berbew | 9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Size

318KB
MD5

c178b1ef769f680f923fa7dafd1de870
SHA1

b72e6dd6dc6854ebf9ef5aa462ef150e0cc7e6bb
SHA256

9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7
SHA512

e17e128651d1a7a3d9e7a8b836bad24222997a83f2d66fc73524bece698e2599b5d1dec30749b6cbf62dbf603c66a2a08094e628ed8c742123f2fe2c5b552316
SSDEEP

6144:eO2SsM/W2JbRVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:hlfWeO4wFHoS04wFHoSrZx8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjcip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplimbka.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhhdnlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbjeinje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oidiekdn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhhdnlh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njjcip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndqkleln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdbdqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obmnna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2368	Npjlhcmd.exe
352	Nbhhdnlh.exe
1868	Nplimbka.exe
2912	Nbjeinje.exe
2744	Ndqkleln.exe
2640	Njjcip32.exe
2620	Omklkkpl.exe
2680	Oidiekdn.exe
1232	Obmnna32.exe
1936	Pofkha32.exe
1716	Pdbdqh32.exe
1160	Pojecajj.exe
2228	Paknelgk.exe
2244	Pghfnc32.exe
1132	Pnbojmmp.exe
1996	Qdlggg32.exe
1568	Qkfocaki.exe
1372	Qpbglhjq.exe
2484	Adnpkjde.exe
3052	Bceibfgj.exe
580	Bfdenafn.exe
1596	Bchfhfeh.exe
2052	Bcjcme32.exe
2560	Cbppnbhm.exe
2116	Ciihklpj.exe
2748	Cgoelh32.exe
832	Cjonncab.exe
3020	Dpapaj32.exe

Loads dropped DLL 59 IoCs

pid	Process
2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
2368	Npjlhcmd.exe
2368	Npjlhcmd.exe
352	Nbhhdnlh.exe
352	Nbhhdnlh.exe
1868	Nplimbka.exe
1868	Nplimbka.exe
2912	Nbjeinje.exe
2912	Nbjeinje.exe
2744	Ndqkleln.exe
2744	Ndqkleln.exe
2640	Njjcip32.exe
2640	Njjcip32.exe
2620	Omklkkpl.exe
2620	Omklkkpl.exe
2680	Oidiekdn.exe
2680	Oidiekdn.exe
1232	Obmnna32.exe
1232	Obmnna32.exe
1936	Pofkha32.exe
1936	Pofkha32.exe
1716	Pdbdqh32.exe
1716	Pdbdqh32.exe
1160	Pojecajj.exe
1160	Pojecajj.exe
2228	Paknelgk.exe
2228	Paknelgk.exe
2244	Pghfnc32.exe
2244	Pghfnc32.exe
1132	Pnbojmmp.exe
1132	Pnbojmmp.exe
1996	Qdlggg32.exe
1996	Qdlggg32.exe
1568	Qkfocaki.exe
1568	Qkfocaki.exe
1372	Qpbglhjq.exe
1372	Qpbglhjq.exe
2484	Adnpkjde.exe
2484	Adnpkjde.exe
3052	Bceibfgj.exe
3052	Bceibfgj.exe
580	Bfdenafn.exe
580	Bfdenafn.exe
1596	Bchfhfeh.exe
1596	Bchfhfeh.exe
2052	Bcjcme32.exe
2052	Bcjcme32.exe
2560	Cbppnbhm.exe
2560	Cbppnbhm.exe
2116	Ciihklpj.exe
2116	Ciihklpj.exe
2748	Cgoelh32.exe
2748	Cgoelh32.exe
832	Cjonncab.exe
832	Cjonncab.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Plcaioco.dll	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
File opened for modification	C:\Windows\SysWOW64\Obmnna32.exe	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Gfblih32.dll	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	Obmnna32.exe
File created	C:\Windows\SysWOW64\Pghfnc32.exe	Paknelgk.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Nplimbka.exe	Nbhhdnlh.exe
File opened for modification	C:\Windows\SysWOW64\Oidiekdn.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Obmnna32.exe	Oidiekdn.exe
File created	C:\Windows\SysWOW64\Qdlggg32.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Nplimbka.exe	Nbhhdnlh.exe
File created	C:\Windows\SysWOW64\Ndqkleln.exe	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Bdclnelo.dll	Nbjeinje.exe
File opened for modification	C:\Windows\SysWOW64\Njjcip32.exe	Ndqkleln.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Nbhhdnlh.exe	Npjlhcmd.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Oidiekdn.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Pdbdqh32.exe
File created	C:\Windows\SysWOW64\Leblqb32.dll	Paknelgk.exe
File created	C:\Windows\SysWOW64\Npjlhcmd.exe	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
File opened for modification	C:\Windows\SysWOW64\Nbjeinje.exe	Nplimbka.exe
File created	C:\Windows\SysWOW64\Njjcip32.exe	Ndqkleln.exe
File created	C:\Windows\SysWOW64\Giddhc32.dll	Njjcip32.exe
File created	C:\Windows\SysWOW64\Pqbolhmg.dll	Omklkkpl.exe
File opened for modification	C:\Windows\SysWOW64\Pdbdqh32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ojefmknj.dll	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Pghfnc32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cbppnbhm.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Qpbglhjq.exe
File created	C:\Windows\SysWOW64\Gaokcb32.dll	Ndqkleln.exe
File opened for modification	C:\Windows\SysWOW64\Paknelgk.exe	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Pghfnc32.exe	Paknelgk.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pghfnc32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Qdlggg32.exe
File created	C:\Windows\SysWOW64\Qpbglhjq.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pjdjea32.dll	Nplimbka.exe
File created	C:\Windows\SysWOW64\Pdbdqh32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Pdbdqh32.exe
File opened for modification	C:\Windows\SysWOW64\Qpbglhjq.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Qdlggg32.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Npjlhcmd.exe	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
File created	C:\Windows\SysWOW64\Nbhhdnlh.exe	Npjlhcmd.exe
File created	C:\Windows\SysWOW64\Omklkkpl.exe	Njjcip32.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cgoelh32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dfkhndca.¿xe	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	3020	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pghfnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbhhdnlh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjeinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjlhcmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndqkleln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obmnna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdbdqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdlggg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjcip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplimbka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oidiekdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omklkkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Paknelgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpbglhjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadcepg.dll"	Npjlhcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll"	Nplimbka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obmnna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pdbdqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npjlhcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbjeinje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndqkleln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll"	Njjcip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Paknelgk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpbglhjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pghfnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qdlggg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcaioco.dll"	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkgoklhk.dll"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Paknelgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Pghfnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkid32.dll"	Nbhhdnlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhhdnlh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njjcip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obmnna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Qpbglhjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhhdnlh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfblih32.dll"	Oidiekdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Qdlggg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplimbka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndqkleln.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2368	2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe	31
PID 2096 wrote to memory of 2368	2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe	31
PID 2096 wrote to memory of 2368	2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe	31
PID 2096 wrote to memory of 2368	2096	9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe	31
PID 2368 wrote to memory of 352	2368	Npjlhcmd.exe	32
PID 2368 wrote to memory of 352	2368	Npjlhcmd.exe	32
PID 2368 wrote to memory of 352	2368	Npjlhcmd.exe	32
PID 2368 wrote to memory of 352	2368	Npjlhcmd.exe	32
PID 352 wrote to memory of 1868	352	Nbhhdnlh.exe	33
PID 352 wrote to memory of 1868	352	Nbhhdnlh.exe	33
PID 352 wrote to memory of 1868	352	Nbhhdnlh.exe	33
PID 352 wrote to memory of 1868	352	Nbhhdnlh.exe	33
PID 1868 wrote to memory of 2912	1868	Nplimbka.exe	34
PID 1868 wrote to memory of 2912	1868	Nplimbka.exe	34
PID 1868 wrote to memory of 2912	1868	Nplimbka.exe	34
PID 1868 wrote to memory of 2912	1868	Nplimbka.exe	34
PID 2912 wrote to memory of 2744	2912	Nbjeinje.exe	35
PID 2912 wrote to memory of 2744	2912	Nbjeinje.exe	35
PID 2912 wrote to memory of 2744	2912	Nbjeinje.exe	35
PID 2912 wrote to memory of 2744	2912	Nbjeinje.exe	35
PID 2744 wrote to memory of 2640	2744	Ndqkleln.exe	36
PID 2744 wrote to memory of 2640	2744	Ndqkleln.exe	36
PID 2744 wrote to memory of 2640	2744	Ndqkleln.exe	36
PID 2744 wrote to memory of 2640	2744	Ndqkleln.exe	36
PID 2640 wrote to memory of 2620	2640	Njjcip32.exe	37
PID 2640 wrote to memory of 2620	2640	Njjcip32.exe	37
PID 2640 wrote to memory of 2620	2640	Njjcip32.exe	37
PID 2640 wrote to memory of 2620	2640	Njjcip32.exe	37
PID 2620 wrote to memory of 2680	2620	Omklkkpl.exe	38
PID 2620 wrote to memory of 2680	2620	Omklkkpl.exe	38
PID 2620 wrote to memory of 2680	2620	Omklkkpl.exe	38
PID 2620 wrote to memory of 2680	2620	Omklkkpl.exe	38
PID 2680 wrote to memory of 1232	2680	Oidiekdn.exe	39
PID 2680 wrote to memory of 1232	2680	Oidiekdn.exe	39
PID 2680 wrote to memory of 1232	2680	Oidiekdn.exe	39
PID 2680 wrote to memory of 1232	2680	Oidiekdn.exe	39
PID 1232 wrote to memory of 1936	1232	Obmnna32.exe	40
PID 1232 wrote to memory of 1936	1232	Obmnna32.exe	40
PID 1232 wrote to memory of 1936	1232	Obmnna32.exe	40
PID 1232 wrote to memory of 1936	1232	Obmnna32.exe	40
PID 1936 wrote to memory of 1716	1936	Pofkha32.exe	41
PID 1936 wrote to memory of 1716	1936	Pofkha32.exe	41
PID 1936 wrote to memory of 1716	1936	Pofkha32.exe	41
PID 1936 wrote to memory of 1716	1936	Pofkha32.exe	41
PID 1716 wrote to memory of 1160	1716	Pdbdqh32.exe	42
PID 1716 wrote to memory of 1160	1716	Pdbdqh32.exe	42
PID 1716 wrote to memory of 1160	1716	Pdbdqh32.exe	42
PID 1716 wrote to memory of 1160	1716	Pdbdqh32.exe	42
PID 1160 wrote to memory of 2228	1160	Pojecajj.exe	43
PID 1160 wrote to memory of 2228	1160	Pojecajj.exe	43
PID 1160 wrote to memory of 2228	1160	Pojecajj.exe	43
PID 1160 wrote to memory of 2228	1160	Pojecajj.exe	43
PID 2228 wrote to memory of 2244	2228	Paknelgk.exe	44
PID 2228 wrote to memory of 2244	2228	Paknelgk.exe	44
PID 2228 wrote to memory of 2244	2228	Paknelgk.exe	44
PID 2228 wrote to memory of 2244	2228	Paknelgk.exe	44
PID 2244 wrote to memory of 1132	2244	Pghfnc32.exe	45
PID 2244 wrote to memory of 1132	2244	Pghfnc32.exe	45
PID 2244 wrote to memory of 1132	2244	Pghfnc32.exe	45
PID 2244 wrote to memory of 1132	2244	Pghfnc32.exe	45
PID 1132 wrote to memory of 1996	1132	Pnbojmmp.exe	46
PID 1132 wrote to memory of 1996	1132	Pnbojmmp.exe	46
PID 1132 wrote to memory of 1996	1132	Pnbojmmp.exe	46
PID 1132 wrote to memory of 1996	1132	Pnbojmmp.exe	46

C:\Users\Admin\AppData\Local\Temp\9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe
"C:\Users\Admin\AppData\Local\Temp\9a944628e92d3d478e5835d4eef16dda1311af19c3079908badd40cdc0956da7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Npjlhcmd.exe
  C:\Windows\system32\Npjlhcmd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Nbhhdnlh.exe
    C:\Windows\system32\Nbhhdnlh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Windows\SysWOW64\Nplimbka.exe
      C:\Windows\system32\Nplimbka.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\Nbjeinje.exe
        
        C:\Windows\system32\Nbjeinje.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\Ndqkleln.exe
        
        C:\Windows\system32\Ndqkleln.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Njjcip32.exe
        
        C:\Windows\system32\Njjcip32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Oidiekdn.exe
        
        C:\Windows\system32\Oidiekdn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Obmnna32.exe
        
        C:\Windows\system32\Obmnna32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Pdbdqh32.exe
        
        C:\Windows\system32\Pdbdqh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Paknelgk.exe
        
        C:\Windows\system32\Paknelgk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Pghfnc32.exe
        
        C:\Windows\system32\Pghfnc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Pnbojmmp.exe
        
        C:\Windows\system32\Pnbojmmp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Qdlggg32.exe
        
        C:\Windows\system32\Qdlggg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Qpbglhjq.exe
        
        C:\Windows\system32\Qpbglhjq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Bfdenafn.exe
        
        C:\Windows\system32\Bfdenafn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 144
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
318KB

MD5
20121412058f244ab21d7c761cb0986b

SHA1
d06824e128435b00f481474fb63624300f6408b7

SHA256
0b29a23a2dda7ffa865b2589c5e93f03592550d0018fcc43f9304a1914c569ab

SHA512
3807053622a39323bb563c83407b2afb4195d09061923c96810224c30c8676c6426e4e7c5813d3bbd83d466c7fda52a16543cf956cfac6bdc6e0e6e25769c19c

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
318KB

MD5
49b759424490ed6b3f5acdf741a979ff

SHA1
0d58f266ad300ca0ac5f5c3779652cdbc6dc6ef9

SHA256
518bbf74bcd430e2c9f083a12965734c7f7216e1ca73a6bbfbeba46a36b5626b

SHA512
3fb47eb59fe562027bf93943f1866f19618515ed3942d90cdc5d0b5efe4a90a34ed0a18f8042b0b847aef516e97d78b26e2c47b5346efa61a17d55fae3f9484a

Download Submit
C:\Windows\SysWOW64\Bchfhfeh.exe

Filesize
318KB

MD5
a92f20aa0ce15c3388a6f542162659e5

SHA1
4e410372599518d7f0fccc5e8a33453128ec41f3

SHA256
c32f9cb3b1852352bfdb63d8dca4834e72c4a7b37ddf177937d66a7c63d5b69a

SHA512
f61240f5ee2491c085000d22f5951d5440392d108393fef83f11eb2399a59327602de94081c9bff9dbed4d2d9a2225616df1e37a78f0c97ae2a101d4da773352

Download Submit
C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
318KB

MD5
f6cf2a9695b2b664dcc94dbd8a239073

SHA1
eaea79545e58bdb0be6e8fa384239108ecd00adf

SHA256
6a8a7d11cd94dd43597cd8014852090f1e8cea1c624d8c9ca79bd0b2b6249644

SHA512
ab68a842f64887e6f2901dad79ecf9eb6868310d5deacd3fb5ccb325f14401d91a88df68cc1c838333b08d02a4fe5c7063231021be97955af716155d8be859bb

Download Submit
C:\Windows\SysWOW64\Bfdenafn.exe

Filesize
318KB

MD5
7518caac77f0950d3bf00793bc6de7f3

SHA1
b4077e6add668c5123b86909661c152cf541db01

SHA256
587dc14d17f7f526d6a274d9beef7a6d74c776456aa882855f1ab8d6e2be64d2

SHA512
c6a7f34d466e1fd017bc75ea51cd0213579917a12ca49bda86b81446c35993e3f56ce2e2eb6ed21dac6d6ec6205afe0ea1cf8a2d2285293fb5c31af743575a37

Download Submit
C:\Windows\SysWOW64\Cbppnbhm.exe

Filesize
318KB

MD5
bb82c0dbd9eaa16194e3b6efb458e037

SHA1
b42423b5fca3fccc81e60c5fb25a3d60decf9eb4

SHA256
034dd618cbd597193428563c625a69c973ada5a292a49ba276f975a403ccae74

SHA512
0b0cf87457c021995fec75343cf4370d1bfc7f76643d99441dbd3463a526406c1d53c6425a59cf9da506c373c6bd5f86f7a8882e5021a718889d9fbd1a958f8b

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
318KB

MD5
2703f479800f04b3b2d0949e6c55fe8f

SHA1
1fd603d9058860f49091528f4676ac3fe3a9ac44

SHA256
9625011939262638b6d4ede32c691342c2aec1411c84a0b582143344b028e852

SHA512
9d151dcb8286fc11ff86c1d95c8f07bd8f81e4468a7291b0c57731c76923f9999351b19beea136d02d2849346ce8833f7fee4ef6be5e84e2a882625bb3f6b2af

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
318KB

MD5
865ecd2a1f67646f258b4d046e5a33e9

SHA1
a5f9a0f7376852ac9917d2dbaaceba29fed8798b

SHA256
ae1610ae26d20c18aa5969cf1b5324f9d08dba57c5e026b6d9c990d163652c82

SHA512
8c6ab6a5b71c5ef9ef8ecdaab109b9643baee69dbbf99a25288e0b75f013153cd6e63071088a931e0e25f3aa320fcf6536f48f16c01b4aae52a4fb9fe2e38d00

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
318KB

MD5
5b14f01c7468f1a8f275cc4d26ac2d71

SHA1
766dac1500ad3b34ecce671e05a47fd6e3f5764b

SHA256
bc9ed6b17e86a26bd58fe52655e671378ca0bc063b42deb6838112be35f2fb42

SHA512
a9b9acd7c85939d1e8cdd9783940a41091e7caa12d2f52022cef09a27bcd164bef31d4e9bc8f394ed1239a048f49808aa03dac7ea816d5d4e6cf2a40edf902de

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
318KB

MD5
360f02cf1a60f55ea2094f335bd2d9f8

SHA1
dd99b18ab0562c952601a459bac029d8a3380481

SHA256
417ca591a041e1c9c0e1da057a572f7728d272b9c0873862b31e3638856379d9

SHA512
78650c2d0986cdf31df47a3b69b6cf61c179d16f43ade55cd1cf70883127725b6d4837b9a5c90adfef60a034b875905e3969c3dc3a380b4687bcd96f0139cb31

Download Submit
C:\Windows\SysWOW64\Nbhhdnlh.exe

Filesize
318KB

MD5
48cb51a4a36d1e0e872ac18cab4588e3

SHA1
85115df1577feb92c41334400b349e292a4bb1ac

SHA256
1e278e879f54bea5257173d177f7adce8d296d681ffc1735f3a174660e81cca1

SHA512
2ca94ff4d21baea3b9da1c8a4f843c39354e0e1e944416c8b1582922dda08e0f0156111b266c4619d8b7890cddafc76ee9fd63d9299fbc976b17881302dba07d

Download Submit
C:\Windows\SysWOW64\Ndqkleln.exe

Filesize
318KB

MD5
b56a77dc7e7d6d510f888941d1c39eef

SHA1
4ca6300f03a68e544dae4b954aa7c1e8c8ccc258

SHA256
9e29eff65446cbab514f765f197c2663ea88480e88c1b89a49e73e51eb8d74f4

SHA512
41cbae4886718c97aa0a87de1a814749c846868798cb99c36c1c0d6b9340bbbc46aa81a74a2e3997ceee068a251cec0c5f8f63360b5e947c9ae45b14fba4e6ec

Download Submit
C:\Windows\SysWOW64\Nplimbka.exe

Filesize
318KB

MD5
9e4314886e92383521c9ee404df5d8ad

SHA1
b8f34994c5325de3b2ebe7ca6e8e64139f575f21

SHA256
67eb045ad4a57cd2e47243b46a48fb5f2e2a698dc1712c63c763e047000abf4f

SHA512
3a8be20084c12211d991bfe9f3da0344da9d555369247384be6d3f7e9eb8a43cbcf41f9428f7c79e51f54d44505371a30253b4e2c3f9707583148314c77e7c67

Download Submit
C:\Windows\SysWOW64\Omklkkpl.exe

Filesize
318KB

MD5
af26a7766512baa646fd72f6aaa3f448

SHA1
0a2fb8dacbef9adc90c6baa2cb044f0c976555d8

SHA256
59a14d4e2567e86226ff26aacb9a878241ad99c089d4cec8925d2f45f850a652

SHA512
fe612c578baca77e38a707fee81b96a23f6bc793f59eaa80b03a8948128ce64f7a0efd5334145c350c4737b114810ad4442773e3eb4ed5c86be8c97c51e9f494

Download Submit
C:\Windows\SysWOW64\Paknelgk.exe

Filesize
318KB

MD5
33f0305541fa9601e503ee39c2819545

SHA1
7988936b5325e1205c2947d2fd0f17d6b5a7aab9

SHA256
ec1c51cfce49d4e0b08ee15f495b0232da222ab15c7c4aee58b1f2285fcdec63

SHA512
1b5cab853b88dd1f774738efdc895455499fe1ac584113279d42a5a5c6e8e364bac67a0b8ad3f2ed68960f658cee3f578f992ead4a9966208253bd43a87a485d

Download Submit
C:\Windows\SysWOW64\Pghfnc32.exe

Filesize
318KB

MD5
dbb009174079fe81182175c6ae89bc57

SHA1
d0f3eff6c9f92291c6fab93a69c895382c4f6677

SHA256
0f518f38791a2c1263638e68a00388ba90c67ee2d0fd6264afd161355934a9ff

SHA512
c5c9ba738c9fa241abe1f460e247996148bc9cfcb31a2dbb5868bdb6bdb829b956a5d68b0a45c44d90d409fa5aed7aab8ddbebfe31c0209d99267838a62f0733

Download Submit
C:\Windows\SysWOW64\Pnbojmmp.exe

Filesize
318KB

MD5
8b5ad5f65b912a016dc0aee5042a7d5e

SHA1
febf424b685e382fd54efca8778b0d2f0e11cdfc

SHA256
7ec248b5af4d0bc7e5190fa7f6f2eeea37ee9a45aee88dfc57b67785523d52aa

SHA512
50fa38d1c8db4778c714d3a0592fa52166392419a037aadd62655b8b1cb5e8f2869d0bf480758952992c0395ff1fbc236c8c05fa08aa2aacd411ffd0922629ad

Download Submit
C:\Windows\SysWOW64\Qdlggg32.exe

Filesize
318KB

MD5
feda2908342c03bdafe400782d066b55

SHA1
3669bade94e2483f8591ff0a9fd62d153228ae88

SHA256
3ca8b6584bc334329dd3e329974b392b6fcae377860e538b0cb155c3b7a61e50

SHA512
02bb2e85bd9af7e9b41b0234635412dd0f38e5ac9d0e750e3e97f879f38f03f6a355886e7568ec30db3c64179eb8292db2310b6ff76a915dbcd7475eb7840557

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
318KB

MD5
bba978370fc4265872f85a7ddfc727ed

SHA1
a16e97654b97a18b076527717ff3bf2451c0cdb5

SHA256
73be90668c34fa1cbbcd4f272d7d1b3d4624aa75b962297488750a6208052640

SHA512
4978526b1fb204cf95f9ef4ef3b56a25c264e078591994cdade4317edd79a71bc55c800de5ac0bbce57b648ed4639cbeec1b280f4ab758bce85b0e3dc2740e0a

Download Submit
C:\Windows\SysWOW64\Qpbglhjq.exe

Filesize
318KB

MD5
085b1e13b77503e4b384b12a0dec3e31

SHA1
0a109d0236dbd1625f3305b45209a257ccc7ceee

SHA256
369acb6d9210b3eb2987cfddc6ec353a36c3f611698b47e8e34c13f513e7c317

SHA512
fbb7cf871ab8397dfa6b93f393cdeffb2933fd986b1b21ea144b26d33e92c28d53b3f45f7778a6ae237323b1bbd62183f4a8b836d5734f6fb80e0f386dad6ea4

Download Submit
\Windows\SysWOW64\Nbjeinje.exe

Filesize
318KB

MD5
50e6a9cfc02680974f86b92ff0f0a4d4

SHA1
8bc902879ca5fec20f274c72551b8405b50307d3

SHA256
126695dec0a39b02ca5160635f364dc493845c71106d7870ad49a05f118a2669

SHA512
b3888b3ac3469053db5a27f9938837c7b93bae39c95f9df463771c2fdd9117bd53aee559dc1828ba9de7214a8a9369e5b0a9c86ea6ab791632211df6ee0d66c9

Download Submit
\Windows\SysWOW64\Njjcip32.exe

Filesize
318KB

MD5
5f099d28aecb28f3a6c07837ed27b1ae

SHA1
0874f9f3f22d9ae3b31b64a2c2fa89bafb37497d

SHA256
7ccacc4e096590454bc7172917ba8754d7281e17772a99858d8187945aa20b08

SHA512
262ae4da2a77c9ef0cb6199439224c1f51f3ac5d7c7247a44a9b3fc314552a2f4b3d975b17d084f5dfe380bd665931c1586f25b20543a09edb3dc78855cd93e2

Download Submit
\Windows\SysWOW64\Npjlhcmd.exe

Filesize
318KB

MD5
a2d7a5da81cd9ad7ca9a11becaf0ddf0

SHA1
cea26c532e5adc912a8227df9f9163c3f89c9ce7

SHA256
8a29ebfa5c55f217df9c7903c8223507af53f1d5de770580313e5360f893c50f

SHA512
ff4b3af91b65cb27dd387c252d473945fa65931fa05ed8c5cc010de5779c5a3d4bc214b60547e877ba1fbd413ebb95dfa1cd4be092eb6eeed13fc7e81d3c3589

Download Submit
\Windows\SysWOW64\Obmnna32.exe

Filesize
318KB

MD5
c8d753fb41969b40758919a87c9cea05

SHA1
2e017ffc848fa259c536a6f56e7876afd6273b30

SHA256
de45c66c0ef67abdf2f2cc7b3ed33a011bcb2da03f39f79f09543e64ce8c0d84

SHA512
ea5f3005d91c5b8c77f2ba5b8b652ae797dda51fe2992b9d9a2be3a75ca7c9a9226e52f2dc6070cee2d55cf1eea133234168d23defb81ed1cf023dafc2f24dd8

Download Submit
\Windows\SysWOW64\Oidiekdn.exe

Filesize
318KB

MD5
dd0ce8d48cf8e047182ada3225645aed

SHA1
d116fe4c0a5e03420c80f85ef0cd375324efba5f

SHA256
382a779b6a7bacebce3562ddae4902c5ce0df9a9004aba160b1fba65e39ea806

SHA512
3658e7d8d35f7132894fbdc83c020bf3f525b59562c82e2697e40efbedfc942b0b5dd370eecc465b8c00a788939cc6a05d24fca4750d0535b95766779e607ff9

Download Submit
\Windows\SysWOW64\Pdbdqh32.exe

Filesize
318KB

MD5
aa91e3960128515ed0e133b67c5e278f

SHA1
2a3bfb4966f51afecaed01eebcbce6c91a65f1d3

SHA256
90d3adf702baee56ce795eab13eca766b11bcc512b4b9e5ddb6decfaa7cdcb65

SHA512
5ae9439890b8a16fba8fde2637ea145dfdaa28a349b2cb864d6e44ef40a45b4bdc7c5bb6df6b82a4428f05fe90837731546767b01b555a68e1039f6f3bf6cb78

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
318KB

MD5
28218b8931bed0ab611cd3ef809f6497

SHA1
34a64be150a0cdfbd6f68671be2c56b6c0392432

SHA256
928e751c39b304b6222a6389468b38fd6574ecac0d55fca16e3f48d7beebf026

SHA512
1ef913596df8a104bda6cae7501fab2b9bcaa5a2cc9c6536b84189747a315f89493f288ae5f04ec574b63a4121be06c8848671c4ba8e1fa1fb4279080f70fc15

Download Submit
\Windows\SysWOW64\Pojecajj.exe

Filesize
318KB

MD5
61415d4c69b3e206212716086605cfb0

SHA1
c3e681dcd199d5dac142a0427be6f05f991d4cd6

SHA256
5948986d98c54d17f06e5ad8a7b625094d0e519effb912effa8c216ba0ae99c9

SHA512
51fbf8bbe901cee95dd6cab06029ac93a97e37b306f14ab5c48b5cd4e488183a5279d981ce3c72b6451ac9053eb19f29495c8f1120e125dcc6dc76f098ee5eae

Download Submit
memory/352-399-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/352-402-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/580-373-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/580-275-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/580-285-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/580-284-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/832-347-0x0000000000340000-0x00000000003B9000-memory.dmp

Filesize
484KB

Download
memory/832-353-0x0000000000340000-0x00000000003B9000-memory.dmp

Filesize
484KB

Download
memory/832-375-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/832-341-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1132-372-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1132-231-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1132-369-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1132-230-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1160-166-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1160-235-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1160-223-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1160-396-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1232-118-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1232-382-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1372-250-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1372-374-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1372-248-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1372-249-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1568-408-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1568-234-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1568-244-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1568-245-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1596-292-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1596-286-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1596-296-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/1596-366-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-387-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-389-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-160-0x0000000000320000-0x0000000000399000-memory.dmp

Filesize
484KB

Download
memory/1716-159-0x0000000000320000-0x0000000000399000-memory.dmp

Filesize
484KB

Download
memory/1868-412-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1868-50-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/1936-139-0x0000000000340000-0x00000000003B9000-memory.dmp

Filesize
484KB

Download
memory/1936-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1936-398-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1936-144-0x0000000000340000-0x00000000003B9000-memory.dmp

Filesize
484KB

Download
memory/1996-370-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1996-232-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1996-233-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/2052-306-0x0000000000260000-0x00000000002D9000-memory.dmp

Filesize
484KB

Download
memory/2052-362-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2052-321-0x0000000000260000-0x00000000002D9000-memory.dmp

Filesize
484KB

Download
memory/2052-297-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2096-13-0x0000000002040000-0x00000000020B9000-memory.dmp

Filesize
484KB

Download
memory/2096-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2096-404-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-363-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-332-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/2116-317-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2116-325-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/2228-224-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2228-410-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2228-226-0x0000000002010000-0x0000000002089000-memory.dmp

Filesize
484KB

Download
memory/2228-225-0x0000000002010000-0x0000000002089000-memory.dmp

Filesize
484KB

Download
memory/2244-227-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2244-228-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/2244-229-0x0000000000300000-0x0000000000379000-memory.dmp

Filesize
484KB

Download
memory/2244-379-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-18-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-403-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-400-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2484-263-0x00000000006E0000-0x0000000000759000-memory.dmp

Filesize
484KB

Download
memory/2484-406-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2484-405-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2484-253-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2484-262-0x00000000006E0000-0x0000000000759000-memory.dmp

Filesize
484KB

Download
memory/2560-361-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-359-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-315-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-316-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/2560-323-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/2620-103-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/2620-104-0x0000000000250000-0x00000000002C9000-memory.dmp

Filesize
484KB

Download
memory/2620-91-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2620-386-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2620-384-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2640-388-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2640-385-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2640-90-0x00000000002D0000-0x0000000000349000-memory.dmp

Filesize
484KB

Download
memory/2680-383-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-76-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/2744-390-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-394-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2744-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2748-339-0x0000000000260000-0x00000000002D9000-memory.dmp

Filesize
484KB

Download
memory/2748-340-0x0000000000260000-0x00000000002D9000-memory.dmp

Filesize
484KB

Download
memory/2748-355-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2748-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2748-333-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2912-392-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2912-56-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3020-393-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3020-354-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3020-367-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3052-377-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3052-274-0x0000000001FE0000-0x0000000002059000-memory.dmp

Filesize
484KB

Download
memory/3052-273-0x0000000001FE0000-0x0000000002059000-memory.dmp

Filesize
484KB

Download
memory/3052-268-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads