berbew | ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118

Analysis

max time kernel
135s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
Size

96KB
MD5

d8054809d8fbdd647ec9fc65ccd34796
SHA1

c0eff18c26d67ff6d3d0e13e3c21ca77f4d7ba39
SHA256

ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118
SHA512

d1294f5ff59fdda12b70872f360eabff6a777bbe8a58df16419d96331a90e68fb94983c782aebb4295c5a1d6d026442984c30233a28f4624e80fd524246e686d
SSDEEP

1536:PBtc/GmhYa8j34e2rUY1bdSoQpAXi9r589Q3aBH2LD7RZObZUUWaegPYA:PBgG28jR2rn1PIAyg+3aBsDClUUWae

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1724	Olhlhjpd.exe
3628	Ognpebpj.exe
4856	Ojllan32.exe
4684	Oqfdnhfk.exe
3484	Ocdqjceo.exe
1844	Ofcmfodb.exe
4076	Olmeci32.exe
1484	Oddmdf32.exe
2584	Ogbipa32.exe
4540	Ojaelm32.exe
3664	Pmoahijl.exe
4936	Pqknig32.exe
856	Pgefeajb.exe
2388	Pjcbbmif.exe
1092	Pmannhhj.exe
3068	Pdifoehl.exe
880	Pggbkagp.exe
1212	Pnakhkol.exe
3764	Pdkcde32.exe
1032	Pgioqq32.exe
3716	Pjhlml32.exe
4960	Pqbdjfln.exe
2452	Pjjhbl32.exe
512	Pmidog32.exe
1984	Pdpmpdbd.exe
1464	Pgnilpah.exe
2932	Pjmehkqk.exe
2536	Qmkadgpo.exe
3288	Qdbiedpa.exe
4888	Qnjnnj32.exe
4072	Qmmnjfnl.exe
3060	Qcgffqei.exe
540	Qffbbldm.exe
3276	Anmjcieo.exe
1344	Aqkgpedc.exe
3452	Adgbpc32.exe
2368	Ageolo32.exe
2544	Afhohlbj.exe
2852	Ambgef32.exe
5036	Aglemn32.exe
4204	Ajkaii32.exe
1980	Aminee32.exe
3992	Aepefb32.exe
636	Agoabn32.exe
4424	Bnhjohkb.exe
1028	Bagflcje.exe
1664	Bganhm32.exe
4892	Bfdodjhm.exe
2576	Bnkgeg32.exe
832	Baicac32.exe
2316	Bgcknmop.exe
2720	Bffkij32.exe
2476	Bnmcjg32.exe
5040	Balpgb32.exe
1708	Beglgani.exe
4088	Bgehcmmm.exe
1640	Bfhhoi32.exe
4696	Bnpppgdj.exe
2588	Banllbdn.exe
1956	Beihma32.exe
1156	Bhhdil32.exe
1436	Bfkedibe.exe
2812	Bnbmefbg.exe
1744	Bapiabak.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pgefeajb.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Olmeci32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	6132	WerFault.exe	189

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1724	4804	ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe	84
PID 4804 wrote to memory of 1724	4804	ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe	84
PID 4804 wrote to memory of 1724	4804	ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe	84
PID 1724 wrote to memory of 3628	1724	Olhlhjpd.exe	85
PID 1724 wrote to memory of 3628	1724	Olhlhjpd.exe	85
PID 1724 wrote to memory of 3628	1724	Olhlhjpd.exe	85
PID 3628 wrote to memory of 4856	3628	Ognpebpj.exe	86
PID 3628 wrote to memory of 4856	3628	Ognpebpj.exe	86
PID 3628 wrote to memory of 4856	3628	Ognpebpj.exe	86
PID 4856 wrote to memory of 4684	4856	Ojllan32.exe	87
PID 4856 wrote to memory of 4684	4856	Ojllan32.exe	87
PID 4856 wrote to memory of 4684	4856	Ojllan32.exe	87
PID 4684 wrote to memory of 3484	4684	Oqfdnhfk.exe	88
PID 4684 wrote to memory of 3484	4684	Oqfdnhfk.exe	88
PID 4684 wrote to memory of 3484	4684	Oqfdnhfk.exe	88
PID 3484 wrote to memory of 1844	3484	Ocdqjceo.exe	89
PID 3484 wrote to memory of 1844	3484	Ocdqjceo.exe	89
PID 3484 wrote to memory of 1844	3484	Ocdqjceo.exe	89
PID 1844 wrote to memory of 4076	1844	Ofcmfodb.exe	90
PID 1844 wrote to memory of 4076	1844	Ofcmfodb.exe	90
PID 1844 wrote to memory of 4076	1844	Ofcmfodb.exe	90
PID 4076 wrote to memory of 1484	4076	Olmeci32.exe	91
PID 4076 wrote to memory of 1484	4076	Olmeci32.exe	91
PID 4076 wrote to memory of 1484	4076	Olmeci32.exe	91
PID 1484 wrote to memory of 2584	1484	Oddmdf32.exe	92
PID 1484 wrote to memory of 2584	1484	Oddmdf32.exe	92
PID 1484 wrote to memory of 2584	1484	Oddmdf32.exe	92
PID 2584 wrote to memory of 4540	2584	Ogbipa32.exe	93
PID 2584 wrote to memory of 4540	2584	Ogbipa32.exe	93
PID 2584 wrote to memory of 4540	2584	Ogbipa32.exe	93
PID 4540 wrote to memory of 3664	4540	Ojaelm32.exe	94
PID 4540 wrote to memory of 3664	4540	Ojaelm32.exe	94
PID 4540 wrote to memory of 3664	4540	Ojaelm32.exe	94
PID 3664 wrote to memory of 4936	3664	Pmoahijl.exe	95
PID 3664 wrote to memory of 4936	3664	Pmoahijl.exe	95
PID 3664 wrote to memory of 4936	3664	Pmoahijl.exe	95
PID 4936 wrote to memory of 856	4936	Pqknig32.exe	96
PID 4936 wrote to memory of 856	4936	Pqknig32.exe	96
PID 4936 wrote to memory of 856	4936	Pqknig32.exe	96
PID 856 wrote to memory of 2388	856	Pgefeajb.exe	97
PID 856 wrote to memory of 2388	856	Pgefeajb.exe	97
PID 856 wrote to memory of 2388	856	Pgefeajb.exe	97
PID 2388 wrote to memory of 1092	2388	Pjcbbmif.exe	98
PID 2388 wrote to memory of 1092	2388	Pjcbbmif.exe	98
PID 2388 wrote to memory of 1092	2388	Pjcbbmif.exe	98
PID 1092 wrote to memory of 3068	1092	Pmannhhj.exe	100
PID 1092 wrote to memory of 3068	1092	Pmannhhj.exe	100
PID 1092 wrote to memory of 3068	1092	Pmannhhj.exe	100
PID 3068 wrote to memory of 880	3068	Pdifoehl.exe	101
PID 3068 wrote to memory of 880	3068	Pdifoehl.exe	101
PID 3068 wrote to memory of 880	3068	Pdifoehl.exe	101
PID 880 wrote to memory of 1212	880	Pggbkagp.exe	102
PID 880 wrote to memory of 1212	880	Pggbkagp.exe	102
PID 880 wrote to memory of 1212	880	Pggbkagp.exe	102
PID 1212 wrote to memory of 3764	1212	Pnakhkol.exe	104
PID 1212 wrote to memory of 3764	1212	Pnakhkol.exe	104
PID 1212 wrote to memory of 3764	1212	Pnakhkol.exe	104
PID 3764 wrote to memory of 1032	3764	Pdkcde32.exe	105
PID 3764 wrote to memory of 1032	3764	Pdkcde32.exe	105
PID 3764 wrote to memory of 1032	3764	Pdkcde32.exe	105
PID 1032 wrote to memory of 3716	1032	Pgioqq32.exe	106
PID 1032 wrote to memory of 3716	1032	Pgioqq32.exe	106
PID 1032 wrote to memory of 3716	1032	Pgioqq32.exe	106
PID 3716 wrote to memory of 4960	3716	Pjhlml32.exe	107

C:\Users\Admin\AppData\Local\Temp\ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe
"C:\Users\Admin\AppData\Local\Temp\ee7ccf2def1c1ff187f6bfd684fddeb8802d5f979640008475a5f27616784118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Olhlhjpd.exe
  C:\Windows\system32\Olhlhjpd.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\Ognpebpj.exe
    C:\Windows\system32\Ognpebpj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\Ojllan32.exe
      C:\Windows\system32\Ojllan32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        54⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        71⤵
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        73⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1152
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        81⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        83⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:6132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 404
        103⤵
        Program crash
        
        PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6132 -ip 6132
1⤵
PID:5212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
3846418bb7844bdb4e033bebaa59306d

SHA1
ef72704482d09cd0dc07a430fb3e30958e1ab721

SHA256
15c5f4c6038a88310e33d1d7c7d8ee8046f85d178cd8163389ee75b91d91636f

SHA512
faa9383d561776d37156d89ac8da7b017f124fb4f0ce244a40e64ed9f7589016b192e016dba740641f507ae33360b95f9986d89c9566ce80599c153531d68d8e

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
96KB

MD5
516a25ae7217a549dfd29ec0c4b3bb24

SHA1
46310d4b9c6ef2a5c6e33a43e1f5d9614f48a3a4

SHA256
eea1816b45730f6f17a1cdb227a287eadf4b602613c621acea618fd98207c9f7

SHA512
cb111071413491af06b601fcea03a815027687a80aaf9f712afc7b829136505f9ba7bd38d13482a494b52724193d39da35b195596efc04ff4ab9723b5103112e

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
cb9e730f214767f95de734992ab39a61

SHA1
6959684089d0bdf6013eda1f8c434a1fcea43597

SHA256
dacb4dad6d0fa555d3868aeb69cbbb59ec5cecb30889275bfbb437f49c2c4c45

SHA512
bb3fcd35aae00e841e9a78ba2514008215c6018c417cc540f477588b4c181176c2b4b3867ba1ada810accf79e0ec60ce27ce193018b51a765490ca3600637d65

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
96KB

MD5
2cc651ab6d73b4d2ca40e6bb47010a6b

SHA1
58c002c868b79cc568fc4fdea66ab57c57106a63

SHA256
594cc2ca4593bf4322b1e6896fc018c2fe71d8df021f27b6cc9fd9b06869c7bb

SHA512
d5d9f27e4654d16a35bfa0a2846d1cc9ba6f24f821bcf8de4dabadc0587dda2d8d033626a044e25638bac31020b3e9312774150c4de787153d2b4256aa729718

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
96KB

MD5
be0af0a70e4d2a583a1c0fcc3102c9fd

SHA1
105c0c15922690059f0beb9f3c70cbc8f871284b

SHA256
acb0e59b547e4d2062884c04737a792ae61f41af050b7effc905e491300e7c81

SHA512
6b6e6a3aa00711652d5008e1b1812e87f76182f2f31853b7aa77934ce21fa53aa1890c0564fa489e5de726788388531b44a2e683499598f7be1f9260e32d02e9

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
b8bc4d7b16c4554861414a41701bf5c1

SHA1
a2dedcf7182a6d96231bc129a6b724a8a08a28b4

SHA256
6e99bfb5340af5fb1a4bfbb81d0d3ef7025b6a377e1a0737eaf7eda424cbec98

SHA512
492fead8e101a9487937bbc01de016695a37a3488cac781d143088b81d59984307d76d7f4e142eebf431f3a87cb4c6d2b867d322994629c82e01eed1844bf868

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
96KB

MD5
ba91795f7e3133e4a549a2ab459d7636

SHA1
090c3c4e106d2fdccc432b120c39e373eec79282

SHA256
36ee3ba1a31bf91e61ec5401c61bd467cbd4fc8a1191b85df6fb3c340ad8277c

SHA512
506662965f6871d479d6e0dd11b0d2cd1571f9223e29e80d73b28f8eb22fe74a64ef9f247f634b0caa3f5642459053e5481d68454f9b1e9999dfd85f8d1d3ca7

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
a9e5530f9ec8874dcd12eed56c462bc7

SHA1
d49fce4d2fc94393cab1e22771be42970fed5193

SHA256
300893a2f9894c8d0744b798026aa13d3f1948e1c192dcaf0fcfce9cadb3e051

SHA512
a4b84285a91edbeadbc29b01fa80741e0d9febf5afb0504815ebd9f41de30cf8369edb9c94329c14ff4118d612a51927742bd5342f1b1f591f89c9de1386a547

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
6566c8b46b02a3e870820da01e230a9a

SHA1
3b8a5da042e56b387e675cd0c5cedf4de91b8926

SHA256
a9ff253cdca59366801d5c3db50cb8832d82b37cf87eec6a3ef36586bdded535

SHA512
a48aeba7a447528a293b2b72eeaf5f094c378b650b2211e6f43f7cbff25142f2d0e4f98f412aea2b69272d45e3ef9efd45f8d900cc4ebe49d3738cd925c5218b

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
96KB

MD5
ab3f5a4fa9f5dda3ee999069ec023a52

SHA1
161bfc3e094a0bc47e75d1afd571c1cedabe3c99

SHA256
ddb01a33ee1e4786f8186458251337aef913874905890e7afe5fe83b1ed7ae2d

SHA512
7e03baaa94de7ad7d4ca859a27f51cb99151c6b5fea2ce4702517e40e1402eed3ae84e7cac20a14ea1f5fe0a558ec39b066f3ea1189ca362ab8fa396e194211e

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
96KB

MD5
dc04fe681804da766071379cf6874ae7

SHA1
7d474c5226922003cd1d713e52c62ec7b8ce11cc

SHA256
b87a451513328b80a3c37af0fa2eba7d71a695c910094812ffeebe4ae383a480

SHA512
d4e46df0b12e96a06c024963a37c93e47a4decc0d93526a3701eeb2985fd6158da653d6eb3e33d8aa024a7b79b998a6397bc4336318c8db885ac17f0cfd4c2ad

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
96KB

MD5
c0401ff89e0200437a695e2bde999818

SHA1
b469ff0df69598583306ecb3cf4513e3472c05a2

SHA256
0ced83ca4e9d3931c68ca7216d0658d30cb60960a66fa992218b38a21075c0b4

SHA512
12dd4fd0c2e558e20f41609046d5f0fd07f14b4b8f6538852cfb2880f333d91ab4dd6fe78ef084b1e6422fdef6a2e393a56f6c195ca7a2ef0123a4c0b82266a4

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
96KB

MD5
2d4cc4a86c85803d499ab9e6fb755ff8

SHA1
11eed2c1df526683f0f5efeeeea94f37570c1515

SHA256
522a717f04d01d1a35ee46fd41ca8d689324f1f49cfc935dafa4efda68563d7d

SHA512
4a54eb17441038cb0587e4824dc99bba1a4fc22f28d2d2a529fd56b8045bc06098594765c968a325c99d84f267d527b1140d054fc659c61a28f4fca3c3dc5f6e

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
96KB

MD5
6254d1886db28ac80d3a10cc801c8a74

SHA1
bea642c9acc06702ffbe599c71a8dbf58b083c75

SHA256
ed44612282645b90eada3ca1c2ab4a90ccb6037780725549c2da9b9390022ba0

SHA512
d754fef810f35c17590d93e22b17b654981f0e93bdfbdaf6e2aa63b4bb0e01315a30b529b61ed9ecb9f192bdb01f80fac3d71158a09cfb24d0a90cadd1941c23

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
0516de1b3fa13d0bb60148a703e0b821

SHA1
3b07ee79cef0ae891d43a7efa5340079c7df9de5

SHA256
95a99a8c70f3372372949ffa93034bde50152fe8a1a6a582b998f08605b4e52b

SHA512
96a558a6ccb73dfa3066eb1af8abefd732c01845e1e47fe554a775a6cb3866199a382f0b14e6f1158c18a62340a8bc212761fd028f68df227622029de11a7c34

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
96KB

MD5
972fc162ee2cd6954fc0b1c6237467c5

SHA1
7aba42e7f6dff33fe3e9df2175a188327f3afd05

SHA256
9e7b892033a272463f34dca34c353ef35eaecbb1902f9e155b5a4f99a2d1ee79

SHA512
cf03b0a67b0fbbba5fe3cc5908d2e3c3cf5476c2abff75907e7335a6bdc1d40d6c9eee412f967c60d1502021087f0ed519f613402b5f707d945829e66fde6132

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
96KB

MD5
12f2c1c05fd10de410f26b2e47c20e80

SHA1
f96ccdd23078a470e7bc80e92e3fe8107bec60b0

SHA256
16510aaa74663108f7a7b31dba3f2e3b975e0ed13735f3279fff96c28f5aaa79

SHA512
8f472becd29b77c0e3fb950dc5d061f05fcef8a03ba54c37dbc0dc1bd15371c86effcd2373dea11c22c570a716adf0623e067235724e17eb4b5d624636334f95

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
2f6601376152c4f30f2e0d16a265167e

SHA1
d461f2025618bf0ea6d2f8371db8ae9937a2cf30

SHA256
420c4601a1d66ca72bbb742fa5a1626be940d1afd8ef09ba495fe6d8d7f636b3

SHA512
604cc89ba5c453fcfa66ec41740d3ac38af7fc4542ddec424d02c4c93733d9cc386ecc82d9340fb443ee4425c5c768e2e5cea4ecfa0ec9ef3c5ac16ca493aa03

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
6e30b427e2be194b80850f43fcd87899

SHA1
2e2253fb29e4ea2047b140538e7aa8198739cf8f

SHA256
e6ea7d4f2445e752132df7a7421a799c521059c883ea6da233f9704958fdaeba

SHA512
380177128ba2227fd45880d43bad912bc74e9c48a0cff6e7bb78e09fc19bd46f33ae8dac5f8d19d4abb8ad4534d543a7232c99b86358540433b05d4035ee7ae0

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
8e38676da24e861d2d93453e91730726

SHA1
317a3d0b65a0d93d3bea52e5e90f4cee353c54aa

SHA256
4cd152c599aa21ea8d0152b80ba6c9c6f07c0ae9831728edb5edb5cdce243a8d

SHA512
c74371ffeb3a4c77b46d2dd4a4b6762ea948f96c53b383533c3a293ba37cfb0d826f79a09f8b84fcf322fc047c1ee6e0103a9ebc794202a458acf5316e381926

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
cb0d8c52a5adbf600f30314cd8f9449f

SHA1
127d2a0233ace23e7f03f1943faef1e025f575b3

SHA256
f4348dec8391abb24c4c793fe2790ce2940f38035c61e0c611df140c517ff5ea

SHA512
a048882b42fc5e68ba8e9a4c8867dc8f1a6972c3a9062bae1df2246c11956037e6928ca09bd5adca7c6b1885a767e92fe49226f44216f10ed7f424856ef31f29

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
96KB

MD5
7518f3e2f45cd39312affc6d33b801d0

SHA1
e7317187096943396d1d306f8f8e2fac8e687d6d

SHA256
3d8dda187584a38a593f5268cd5f076968ac542d5b43ac452ad15c984511553d

SHA512
e609631507c048adb65da10fa6a7192212e7fc6f905bdce0f76973eee62ebd1fb4a0df63031f48ba2a0353db0f85ed90a948fc2b7fc7a4f1c1d0528ac5d574e7

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
26c6bf494b4460434facaa7d0d20f85b

SHA1
c0fb8a172dcc28f37dc47bb292f582994b53fa89

SHA256
a3458e9b488917c5a42f7fdee82547a5ac873520da2e56e105bb6b0e97311572

SHA512
48df74cc61a1331a3165e2b003a170525aae066cf1f11485665dbb99029980ccb1a0b71eccee49925b7437f9317d813272171f21d267c842a4954e69fc9f2829

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
96KB

MD5
f649a9f1ed3b56980a62d1092d52c36b

SHA1
1551fc424688780d851fd0795731473e5901d8c4

SHA256
24f90d719f3a28104c267f1df1c40140e980594858d647494ee7a93df893d460

SHA512
12790db66f81ce98d5a76c6442b3b34f5b189e5026c3c9294e1e86c09bbfdbe9f41d89f62cad3402d28a27d51746fce429f172f828237c8aea0d34a21fa0ac2c

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
96KB

MD5
f627a2be6266b43366c1c90955052cbe

SHA1
037e81acb45bc30a16bbdfe918bcd4c8fc2d5ffa

SHA256
f4ee769a4ddf2b0ff0c7c908fdaef9362f346a18b259fbf95bc5b2156f5ee038

SHA512
92ecce110b784b59a6de16606bdf4bbf52539c96ec557322c5a3977ab29854cdfd25a08dbb8e234fe7d8f4696aae69eea0576606b5a172a111282c3c4fa0b514

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
96KB

MD5
a35a3cc92699c9cf4bb948f5b2b2b3e2

SHA1
07cec29390cb9b4ae83c01f68c4ca7e3d15cc02c

SHA256
c46e822fe46ed0c25c6212f874edb342e50b8ce640eebe0976e4a64a326be245

SHA512
a38d790a28ce9c03d6d999f2cd599bee344ce0c779ade35232804835d9c640a57c0baf5df862a3829b35e5f3cbd2ec2765f63590f8ab005988ce45df1e66a5f8

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
3afafff5033d2a344adb614f4ef02fe2

SHA1
01caca66d032f02a9fa20849dd7b3579b6f89bb6

SHA256
0f5d202440dc0a99c512f127e16e99d32866c33e67d88d9a5ff99e14239485f9

SHA512
b36eae69922fbb3108ebd21742170abc77d2989069d3b90725a592d73d266c082e48d3e24d39f20d64d9a899e9e0c1ce28622ed74542020128ad8592b99a9815

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
96KB

MD5
4478e280435c65fc75c3cb62bc784fad

SHA1
ed1ea47b5d568a6be7a503f00b8f8bb7dfd4fed9

SHA256
6ac7e31b26ecdfbaac2c59cccb7987fe6d74fca913d9f4a8e1c152747446aa8b

SHA512
da8791396052f711de0db95b2f3a0972e1244592fa1ad410dc4732d88fac3235a76a45af0740cd80075b677cff5a80db2d0d2d146344f460f98511ad59afa708

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
96KB

MD5
40c6777618ed0e9498934bced902dedb

SHA1
5d02b7613eebb7b19602b704e3a7372a0de065c0

SHA256
5cb7f5d8c5d4faae420b069d3e2f9cb16da664d65bde5e32557e09af9371e10e

SHA512
a0291f51586cdb7a96b2e40602dbd0264c58fb19cd0d21ea189e87734c477496381a32cf276fa463ba46e30190bbb508115afa2d48b140c879a7be0cd895d495

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
2fc878e38481d2dd3bc8a6d09f574011

SHA1
86a85760e830230a7865bb77d4bcad65f4c2d976

SHA256
03dd56b201ef30c5e4eaae4553e46527d120ea62d997fc88d7ab52d6efc014a0

SHA512
7d8110313b36eedace976fb91a7a804a2d9b4fe6042e1db1ff02490c6d0c70c1d6d86bfe4dd21d6713e8c1aa8e87223e61b6240300cf9a8c96553a645a25c147

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
96KB

MD5
66f85edde2886bd5542fd526c94b90a5

SHA1
5ce40e9cf1b6ae7f7a158f9df0117535aa0f8017

SHA256
0bfaa72f23e30779caa0bcb399c4ce760118399260904ae7d3661b9f47893863

SHA512
2e883eaf0a2a682903d1b48c91b4ec663909e81b297dc700d1f1eadf316f6e51de4dcd6e1d78002acab84a7cbbd23361253836189a1d8910e8f0863de1be231b

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
7dc216d252dda4525d8734deb20f5695

SHA1
8fb694fa5bb32a7eb55f5d3dc4f6f3f3893cffad

SHA256
8148da5e9e2722b7052900f895abadd1b2749ee82e1fa6f2dbffdd9d2d1c8649

SHA512
d3005e34965e6e0a3d8294c8ffc561d40c3beef8a40bca91d87f6561a24518d43d6f00db9f3b5bd40fff376b8545e9def51c335bbfd39bb06978f6502c162359

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
89065f55a17c5e962d992e7bab64bf66

SHA1
ce366400dc09c212755af22c71a963560a3d3854

SHA256
9eecd7cf2ea5caf85f60653a4e846a33a176ff8b182b1772a786d3c191b6da3b

SHA512
8d2a2b42d6c872b348594a2f333d9f90fd106d22fff8037265177f406ef80b784ae6f6d22380b3da7ead77202988212c6b26764e9de070ee1378de24fb2c2799

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
96KB

MD5
d1cfa4902c408f16cb123314174e8bfa

SHA1
5fffadb5acd57632be3679eed4938fe193f84430

SHA256
574e2d86eeddb5882b45d64fd6a5cf16affb2e69cc034319c27f4eb35d42286a

SHA512
67d483744a7551311ad420fe84791fd48fb173bd250e00111d456dddee90d73f70751eeed8e4b7061efbded1c80e441896fff927e05fe4631c34760e13ebd053

Download Submit
memory/512-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-791-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-797-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-796-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2452-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-753-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3764-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-757-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-776-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4696-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-764-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4804-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4892-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5180-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5224-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5268-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5340-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5644-716-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads