berbew | b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
Size

55KB
MD5

2c6ec193ca9c7f009a52ec2da8c01a80
SHA1

23b07138cd09ec77f8626e3456530faa49fccb18
SHA256

b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581
SHA512

a768bebbe62a206531250238be2e1a7f81a7e4ff9606380b40b9af9e0d6f4a0694da80d6406b1d28ea9f7678c76a405dfb59ad43fb1dbc630f2915c0aa45b916
SSDEEP

1536:k3+SoG0wyORYX43xzj184T/QAPYS22L+d:kOSoG0wy58xV84T35o

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2124	Ndhmhh32.exe
212	Nfjjppmm.exe
2372	Nnqbanmo.exe
4308	Odkjng32.exe
3752	Oflgep32.exe
4876	Opakbi32.exe
3232	Ocpgod32.exe
2680	Ojjolnaq.exe
4360	Olhlhjpd.exe
2460	Ognpebpj.exe
1200	Olkhmi32.exe
4032	Ofcmfodb.exe
3716	Onjegled.exe
1728	Oqhacgdh.exe
4208	Ocgmpccl.exe
3320	Ojaelm32.exe
3520	Pmoahijl.exe
4268	Pdfjifjo.exe
3944	Pgefeajb.exe
1888	Pjcbbmif.exe
1972	Pdifoehl.exe
3888	Pggbkagp.exe
4412	Pjeoglgc.exe
3756	Pnakhkol.exe
1452	Pqpgdfnp.exe
856	Pjhlml32.exe
908	Pqbdjfln.exe
3056	Pnfdcjkg.exe
4356	Pdpmpdbd.exe
1820	Pgnilpah.exe
920	Pjmehkqk.exe
2288	Qqfmde32.exe
3136	Qgqeappe.exe
1512	Qjoankoi.exe
1732	Qmmnjfnl.exe
1444	Qcgffqei.exe
5080	Qffbbldm.exe
3736	Ampkof32.exe
4632	Aqkgpedc.exe
620	Afhohlbj.exe
3992	Anogiicl.exe
4496	Aqncedbp.exe
4636	Aeiofcji.exe
380	Ajfhnjhq.exe
2112	Amddjegd.exe
876	Aqppkd32.exe
2060	Agjhgngj.exe
5056	Andqdh32.exe
468	Aabmqd32.exe
3272	Acqimo32.exe
1468	Ajkaii32.exe
3236	Aminee32.exe
1496	Accfbokl.exe
4616	Bjmnoi32.exe
4836	Bmkjkd32.exe
64	Bcebhoii.exe
3400	Bfdodjhm.exe
4916	Bchomn32.exe
4232	Bjagjhnc.exe
2968	Beglgani.exe
1136	Bgehcmmm.exe
1908	Bnpppgdj.exe
1276	Bclhhnca.exe
3104	Bjfaeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pmoahijl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3728	1204	WerFault.exe	180

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2124	2088	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe	82
PID 2088 wrote to memory of 2124	2088	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe	82
PID 2088 wrote to memory of 2124	2088	b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe	82
PID 2124 wrote to memory of 212	2124	Ndhmhh32.exe	83
PID 2124 wrote to memory of 212	2124	Ndhmhh32.exe	83
PID 2124 wrote to memory of 212	2124	Ndhmhh32.exe	83
PID 212 wrote to memory of 2372	212	Nfjjppmm.exe	84
PID 212 wrote to memory of 2372	212	Nfjjppmm.exe	84
PID 212 wrote to memory of 2372	212	Nfjjppmm.exe	84
PID 2372 wrote to memory of 4308	2372	Nnqbanmo.exe	85
PID 2372 wrote to memory of 4308	2372	Nnqbanmo.exe	85
PID 2372 wrote to memory of 4308	2372	Nnqbanmo.exe	85
PID 4308 wrote to memory of 3752	4308	Odkjng32.exe	86
PID 4308 wrote to memory of 3752	4308	Odkjng32.exe	86
PID 4308 wrote to memory of 3752	4308	Odkjng32.exe	86
PID 3752 wrote to memory of 4876	3752	Oflgep32.exe	87
PID 3752 wrote to memory of 4876	3752	Oflgep32.exe	87
PID 3752 wrote to memory of 4876	3752	Oflgep32.exe	87
PID 4876 wrote to memory of 3232	4876	Opakbi32.exe	88
PID 4876 wrote to memory of 3232	4876	Opakbi32.exe	88
PID 4876 wrote to memory of 3232	4876	Opakbi32.exe	88
PID 3232 wrote to memory of 2680	3232	Ocpgod32.exe	89
PID 3232 wrote to memory of 2680	3232	Ocpgod32.exe	89
PID 3232 wrote to memory of 2680	3232	Ocpgod32.exe	89
PID 2680 wrote to memory of 4360	2680	Ojjolnaq.exe	90
PID 2680 wrote to memory of 4360	2680	Ojjolnaq.exe	90
PID 2680 wrote to memory of 4360	2680	Ojjolnaq.exe	90
PID 4360 wrote to memory of 2460	4360	Olhlhjpd.exe	91
PID 4360 wrote to memory of 2460	4360	Olhlhjpd.exe	91
PID 4360 wrote to memory of 2460	4360	Olhlhjpd.exe	91
PID 2460 wrote to memory of 1200	2460	Ognpebpj.exe	92
PID 2460 wrote to memory of 1200	2460	Ognpebpj.exe	92
PID 2460 wrote to memory of 1200	2460	Ognpebpj.exe	92
PID 1200 wrote to memory of 4032	1200	Olkhmi32.exe	93
PID 1200 wrote to memory of 4032	1200	Olkhmi32.exe	93
PID 1200 wrote to memory of 4032	1200	Olkhmi32.exe	93
PID 4032 wrote to memory of 3716	4032	Ofcmfodb.exe	94
PID 4032 wrote to memory of 3716	4032	Ofcmfodb.exe	94
PID 4032 wrote to memory of 3716	4032	Ofcmfodb.exe	94
PID 3716 wrote to memory of 1728	3716	Onjegled.exe	95
PID 3716 wrote to memory of 1728	3716	Onjegled.exe	95
PID 3716 wrote to memory of 1728	3716	Onjegled.exe	95
PID 1728 wrote to memory of 4208	1728	Oqhacgdh.exe	96
PID 1728 wrote to memory of 4208	1728	Oqhacgdh.exe	96
PID 1728 wrote to memory of 4208	1728	Oqhacgdh.exe	96
PID 4208 wrote to memory of 3320	4208	Ocgmpccl.exe	97
PID 4208 wrote to memory of 3320	4208	Ocgmpccl.exe	97
PID 4208 wrote to memory of 3320	4208	Ocgmpccl.exe	97
PID 3320 wrote to memory of 3520	3320	Ojaelm32.exe	98
PID 3320 wrote to memory of 3520	3320	Ojaelm32.exe	98
PID 3320 wrote to memory of 3520	3320	Ojaelm32.exe	98
PID 3520 wrote to memory of 4268	3520	Pmoahijl.exe	99
PID 3520 wrote to memory of 4268	3520	Pmoahijl.exe	99
PID 3520 wrote to memory of 4268	3520	Pmoahijl.exe	99
PID 4268 wrote to memory of 3944	4268	Pdfjifjo.exe	100
PID 4268 wrote to memory of 3944	4268	Pdfjifjo.exe	100
PID 4268 wrote to memory of 3944	4268	Pdfjifjo.exe	100
PID 3944 wrote to memory of 1888	3944	Pgefeajb.exe	101
PID 3944 wrote to memory of 1888	3944	Pgefeajb.exe	101
PID 3944 wrote to memory of 1888	3944	Pgefeajb.exe	101
PID 1888 wrote to memory of 1972	1888	Pjcbbmif.exe	102
PID 1888 wrote to memory of 1972	1888	Pjcbbmif.exe	102
PID 1888 wrote to memory of 1972	1888	Pjcbbmif.exe	102
PID 1972 wrote to memory of 3888	1972	Pdifoehl.exe	103

C:\Users\Admin\AppData\Local\Temp\b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe
"C:\Users\Admin\AppData\Local\Temp\b697aef12ed1d257b9c78fd8c6a9073f508b705b0058fabd25aedadf6c538581N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
      - C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        37⤵
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5080
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4632
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:456
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        80⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        85⤵
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        87⤵
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        91⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        93⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1140
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        100⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 216
        101⤵
        Program crash
        
        PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1204 -ip 1204
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
55KB

MD5
1cd75107ffa894746597b87a019281a4

SHA1
25bda1b4c4a56e7df2077ec9d913503d4158313d

SHA256
e7bd4ccd9f9215d03f476afa1a7e35366850e2b601462c8405ac8950ae5a30ad

SHA512
ce53e7476701d8b4d5130700f9d02f771ee6b25fa92858184846ad30a063900a76c6f5a30260f321a1718b5b6bb68439f12d0dbb339b0205fd539c56cdce72b0

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
55KB

MD5
8873669ad45a1183ace5f83b624736b2

SHA1
881e66a332dc46394ea822aeb67e632241624768

SHA256
459e7f7af25b6dbbec8f62b5ae1ef910412eb89aa367d13906651b4a101151c3

SHA512
9d4dabd0f4d9a7b9ab9d4d7c836fbdfdc781f9cf51cb02d7366a99cc91f20fd65f79d696c0b664cd03d5164b9c6fba40ead9f0989fcd67112edeac0e326bca26

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
55KB

MD5
c267d2c69a1631a7beed189f18c9ea18

SHA1
11b37e2cf4d8fb96794d8a15c6cda52c966820d7

SHA256
784911553c62f964f009a2c31121a6ef00195dcaa818f460d3878633725851fa

SHA512
88044e2569e30f07cfcfa13753dee9539f8352935f254adf2612c02a0c322960bb632d96761d59476fa4dacd4176a7e9d1d12d7ab953d6270abeeb407279f210

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
55KB

MD5
1268481db43c7d80e6ccb3d58f23d2e4

SHA1
a900928ed42f1b9b80d6985cdc858a44fe0be9a7

SHA256
bca8a22866c2ef4db37407f7ba74151b2a6c0c1f73689f34647ae446013cd983

SHA512
a5ac7aa90872ffbe035a673fd9121b6529473b005f7636c752511f6725fd10915f047bf9b352e015b8d4e9a770324317828b7b3a685502c5d86351569e53ff35

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
e2160a96054bb70d9686e7a5326ad15d

SHA1
947b72b6cdfcb5a30388199f9e0091255ac6712a

SHA256
52dd14a43fc8ecb7eb1b76806f21811b0cddea687657d640e784c8cb4e342321

SHA512
ef07aa37dd801e94ccfd3f9476264b03b5ee5ad4778a8b1c34e376fb8b2ebdcb04be69522a50525fd7ff0cd6c00e0169ca15b0002a8447ec5847539f11fb8238

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
55KB

MD5
7237182842d04bb7a110a1aa6523c62a

SHA1
5a91285a89cd662d475865752acbea6fdbc3f18c

SHA256
118ac845e33e3b0aed744c419acab121ce59123fd72ad166ad70ac81887c20be

SHA512
6fbeba7b6e1c79aeef581e428163f588a1219f72a5f10bb1850de4116d00776074e62b14095d27ac73c965090f11fec7d77d2aed5ec05180f867ec1469738df0

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
55KB

MD5
834d49dd369e906a8b9be90644882bd7

SHA1
805c4f1857f6086b16b2716fed50d66954e42718

SHA256
59506f8089b85e6978e60fae690a44292ce29f3f406a8d5d666a25f988173bc6

SHA512
84c7c3ac3d1f66ddb38da099ed8ae9a12427e43e06b2a337f96cd25bcce4736002e8eb44ea277b99b33dc5d7ed5d7fb2059feedddfb3d52e1c0fbda622d99b5c

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
55KB

MD5
83504455f2823d8d2a8a6fe3b69361a2

SHA1
f78792036f8a1e2d8ae39043fb5251617aeb95d6

SHA256
ef174b5516e7de4b6d133e8fb814c6a7f1c5fe8dfc20f260b02d6da9c9ccfb08

SHA512
dd2777ac058cc779e3385adb709c2a281bec8ab36af9bda35034d56feaf74b2b0e8652e8fc58545dd8bd13bdae39570b69288c1b042745e4407cdb51ec64a483

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
55KB

MD5
26bfc33e94eadd111cc464f74d138aa4

SHA1
51fd6ae5b55e983c00b9dfcccec01aab8ef14fc5

SHA256
f5a269e6f3797aca02fcfc6ee88714ed2415e64da1225b9027857294782aae1e

SHA512
5c0a11272d6436d2bf904d3f8535a3fcd6f8e99fabaf49a1e9a65143c41507053f452080988f595177d8b17507d5346b319828e1acee69f041ce002b7010501b

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
55KB

MD5
e0990b42f83df468e2b47964c259593b

SHA1
788dba537d610c979c2e5c970f342f3bbd4c2bee

SHA256
7643790fdc31b92f296b9673fbedb68d8897e680db4c5c01104fe42d910d0857

SHA512
209cfcce45e2cfdbc2c6906f467e586680560b870a37fe260bd2eab1df4ac213bf151a0839422f735a0eb48fdb49be368155e68e9e83a34ba08a856eb0ffdf2c

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
55KB

MD5
8bae733f8e1777ff8effed6167175ece

SHA1
096121db628a2750ee7074dd79820a8478e96af0

SHA256
fa308b6c8e47167e6087ae27fd0fc26796a87037bbf520934c97137c4ea4abd2

SHA512
7c6737e24e56766ff2e25a22e4e42511550bd51f6620639d138308e4e9709a38eb77a92c2697bf7a0e533e604b54caaa4810f6232a19679e157bcc36210148a0

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
55KB

MD5
585664e02ed903639fb46bf1bad6df01

SHA1
59f9a17ff06bf760b197cc335af2b27de70656b6

SHA256
5ab507d7a0d4d1f5f4493ba620b815f91a7bc2e1ea125e9fa6499dbd1b9675b7

SHA512
5c05921ec4ad85e538bf7269bf996c39c3608b6ff44f57c2f82fbe37baa0d491ac28af5e5e612634c1cee933f221399a4041b3805a80aad9b302f50b3f27b050

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
55KB

MD5
67ff76e526b5c3b1570d1e802ae56507

SHA1
6c627310c9ba9560f7512f52b39fcbd00858c8d1

SHA256
3124570292fc36898c793c57f22b4e793f8f1000f8e82bd7934ab9da9224c558

SHA512
48cc9fc8ec9a39c630b46977679071797f66803a3f32ec508b03156967caeeb7fccd08a65adb7f87f8caafabac0c2599067b24bdb35b02e41d808fc8f5f0aa13

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
55KB

MD5
4fe89fba2c4232b49907ba38707c7594

SHA1
fa80d9f0a535ef6cb9ab77191a4548c63a8eda20

SHA256
64d78bc2b396559d53d04fc7836510c7184139359483e492bc6159fe7afd5e14

SHA512
52ced159d2be5429bb45b15b813ca77f45a26c9855fb71c0ee5be7f6969c3c46b43adf67750c0f38499231387d8672ac3a4f7505bed18df59bbe45478bb0c47e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
55KB

MD5
15b2e901c7cb4675eeefbed0f305ee8a

SHA1
cd43df218da3e8b8e96a66e52f873d686e382347

SHA256
a0b443f8525c11de26db409ab3628a34b04cff675c51b250a0fcfc96e58a5cc5

SHA512
d80b031d586a3048fc743d2ab8c86fc906ceae354952ab772248b173e64d668e30ec95f987dbd585b9f3b1509d185d0c8f59940d90068ee7b4e04c4cf8eddbf0

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
55KB

MD5
580c552ae170aebecbab948fa58c3fc7

SHA1
4219b8ca05f65ce131e4e6d8ded45be53e53b002

SHA256
ac883b39ec620837290db5ee03c5aa264eaad88604d10cccc57f3f4fe408c5a8

SHA512
4ce5b8c5a3844c4dbb135c9ed35e1c22540d4be21bf1535926467bfd2291ea0899ed99cde042d81ef78ae803cf03acea815b8778de236c76fc7c4d706c227e83

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
55KB

MD5
156cac33b35701783ba27bc940cc6e3d

SHA1
93e7dd76037292e9a350db950da2c45589cb58ce

SHA256
ea7e684733f2b9b090c2ba2f91416d73288155867e194b504a98bdbbd2d19037

SHA512
8322dae225960a798fb8a181841a86ec101129fe1939c841f5fa91082e746ffd4dcfa49c66b61f7117efa7bb0af38ba0ef63da02d9d2a523d41d557e532406e4

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
55KB

MD5
8552e0f0cc049187fc162005428847ff

SHA1
dbed5627baca80b2e32b623628623df0ad5a10af

SHA256
bee380419e9b0e6c3af7e23df967f6d995df4ba37a93b5126faf015aa9f7e72c

SHA512
392e984766fb2de294ce915b6422c5037b345f49b4a556f993d490cd1dd0c0dd2a84ce9b570425395dd4b6fe21bfb4f921bc95bbbda30b7b7f9a9d119a2c0642

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
55KB

MD5
5ebca238db421da13c34d81c942d37e8

SHA1
e06818357542c898b73bcb34fb2a2480c8b4f175

SHA256
d7b0c65770b213c97bff8dac536d52468798413fc1640ffa6a603360f148619b

SHA512
72cc9d71b17daa008592b5c2be6d7972bc661a8fd07155f3a9216432a0f813dd735d81d5c390fa824c0e70ecf13ddb7c7a1a234d06b0bebadc1d033dafd406af

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
55KB

MD5
fd69b9a24660ef87fee5e6444e0bdf13

SHA1
b5ac0324c2da903df0a06ba8e4787008d96306c1

SHA256
6c88e04bd83fa3e273153fc4fc8965fca0e7acce2894866c24746a252d0168e4

SHA512
7f4e6ecb8bd3e157ce750ea53886669bff910889057f21d6aab8db7ed1ac69d6588f49019e58362d2db82570d350ebfd53972f6eafe22fb7e8c3113c99bf23af

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
55KB

MD5
cf019dbb3788eeb57d9153c7fc7d9f2a

SHA1
490c5f84fc092696208a382507c6999c72defb10

SHA256
36d962df5b40bd64f132c890e8489ee51d802719898cd39dc0f2165f223f352b

SHA512
64b3efee3aa697ecb038757c81fd9c1636b5b6d95d093e8fad3f54cf8274f2219c2395784e7d8ea3196c499bb8249500c610a6ff47e47be80e68e826de3a3185

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
55KB

MD5
7c7c6dea60f33e54e9cfa30228f99079

SHA1
db64e98dd63d192ff39ea56c5af264649e6097ca

SHA256
37ec8f2f041d23fc26e01240698a2b3c416d2fb962c2dd020e001d8e6f1798d4

SHA512
12143b1d59e72b526ba4e1275ea960cfe309b91a75612acbef78c867ad2e9f648ab15f2cb172f5d21cd88ed1a41b1564bd8bcb4761bb494a2d9e1f004d5a50d6

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
55KB

MD5
3297a829122b8d7d88dbbb2586c76045

SHA1
b34a69872a89350e2b6640234fc76b0da745a081

SHA256
ace1041cafcad96cc5da6af4359df15ae7035233c0a5a948734957a93b13d3b4

SHA512
37ca8ff92b2df773ce9b470bd6fcefaa965e3cc424d2d916c46cb77b5df7e337073d52ada835e8b6aaea0407c3532aeae7f0ba5cf2e1f0eed3e3e6ffb7293dea

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
55KB

MD5
a1c764d0ce2bb14219d88a2ce60fd473

SHA1
4f5d893b92f6cb88997f385023ca3d4db1e926f8

SHA256
479f9c8048f925e670a2fe2091ee7ffd20a4c05162e42163f9b1479a3ab30df6

SHA512
581faa0a832e82a604db9f9d673528fe601df91c25a93d3e8e64b009b93d5c45f5e652db5db2d06c49afc47f3ac103b781bac70a54243abd110128596424ca9b

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
55KB

MD5
0f89fb3152faac67ac48eaaa604a0d5c

SHA1
b8c7e0f55cb8c00e980331a3d86c5437bbe13d20

SHA256
7f2025beee423932f3a83d224e8e53e378a8e1432a2979a9e6ddea0649a4e1dc

SHA512
3deb4aff0b7577eedb85c64cc43e461e8b698e605b6f0282d84e309c1a10e74cc95174b8d3722b35a2037db0518aaef594e71ff88a837ef74746e0f1ccfede96

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
55KB

MD5
9f9c91a57bc9d93934a3c314f377fbc4

SHA1
ba52fb867bd943edb60907121dc4202b3dad32b2

SHA256
c919be7efd3721e263483159904c6bd2e816a6f952df1dba6bd6338adc8079a6

SHA512
26432135ba2e6b64dd4bfb56fe38322aa10d5600de55068f234c0d3948738244b5560ee1d6585051b255a804b45ed68eb6bfda46f3c02b01aec76fdb196d847c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
55KB

MD5
0992b173701e6fef647f967ccc9e751e

SHA1
1c751fd60ab72109b39fc1c572743571f563e6d6

SHA256
b9bc44918e435ce6a5679f6f42985a99d175c8f2fcbda439955c93203b786d35

SHA512
d6ffc4bb59e18bb90af2073dd822ce5a7fa55616a203263e5512aef5ac31255d657dcf797bd841166cc1979057c1ceef5d9290cec47bdc132f06f37d1a404f29

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
55KB

MD5
24d5b0953c6744309f397fbd691b3079

SHA1
1c14dc53dc78caee6f97ef2c1d2b58f1f0512946

SHA256
5383a2b6037fe9382f49719351fb4627b0c4f26c386b00d693e173edb47a8483

SHA512
625510e74d072130616e1cb47c234eb9dde4fa62392dc8ec0ac8f81c3c2020eafbaaa05ce87678fb37556a559b6c91ec921641d0107b3e99019516e1b7edd0d9

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
55KB

MD5
fa1eaa1fb195a765359924f9fd41a432

SHA1
041175e5f93a093802515fdb22abb2295943872b

SHA256
70829e9b8b323210bac14b1aef3377126c5589c0ab9a14c88f6c1b35ce5412cd

SHA512
1cf541a8b6980857a8595c42ef06773dcec367ed7902bdae89bbb6aee89bedd9bc8a95a18e86ffd66c9e5935798af0eacf848afa4d9cbd7cf709aaafa173fb2f

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
55KB

MD5
5781d435409474bcf6dc4d3b5c356fb7

SHA1
4d9be22d7428283106d730abc2d6c536a0dc41bf

SHA256
804842429df8a460786d0ce9edccf9d237f2c8b815407af24618fbe400766f03

SHA512
b65bfb6c119b6a13ad3a29ef5153f3789c769ebd76d39c2ffa7a27d2d3e28431ba6103b44976b372884f7f2804ba47a71f8c978649acbf7f5286950553e08930

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
55KB

MD5
6583b37a7572e9859918bcb4f22437ed

SHA1
30868add44a629a0f8086e9a37188260e6e87984

SHA256
3c35fbbc9617e36be7c7535dd76e6ca82a09d584ffa0c651fe1150e7ad85e55d

SHA512
ee29ce85e993d9171a039d29dc44a377c1479b3b76a1f2b337b680f5222a82b81e895d27520c6eef2198f02cb46a43ae775da6fb551ba85c53649d835a9dc64f

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
55KB

MD5
76fc3062a1c03d1e02b07fc520c22aab

SHA1
a796f753744f56407f580b4b9f81a1008ed41641

SHA256
20d19496dc83e75871bbc0ac4112ec34efbfb9f3ac5e80256a2833ee7c60e96c

SHA512
10130071c9595af0396ba8d0512aa852c8d41dbd4f173a9d446a2ea140c7988ff74e441db71bdb39005b0c14ac96d1a105331cf006ea6c5bbbad46cbf4681f39

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
55KB

MD5
1edbf48287bd5ab027abadae65854bd3

SHA1
385241cd8e37f2d89ced285442472d80607a01d1

SHA256
0beb3aee9960b9a5699c6f2bb94a56a5c707d022cb8bbf060c29bc2037bd2fab

SHA512
d211e0656836ed19c3f70a3af2fea2f20d1d1a5e6f1cbb74a13952644bf051e8f2d5188c4a144b5de2fb4ba185e384c3f3a12e716b40fcbb2a886f7439d31d14

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
55KB

MD5
62f13679c7cd1cc2836901ee3d9cd6f7

SHA1
90dd5ceabd93fcdc8768270330220e646111105f

SHA256
87e5bf8564845edab722f07a822ea0208a772fd6fbed6c3c4f7ad82a6d7a3ac1

SHA512
597e9011853fd72b478097860b43b9b75b6d00d3e709b9766aafc3e7e6e7eb6422dc882686cdffe17c612df3e25192b5af8e742f3e4dceafe9247f2f743af9fa

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
55KB

MD5
fb16b95320de7674422e0b13dab403df

SHA1
458018aca84e227a25442f910395ef7f789fb657

SHA256
503e96549ed8b67f0228c1a961f57ca4c93f6f61279230e6d9a9380d395936b8

SHA512
271bf42d780ed280213e2390e8ed401d6b3ef601d094c30692bf2723b6a10146b8e7f95a2dfba625f011a99e33b3972d3217d2fc200f0af20ab29d4847a8ff9c

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
55KB

MD5
0d16a787be05ed5b7b90cbf6b9b2049d

SHA1
f9b1a152efc7dd5d82ed0d0e1db43eab12bb5f0c

SHA256
87d43ce3df3eab9cd02aca3dd5e1e163a391dce07124b04f5fd431ee3eadad78

SHA512
0ca72fd4d56de0c76ee45d48a50305f47705f6ea496530ed4652d238c074a5bb35469740fc0caf645c411353dcebebe8854807b5002bd50f22b5b12b5afba1eb

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
55KB

MD5
737ee4a76beb7d6374e34fdee4403d2a

SHA1
58e9da18f7dede31b8a3696c954c82d4bbbad72a

SHA256
286da9c2a379d4f63817a80000c6bcaacb33338fc461939b04e3722d75752a9e

SHA512
fc87fcd1c7111b0816dfc8cbd2b91e991a1e129ea474a6bce9e8930d4efc4efdf6cb96bf6d7741f1c53a0aec8651777a86e8fbed618467c93a8705b082c92560

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
55KB

MD5
49f1fe3ffea91b90d4765ace744708ae

SHA1
e63b95683b1a62459d13c8bd3be31137e6180ce7

SHA256
c9b478c5b2013e67ab70a4adc0bdd100035e80dd7329fe5a40f3f56cefb677c0

SHA512
fbf681151ca3fb7f827f41508633a5e595a0f8c2c5100c0640ea2e1f3f7181663d128a862e83ffbc1f2b34dd7900683e2a9c138ff0fcf740a239c07bb1484de3

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
55KB

MD5
809bc984aec0fa87b83b3540143eca27

SHA1
629c28ce1e516efb2c75f77a1b452810b8d8f6e9

SHA256
f599543eb9771c332ba02db3db11db843dfe023498a8a3f61e234cad3beb712b

SHA512
1af163e0f8837c129c2bf1a0bb1fdfd5b8d6620b9b57d82102827ad44f3e22cc71f20bbb51bc1f69ee61abc0e29ea3df8d1c7212638d16e0cfef8c1948089aec

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
55KB

MD5
8b209de196be6a520d18bcecb63b6430

SHA1
6d46869ac42b957225ed707cc915521b4ca5666d

SHA256
5bca6c1233ba9d9aed07e89ce71fe357fd6c46937021782fb9f61b4fcc21a5f8

SHA512
76909923ffacb19d660c5061331f463da5ac3f67d0ee7d98761f69664355a2e353fa402e8abaa834f4d12d6d48e5742f9dc3debb2edc51fe52780362def0c2b5

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
55KB

MD5
207f2eb6a6dd5daa6e60e9520ec9a225

SHA1
85dd99960dd2f8ab6e6551cfaa3b2efb0d63b41a

SHA256
30789da4a4da9d9295e857689459a4d4cbb00cbf4ff9f7cc58e6d2328fb244af

SHA512
2d9904641fca989e4c76b02b9d6ec087aa71ddf8e061986106876893eb56cf33bf8f2d8811acdf9c8671e4b57815416e785108b5742cad6743ab22880327d921

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
55KB

MD5
d86c0d7adeee64733db7e411b50a5959

SHA1
03aab150e34233e96be978302b55266f2df85b1e

SHA256
0bbdb57cb17259e95930bd096ae01c6e3dab3730ea2e72f0107611fe68a3eda4

SHA512
101894db95748126c69e790579135fd24f207e245e95cfff59d4efbb030a2b5e73f1409b7bbd5654984d47e289552f0a50406331409714a1d40bdc69c354a1db

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
55KB

MD5
f5914c652dfbbdac5b11005b682d7e4e

SHA1
0cba0b5ea0755b0e8d981267d635c90cefb97b00

SHA256
1937e8b6111f6c70b7e01b5e96cdce484cdad54dac81cf6f1c6b3b7d36a9f972

SHA512
8e12af2dbdfe08c4f7cbe6dfe31bf5fdc3c7ce942c5daa7be4c7ca10b071c1ba43c4d164c5f96d39d080d89ac398e644f8d76347c5f089ad25fab20c4e992319

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
55KB

MD5
51e5054a613bfcf23bcd5af39ea1deee

SHA1
9e810eb4449cae0df66d014ef8a00ccec840f03d

SHA256
606fce1b253765f7db607a941cf1cfeafcecd9202699e4c56438f3581ed3e587

SHA512
4ffbdc8bb8ad736ad650d76a54f6541908a704bf6cc04098683efa75b41ed347312f0fda3cb4c08a9a68c122d5ae4d1a96c3906ac68eb4ec23866d9899ccd43d

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
55KB

MD5
81a7d26afc81cf57c0a1a8d9358dc439

SHA1
fd70855b6f9559fac86c978323b7d7f283e341e8

SHA256
a860f6af649cba6c0aa21aa5117d5ff1463a13abce5da49e2c1dd7f238a432fe

SHA512
f65b44a7aab83f3f0abf53d21c1d523c9fe8f357b625dcd59352078f86f7d244703c9809b4d50495dbaec10c6ad876e4b9aab85c54772815a6e934029ea93e5c

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
55KB

MD5
ffd2549790d3d790b475917e9f663460

SHA1
861852c7b7d0f5aaafbd12ff78bda2cbe8561fca

SHA256
9456533bc35c5695c1b055b94c5af4a96f0dd133028c3d7af179bb9039e66342

SHA512
121e150a5fc616cb816968544f1c4fea06bb87126c58168f132b02186a8010e8d9546ba1b88da3cd410c38baadd7d9997bd1641489d326dd8e860f06446e01ef

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
55KB

MD5
e0b46a06f75816f44e57b018e227d712

SHA1
d7794d82449edba1d10eb770a0b74f364ebe25b3

SHA256
6adab2809df811499d21ed47e60526fafc9096b09bf548350467031469d4da93

SHA512
cfe6c78b7ea1b7fa43516698e9472e3be5d78f39df2d96926aca9b435df72aea624ced91f350477e838213ab6fdf948940c0e56093c929d8cd529263141bcac9

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
55KB

MD5
170e4ccb0c4d21c44dd5fcdbb499626e

SHA1
024c3a692fea41dc9ff65ef4ee9bd1024989888b

SHA256
61d9fc503de3ad30e771799d40f5a6173d0c05df9c0c5995f37fa194ad71ae32

SHA512
ef2306d6776af8d6ea0d9d432132b866fcb01f269c57f48e13ffe9a25095977bb892405a644619fe41d1527431098bbd90bc84c9a9748e73f4cf41c0bcf7214d

Download Submit
memory/64-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/456-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/908-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-676-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1512-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2112-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2124-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3104-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3300-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4208-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads