ddd6ad821199a0b8aeb36502f4a8cb717dc0f4f81c676d93561ed91dccf41c1ec60db9a0fe574732b5f895834a8e77f9f932

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
704KB

MD5
90d16d33a718193fc7ced18d43c6a43f

SHA1
16b36ddac844cefb57837083b4b1e25798dfdef9

SHA256
cfb520b09138f33f9216c6ba3ac9f3b604b15ed1a80967eec0a351db566b864e

SHA512
51218e07ffadae49ed23590836c1da3a55380cd3a58dbad72c2819a0b668b9693cabbdff34f1dbcba7e82eb1489b472c504813098b9baaaca588049bb802ce68

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
704KB

MD5
5418d9c7f850c9b48a80e7ac608dc478

SHA1
9c3db4b2729fcfe35bdc1a61ad53ab952a73439e

SHA256
7e7d9bfe64188b44e9434e1559b47f746d54263044626704de43d8ced7e7e2d1

SHA512
e19ff4883d027481bab5e99d5886fb103ab1cb800ce7ad591f77253a846eef98a39d7ceb593bf9b3dea26488068e7adf595f27f036e8b11c0e8e5040692e574d

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
704KB

MD5
761bc77f347b0b6478a1fc584912219e

SHA1
8c41995689ef2da8c2ed142d0a562d3dd49be5cd

SHA256
626fa7f8625ae356ccdc99aca7f0cd32c74ec1b194b99a73759e9d875702c5a6

SHA512
f86fbea9318f68386dbd0296e8fbcda2e1b21cfc971a6fd9a33927e7f4ecbe20e06ee03ef6b21132377b2b2374fc162e1973141c29bd64c7788518f7f54f3df7

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
704KB

MD5
9f552c46a8871af59e71d8fb08ec46e8

SHA1
e8975e9cf7dbb3b6adbd2b3547a6ba2923d28181

SHA256
43c1b85f25af9193dcff31e35d002f26965cec3a16f4c8971acf026b9163737f

SHA512
15f93be35044c3f8c72fa883168ef2fbe6239ce010111bbe252a5fdbb558144ba50049251ca8ca6c179710f627187970db952e6d4c7dab4aae5e9c18874eaa21

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
704KB

MD5
3e02f0c6291431e6140ea9c444ab9bbe

SHA1
3a109f79cc57ec507a3cf3db5154d5f96ddd6361

SHA256
375ea6d43bf9b6a4a8451e40333f2b7462a7cdca6bda9806dadadd9adade3455

SHA512
c77f8b69d563f9eb3d783bcf23f4e61eab43bccac6887bda6c36ea30cd69567f0042c19f64c11de96167a6bb15885936e0b54b59223994fd6563c2c9ed9cf8e4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
704KB

MD5
b0f512eff3d1d4ef4405402459bb78e3

SHA1
5d241b61d6ebff80963b874d838987786e2e1eaf

SHA256
e5683b4cec9297c67547138a5e46cb989a152f3aca8b32b703fd2675e9a5c937

SHA512
7002f794ff54a016a0f7d21fe1f98c683751006ae3b8e5189452141a902e03a383fb8fa1703e8ad89ac377fe7eb63d2b7105b2452dd166ce9d9a85232ff1502e

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
704KB

MD5
aefedc791ca6ce338907cfb2f9416f1e

SHA1
5d7fbd5b5cfea4e2abc9ea66498bb8f03e29c593

SHA256
014d9c3eb7c14f9dfcd143438cfd979684b012f72458f5d32306e75096c1688f

SHA512
36624a42b98caf26be492a48a2c459541d478724843a2074227bd45f663eb48feb612d2137a00ce00987cfe3ef46ec8e969df06c44349f693fe6c0ac87388074

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
704KB

MD5
431baa61bc7781f2d8d9736e859c558f

SHA1
72d216eb6a291ce5a29495a2ac688f3d2c9a2cf3

SHA256
1f2d39c8f0d950505a64c9b866533d6706e7f3fc15366530cce8d5b826c0a3bf

SHA512
b23a92a5c0c338f64f077e3f2c62e4e8f89be660ac4b8ac74b677ad55c6467d4508359a5516397e7b501537a6c84e1c9ba42d1815dfae182e8adc45f28d0f8db

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
576KB

MD5
55bc1a763263a51a7286c7868ea8dcaf

SHA1
d369fdd298fe5b3800529e11bd2949b3f9e3c8f8

SHA256
356445dd5c9076b0b6a4f221e11a459080ddfd8bcdc0fccad85268a704af4368

SHA512
ff087ad74fb7d6112044719d3c28a44a3705aaf3084c8e9d3cd7716f5552d89d21d2a010263daf09fa333395be40849bcc7d6637cf3afeca97d69c6624580416

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
704KB

MD5
6ed717852bcb7b777cde2494b9785d75

SHA1
acbe49b73c3d19d9b855eb6bd31623fb9d6434a3

SHA256
4eb43370dca8482355af5cb434130394740ad34ecc2e1217f470d31aed897ff9

SHA512
a5df1fce1074f52f3b281cf5d701da1a02cb8ed0ca395fe6d099bb7c7e025456329240225b0473005002ac9440294b346683b2c7ac22ef82c5294c66c1f0616e

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
704KB

MD5
14b900cc0edf85e59c1fb08020cb6898

SHA1
6d1c136b25784961301d8fbcf040464b6087d53b

SHA256
0336e2e04c89721fdf3f8b5aacd43f4a465828ae11b3a19cbb4be6d868aa70d9

SHA512
e1c55fc549a9800ab6f1bb5034ffc019768848ea57700f23338dd4394df5e842492defb3a3c757e5da7c7c47cbacbdec156285cc9f6829c6c83b23c51883b551

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
704KB

MD5
447a789ef1f6b886dfd4ac38f89e11da

SHA1
90986d19c133eddee01fe8876d00a46487cde328

SHA256
5c3ec39f8d54c6d63b3822464692e1fc3e8e780b9d367cdb0e4ad4a3e04b1d1b

SHA512
653f0f9d022a8c687c975d549c91e51675401ad5b8cf9c432cd1881020003ff2e9f1e4944ded6d7febd2253c660dd81b334f7528bf9e0b8b0d2f1ddfe3794f5d

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
704KB

MD5
dbb428d07edf7de7ab25cd100ad77677

SHA1
b807299c8ce95205e04664da38c40fc0cffdff80

SHA256
4d7b2eb8a9e796ed4ad9d1c848af663b6a6f69faa1b058dfad05c43ed986b5d4

SHA512
e46695ea30c8b93a9be722f5c1d6ddc8eb0a416aa13eb72d0e21d53d142a3880324589a49ade39756f27dd40a1c3740722de41a541875a720765e03024d89bb5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
704KB

MD5
9083db862df80bc45523a3a7e4318128

SHA1
c3f328a0de0a91abfffe6b0b5b70d03fc92a4911

SHA256
b14b6fb0ce94558de530b729763643854650a4713faeaeea2c189fb61a1ab6ca

SHA512
1bdc6f164dc908c7b1780a5fb504cc67836622f668fdc8f5b2d3ff347e84776d0cb3d6759f5c113df7beb777f8c770ad967f0e9059804b55786e061275fdb10a

Download Submit
memory/8-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/208-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/208-250-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-197-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-390-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1020-377-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1172-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1172-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1232-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1240-405-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1324-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1324-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1468-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1788-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1952-299-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1952-215-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-411-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-342-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-251-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2032-327-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2044-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2104-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-391-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2456-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2456-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2656-107-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-187-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-98-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-133-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2792-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2888-115-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2924-307-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2924-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3036-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3036-206-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3060-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3060-306-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3196-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3196-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3728-384-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3980-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4000-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4244-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4316-369-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4324-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4344-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4344-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-348-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4584-341-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4584-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-335-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4676-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4736-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4736-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4784-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4784-334-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4848-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-142-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4932-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4964-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4968-397-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4968-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4992-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4992-383-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5036-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5036-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5068-363-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5096-349-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5100-243-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5100-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads