berbew | f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
Size

91KB
MD5

ead871a4b0d022146df8337e9b5bba90
SHA1

f2e0807c244d7840f06351694961ba82651a0a6d
SHA256

f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237
SHA512

1cf825c84baebdb9497049ed5c5cee78fe150e8bd2e98b88e7215622f0d41a4efd39a95521ad17ddac63ec0d77f4b23bb929104c0c930a6a5e00f17cecb47169
SSDEEP

1536:cxkDBwE7v/F5nCppMppppppppppppppqppppppp3pppppDQTE24C3SlLBsLnVLdq:/rv/F5nSDC3SlLBsLnVUUHyNwtN4/nEi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4600	Nfjjppmm.exe
632	Oponmilc.exe
2060	Ocnjidkf.exe
1020	Oflgep32.exe
768	Ojgbfocc.exe
4384	Ocpgod32.exe
4476	Ojjolnaq.exe
2360	Opdghh32.exe
4544	Ognpebpj.exe
4284	Ojllan32.exe
3616	Olkhmi32.exe
2376	Ocdqjceo.exe
2904	Ojoign32.exe
3088	Oqhacgdh.exe
448	Ogbipa32.exe
2212	Pmoahijl.exe
5048	Pgefeajb.exe
1720	Pjcbbmif.exe
3548	Pqmjog32.exe
1520	Pfjcgn32.exe
4136	Pmdkch32.exe
4768	Pgioqq32.exe
4812	Pncgmkmj.exe
2548	Pcppfaka.exe
2396	Pjjhbl32.exe
1040	Pmidog32.exe
4372	Pdpmpdbd.exe
4904	Pfaigm32.exe
1664	Qnhahj32.exe
4428	Qceiaa32.exe
60	Qnjnnj32.exe
4992	Qffbbldm.exe
3996	Ageolo32.exe
4484	Ambgef32.exe
2712	Afjlnk32.exe
3236	Aqppkd32.exe
3524	Ajhddjfn.exe
440	Acqimo32.exe
4380	Anfmjhmd.exe
316	Accfbokl.exe
3044	Bebblb32.exe
3772	Bfdodjhm.exe
1968	Bmngqdpj.exe
1812	Bmpcfdmg.exe
1716	Beglgani.exe
3884	Bfhhoi32.exe
3728	Banllbdn.exe
3636	Bfkedibe.exe
4184	Belebq32.exe
4420	Cfmajipb.exe
1776	Cenahpha.exe
1792	Cjkjpgfi.exe
2940	Caebma32.exe
2248	Chokikeb.exe
3620	Cagobalc.exe
2332	Cajlhqjp.exe
3148	Chcddk32.exe
3576	Dhfajjoj.exe
3764	Danecp32.exe
724	Dobfld32.exe
800	Daqbip32.exe
4696	Dhkjej32.exe
1928	Dodbbdbb.exe
3700	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ojoign32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Oponmilc.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Ojoign32.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Opdghh32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ocpgod32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1096	2152	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oponmilc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqckln32.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 4600	1116	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe	83
PID 1116 wrote to memory of 4600	1116	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe	83
PID 1116 wrote to memory of 4600	1116	f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe	83
PID 4600 wrote to memory of 632	4600	Nfjjppmm.exe	84
PID 4600 wrote to memory of 632	4600	Nfjjppmm.exe	84
PID 4600 wrote to memory of 632	4600	Nfjjppmm.exe	84
PID 632 wrote to memory of 2060	632	Oponmilc.exe	85
PID 632 wrote to memory of 2060	632	Oponmilc.exe	85
PID 632 wrote to memory of 2060	632	Oponmilc.exe	85
PID 2060 wrote to memory of 1020	2060	Ocnjidkf.exe	86
PID 2060 wrote to memory of 1020	2060	Ocnjidkf.exe	86
PID 2060 wrote to memory of 1020	2060	Ocnjidkf.exe	86
PID 1020 wrote to memory of 768	1020	Oflgep32.exe	87
PID 1020 wrote to memory of 768	1020	Oflgep32.exe	87
PID 1020 wrote to memory of 768	1020	Oflgep32.exe	87
PID 768 wrote to memory of 4384	768	Ojgbfocc.exe	88
PID 768 wrote to memory of 4384	768	Ojgbfocc.exe	88
PID 768 wrote to memory of 4384	768	Ojgbfocc.exe	88
PID 4384 wrote to memory of 4476	4384	Ocpgod32.exe	89
PID 4384 wrote to memory of 4476	4384	Ocpgod32.exe	89
PID 4384 wrote to memory of 4476	4384	Ocpgod32.exe	89
PID 4476 wrote to memory of 2360	4476	Ojjolnaq.exe	90
PID 4476 wrote to memory of 2360	4476	Ojjolnaq.exe	90
PID 4476 wrote to memory of 2360	4476	Ojjolnaq.exe	90
PID 2360 wrote to memory of 4544	2360	Opdghh32.exe	91
PID 2360 wrote to memory of 4544	2360	Opdghh32.exe	91
PID 2360 wrote to memory of 4544	2360	Opdghh32.exe	91
PID 4544 wrote to memory of 4284	4544	Ognpebpj.exe	92
PID 4544 wrote to memory of 4284	4544	Ognpebpj.exe	92
PID 4544 wrote to memory of 4284	4544	Ognpebpj.exe	92
PID 4284 wrote to memory of 3616	4284	Ojllan32.exe	93
PID 4284 wrote to memory of 3616	4284	Ojllan32.exe	93
PID 4284 wrote to memory of 3616	4284	Ojllan32.exe	93
PID 3616 wrote to memory of 2376	3616	Olkhmi32.exe	94
PID 3616 wrote to memory of 2376	3616	Olkhmi32.exe	94
PID 3616 wrote to memory of 2376	3616	Olkhmi32.exe	94
PID 2376 wrote to memory of 2904	2376	Ocdqjceo.exe	95
PID 2376 wrote to memory of 2904	2376	Ocdqjceo.exe	95
PID 2376 wrote to memory of 2904	2376	Ocdqjceo.exe	95
PID 2904 wrote to memory of 3088	2904	Ojoign32.exe	96
PID 2904 wrote to memory of 3088	2904	Ojoign32.exe	96
PID 2904 wrote to memory of 3088	2904	Ojoign32.exe	96
PID 3088 wrote to memory of 448	3088	Oqhacgdh.exe	97
PID 3088 wrote to memory of 448	3088	Oqhacgdh.exe	97
PID 3088 wrote to memory of 448	3088	Oqhacgdh.exe	97
PID 448 wrote to memory of 2212	448	Ogbipa32.exe	98
PID 448 wrote to memory of 2212	448	Ogbipa32.exe	98
PID 448 wrote to memory of 2212	448	Ogbipa32.exe	98
PID 2212 wrote to memory of 5048	2212	Pmoahijl.exe	99
PID 2212 wrote to memory of 5048	2212	Pmoahijl.exe	99
PID 2212 wrote to memory of 5048	2212	Pmoahijl.exe	99
PID 5048 wrote to memory of 1720	5048	Pgefeajb.exe	100
PID 5048 wrote to memory of 1720	5048	Pgefeajb.exe	100
PID 5048 wrote to memory of 1720	5048	Pgefeajb.exe	100
PID 1720 wrote to memory of 3548	1720	Pjcbbmif.exe	101
PID 1720 wrote to memory of 3548	1720	Pjcbbmif.exe	101
PID 1720 wrote to memory of 3548	1720	Pjcbbmif.exe	101
PID 3548 wrote to memory of 1520	3548	Pqmjog32.exe	102
PID 3548 wrote to memory of 1520	3548	Pqmjog32.exe	102
PID 3548 wrote to memory of 1520	3548	Pqmjog32.exe	102
PID 1520 wrote to memory of 4136	1520	Pfjcgn32.exe	103
PID 1520 wrote to memory of 4136	1520	Pfjcgn32.exe	103
PID 1520 wrote to memory of 4136	1520	Pfjcgn32.exe	103
PID 4136 wrote to memory of 4768	4136	Pmdkch32.exe	104

C:\Users\Admin\AppData\Local\Temp\f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe
"C:\Users\Admin\AppData\Local\Temp\f916cb2790fc58742d76213bfd9f175506be1e2f2f0234582c67858f0edbd237N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\Nfjjppmm.exe
  C:\Windows\system32\Nfjjppmm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\Oponmilc.exe
    C:\Windows\system32\Oponmilc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\Ocnjidkf.exe
      C:\Windows\system32\Ocnjidkf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3148
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3764
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 404
        67⤵
        Program crash
        
        PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2152 -ip 2152
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
91KB

MD5
0db57b4fe183fcb3d185cb4ceeb4fa7f

SHA1
1828af00c417a985f0b9ed3f26257f6c39961a75

SHA256
04fbf8aa88790fc18b3045a6f673ee961a2959a553499e7ebd11634946d4b5bf

SHA512
12093d8becac318da1628e33c926fdc78acc22db36c9dead7b5ba874322725be68838d71532b4c48b40e178a5dc39a1197be900ac6df7bab9fe9d3f9235d1db3

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
91KB

MD5
974b3a9dbf8ae3a750ac5f324d7b08a3

SHA1
455ef9274d4c13b62385a703cc09b6828adf395f

SHA256
fdc734bb5a2d87975431ae1f7c121296248264ea00cdba68ce3f570798dd34c4

SHA512
bbae22e9977d1a62aa85c7198e39b0684d7ebd9a5c3c2a47004e53b30088c2ae7972ca782add76cf7af6195b5becd6caf05dc5b4cae2672e1f74a33d4e4fdb96

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
91KB

MD5
f8afba69d97c69dd382ed0d4bbf78121

SHA1
ef53d7913d548780a6c26de24c97325037f9e850

SHA256
5c178a744ab9cd4a66d4e3bbde3df94046018174b90bc448ef110f2596f088e2

SHA512
e3f79ea00015ee68c3217a2a7979eaf22c51a8de132178596338a553b789d57d2b5771bde2a14f2ee76ab7e7d4748fdc7de83d1e7af70b07785bc58d65e1faff

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
91KB

MD5
380925a07445ed94e28523b9d603255b

SHA1
61f19c7cb079b7d7f53679f7b59bea6b65b5aba4

SHA256
5a2c303096c19faf05ce2feece9ad89f2ccff81647b5fa01d2add7c20bc57a9f

SHA512
931edfa3cb9a73bf012137e133e332377922cfb88b85f8ab88e136ec2a652a5c6c1334cf2c46eb6c02f8f7f96bd21ab09fd4110e9611f9ea97b5b4f053a1e7ac

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
91KB

MD5
a8618459bc4db2bd4d48b3c4a12b4b52

SHA1
2b25f7db5b29bbdad5d9154b612167337fde306e

SHA256
a4bfed912aae3decbbd57b2d5a6fb437bc9a40f2a726ee5db8f81ea4b542d21c

SHA512
6a6b0e58b2776453aa10e2643765b5c61b5e8262da413953028fe4361c34e3a2aa52d47b9568db2aefbbb311d7e205699ba09413b00659f8f711a59dc08100ca

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
91KB

MD5
5b8d8825031e91f1d5ff3639bb21fadf

SHA1
20ac64ac93dd8502e722c4c22318044dd6dd070d

SHA256
631c92c859fca46c6aa870023d572cf996fce7ac957be4757c372844f7f38f44

SHA512
cdc04f38553c0d9db1a0f29e5f19440bb51f3e7b9eafde5ea03b606336d0d54bf6a6449127b884787e50d35747071a9118164acfa29624909621b490cb4b7ee3

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
91KB

MD5
fa476ee929744ab450dc1e71932e53e5

SHA1
1b93abee29a62907c97155b5734fd740e161e55d

SHA256
904066ecb973e6221115d1f6c76fc993469de5426603a1d93e6ab71ca2338194

SHA512
19b572ce0ff3554ce00b2c14024d61a101b5ccba0c4872cd2a1d948c1618e3124e08a2873c4e7b2978ccb3f4945851b88482727a604a3c4768ec0ed78f2f50cc

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
91KB

MD5
04ab510a3082ddf788065f3d279e5889

SHA1
048321d48658c6585a30f3362b49da4b90485b4c

SHA256
d7fc8fe699facc58249fe377118b7053ee72179f5b44194ec4f49bed6e46ec93

SHA512
cf5b6cf5c862ca94498128996fe4c994d08b9f39098f7188e2a4c7fad9b6076641b89d062e98ce3739e7f802ed7a70a8d232f2d1e6141fb9e602efdacccd6d26

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
91KB

MD5
a537905364d278300e76d86237f04b1b

SHA1
4208a3167b11b3eeee2a8f079918a3b04c698d40

SHA256
04dcfccc603093a9d7753c2171720e8519a2d5b227b2e551ff345ae9360274f0

SHA512
847bb24b40e8ba0c2a0f6b16a3fb424b7f6f7849749346797a3e87eb9dbbe88b6188a50e8c7823a9aee04aa2fb4cc1048d6c974598f2bc8ff13ba2ea99690992

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
91KB

MD5
eb50d3f835ba2a4d118c00fa964a4867

SHA1
35e3208edbdecdd679cd50468fe9e46789d339ce

SHA256
fc98edbe188d16d1a9d025cf3f7301db540ad49dbef628b2f2ab5e2a02c9dc34

SHA512
0efbed3490fa3d43334c91e267a4d215979c1647939de6651c76499c00ed66e38bb994429eaa3a91774394c3828eb2b7c68a5280f001bb63eddd94a40460f438

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
91KB

MD5
6486328f7f8ab402fbcd0ce4e30ac7ad

SHA1
7511b5d96a391ead7a45554743e043899324766d

SHA256
aee22be9f4ad3c94babfd09582f79a24ad4322ce518914d547769c3229acc29f

SHA512
0dc714b2b05e2ca87ee0b9b642b0d3ffda555206d6f3b485adfe24ef22ec412a1531040204629024493fff90cadbb1866efca07bf06ab0b303a921ef5ea03253

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
91KB

MD5
1ca482266848a2c08b3885596cb25abc

SHA1
ed75d1f5468c425cfbebacba6f592d0af75a565e

SHA256
d03d6ed635802cb2e539931f38f7c6edc125280fbeb18a0ccb3bd455a42dd20a

SHA512
c4277da789bcf1aebfb8da0908441592df6d75ad13edb77871f977c360efe34a208326cb6efee66c31fc59473ddbeba470a9686462f635a60566014262d4bb55

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
91KB

MD5
de5ad34976be56caa01272786b0af091

SHA1
e7aa9d7975347803c796b85cb152f1b4d5a42a0a

SHA256
b3ec4162dd314d61aba606440142d01a8c7242081d722aa98bca989ab04713c6

SHA512
4a89c85a1db238ce9576d61f3ef38dfbf1e9ea8aceb82f5c0ef0cdf3109edde34e52364ca2d90f88edb49575ca66e59ac04542d9d5366d7ebfc11c1630006e34

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
91KB

MD5
91bc658727030571d2a018a3d6c98f66

SHA1
41527f4a5759f1ba597b236be2a8dc8718ce5e56

SHA256
7fb0e7648debecefb564e9f04aff7f3d98a3d221d7be81aa9ffc36b5a1a292c1

SHA512
c7fba9fc41977e349889f3aeed1c6d5b0bc8e04568095b508dace2bf1b5213ee09bf64fe834c67a4ebdec5d5990739a3dce588d818e8fb9b8d50aa2f601f7333

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
91KB

MD5
3f92c06f2b1506f5da106afeb062e2bf

SHA1
cdd15f480e8fc19c46a1a23da4f5bb9e7594df37

SHA256
8a9fa6e01c7c1c33577da92dc11d2874534c620d11c05c1de02e052635b46c39

SHA512
cc9f7189647371ba56168d519308f6ab92e8525ab1bee288150c587effb6e4c6e853033b494275739d4f44aa6a6168839f9c5fa39e9d91b6ef0cec5cc462ecd0

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
91KB

MD5
f005fa8585f876171f041c7cf64fda14

SHA1
1bb20e97d11b3832e50144da489094043cc31c7c

SHA256
dbd26d1ffbd771af04c9c48f2f321ee11a0520defd67da3db8b7be693f63edf9

SHA512
6d9bb83fa15804684d5d35c56d836db6dfb8f9fc1727548f9638216cfa3a74c2fc699739a9592ed477548b3125ca4e70adf9be923268882274dc12d69bd50014

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
91KB

MD5
401f0a58177ac65282543e57b0fcea95

SHA1
59be553a13f77ccef996efd84006901152a92b5d

SHA256
14af98385a7fb9be5ad5174226d195ff6394f18703915fdf34580adc04405950

SHA512
d13cbcaf26add7f89b6c2a04c8c854a7e7082e1a2ad5d054eeb96cda04cd5fb0d7e7560435b097e79639f683f680db698f3078e469abd2651fa79c17bb540b6e

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
91KB

MD5
0a4908503023255582852fca26ccf1e9

SHA1
94be9442a5916171ea48f7196614fc65a4edf290

SHA256
3891d576a590b494773bfbb76ef693196ae13e876c6c46a0ca5d8060ccfaa109

SHA512
9aea4c8ce7376c13464057084fe6edd530b623d8f63eb4a616aa4a086ac4897b778bff7839ed550802996a78387fa99bdb68eaacf052e0944a176f71dbb849a3

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
91KB

MD5
cda12db6143e7fb8d87943f142d7d62d

SHA1
681d1afe5e34cd002c43a19d018e51011ea5e357

SHA256
88cf068ff64d9b6cbcd069352fd95b0261dbb23b183207d64a7831f36ffee957

SHA512
c08d40e2a7b7e21d16deca72b9911b4f442cbf495dbcc89c86195c0fc573d68dc7f8bcfdf8b9ebacfcb90d8256069bf927a79aeeea4a9bcb5de9521a96f41f4d

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
91KB

MD5
d9e12cc76f64ee681c2841602addf41d

SHA1
7bb2ead1749c277aceb818abde16fcdb7ecbbfb1

SHA256
1db1ba5eb84a09dff14055fef11eab0e57e634941028bcfb5f27b3177bbd6e15

SHA512
9a49c2b7c392bac678de42f4eddc4ec6530ad0ef8feaaf3e24753f16919d2609839cab5fc7eee0f37deb36cce3b219e40ef85b8a66e7bb079355fd6841c07261

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
91KB

MD5
a4979d74f536819ac1d82bc2a947cb19

SHA1
fb8db3d3d266e78a32d352d950cfbcdb919a3a01

SHA256
474b968bb74a0f1ffbd606120f6bb23d817336cdf05306c6db5eabcf3644cb8b

SHA512
7fa42fdc22190bc65a9d702eaac80fdd9380c021bf38a74d94d198d0a566050d476cab68e7e612bda83f02fbd8974eb878c577ba25e5ed2471006aa192f2d22e

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
91KB

MD5
d103ab331e70f766df3cde1d7fbbb322

SHA1
4823c8dee1c50237cf23c29926f775382211e312

SHA256
05b735ec400b81915f0b8152d2b6f555b2e28b2011dca34e3439df60c697c646

SHA512
ae6864e0e07d9f008041474fb276076f79ab2c3bb087a17f0ce35532d9494351a676442e8d393dbfc071ab9599a444dc7f51c10bdfa21d2e2d5ec6d688997eec

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
91KB

MD5
f3bafa55a1f4715a483e3d311b73e8ec

SHA1
7d76376974b7171597a414f9894eba96070625c8

SHA256
ae54231f23305cad8d6f0a9cfd992cbdebc1cc16adeeabd77c4b8ed355b4eca3

SHA512
d241feabfee021df3edb75044a73903959e052a236dba40592be7b3a7a6b5e027d176d1081995430206145e42c2ff932b7e7d399a0fcbea25f2eb6c2bef08afb

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
91KB

MD5
8e0557de9203fedc3170ef05e2b5c655

SHA1
f66306a25997c50333c894974fad920cb4db9ccc

SHA256
324150f2043db6b68ebe67e1e5d2e69c28b12fbcfe414af966b94c7781069558

SHA512
5d35e181c8f3c2494dcc5f0bfab346968fa4dce4f8b52bf1d040594d88c7bf4842da597bc31620a1be34cadfbba307f10e03c02c2e8f8c8bcd8234b90403c6ee

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
91KB

MD5
20f29f57060416897df03a13152136cc

SHA1
c99636f2c031ac9231ad7d0f3d2b07e6b0f6585b

SHA256
36e7dec29e2a013005dade3735b282f081ecbada4e6fda27ecbfe7dd0ad9b4a5

SHA512
1e04316f500dfa215309c6ccc47a7e52c1e7fdff2d750e03a67b4a213ff3f83cfe791726d5f6ad63d8b4eb45f456c3f10bc0e2485d2b8286a7292fd24ef40145

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
91KB

MD5
013212e5db8c19a137505ea0d004c3d7

SHA1
a8abff33b3f25c0d5e03a991f4bf19a91758420a

SHA256
898f7e58adeabb22144729ce51ffeb802f2b356a802f3b4907bb5eb45db2cc50

SHA512
545900369b9ac881c1b25eb3e31adfd5b8e9dc2c000106c6e44f66f02c0bfa7559782265dcf4c16e1192e411ce5554bfae5bdd9fd7b491b116c37d6943fa9b61

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
91KB

MD5
4a15885b5ed54d8182a0555e9fce883f

SHA1
4253962c15e38a0f2412de8a6dab41f657c909f5

SHA256
61d57c6e15a4947b9d9691e9844247c2c055d1b8f1df4ba974b5e627eb80de91

SHA512
7c5488020c3309b47d1b99dc14d49f5c6fa0da9e19848e125fb1c20ed4f89320b3ff38737713871b6adf7b61b5792ff081beb5393a585c5f85c52adb51992b94

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
91KB

MD5
1ae1622571ff6eedcdc559603154aeed

SHA1
ba8b964f7cf2028a154e47cc743cb21b103576cc

SHA256
55bb134e6279af17c150d4ca8178ce9bbce94013c8190132e3870ed23c338d37

SHA512
98e2daaa22faf8512598a4000b1c54cc1f3ca08c925639acd461ae30f2046f4b76378352eab6351f0564b129ab93bdb45afcbb98b4f7eebf9d4e4e5b51765a02

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
91KB

MD5
4d0d3f6e82ba8f9fdc57ab6dc274941f

SHA1
1a1fec578211513df6e1cafa5fe91f55f4de2fe5

SHA256
0699844d3c6258cf5be127b559457a496ea15e6bfdf4e71ed6c3a975e5c206c3

SHA512
1352c80dc56d17c36aa1c74ac025cf85a0c222f683aab9224d162aa1d1d4badbd213621a85935e91eecd073f487a8fb2455f78fb73c038362e03969396c7640f

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
91KB

MD5
37b47c0b3ac978efa94d9969042a36d6

SHA1
c61c1bb1061516d37225db47c862bac94cec32db

SHA256
47e541efe36fe61dc77d537809bf5c58a3ca0cb5f1cbcbc36e98b776235a0ee7

SHA512
b7782afc9daf459d19254e60d56a506c0ce3c3b84fa394284fba107bf8053bd24396c19a491908d063d1279db6a9c6fe993e9c10213d93d5facb6918886d7b26

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
91KB

MD5
4f3bbaa152de21403ad7afbc214dbe44

SHA1
9a5d8bc25640b3d6ea4e2add7b89156d7dae5992

SHA256
212faf7fb60de1cde38c0efd40e5adc10d770ef346138f5c72405130dc101814

SHA512
f92e8158c4558cf41ea7c2ab72eccd18d8a8065b25ffaee406311bdf0e07259b33fa693c2887df00ae480add7cd7545a87d63273801a63974efd2f91b8478457

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
91KB

MD5
082d504ec697d2f4dac6dced4c6c2803

SHA1
6630cb3372f4957de8f347cea9686803220d495b

SHA256
084746cb51b5e0c32294e3587121757967cac4709984d3039508a6a1499dbd31

SHA512
2c6f73bd896a13c00f7b73f0d0b167eb05f1db341c2f79614604feb3c41f7d26f6b9b3189056775445ad0d306a2737af11b415b170519b7bc404d99bce7a08f3

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
91KB

MD5
983a5db82545a4b644db7d3dd2859784

SHA1
a325023bbf21ec38f65a2efae7625a2aab24fff5

SHA256
b0823f5e7cc750cda56dbc0cf296de00ef0963524b23143ba465d0bb47770e7b

SHA512
834ea5f7c0f36c3c361f90b2d6453b62c712a693c47307e72b700d5eedd78e3a0d224001e4fbd220be25b8ea5a7ca7cee53b1f18582b7e686c3b13d43f8cba1b

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
91KB

MD5
360fb76c0837bb965d01bbcf681845b1

SHA1
7957d87baa9032028e90cafdb025d3447ab7d82f

SHA256
78cfeb3eade30327f30972291d6d3ba0cf26736096d50c1a46ca5d35d0a64d96

SHA512
94d235da49d2d383f100ba486cf66bea77b33ee700179967442e3028b04b4dbc9dada392d618b2162123c92c6e898df7d8e6288faca24cca8fad0c042843fbea

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
91KB

MD5
3cba55fa314a21dae8770dfecd34d321

SHA1
24321375bcd9bb5087fdbc86f47c5e5346fd2f8a

SHA256
62e805e9b371e500b01146ff4d310afe4c66b7637efe69285da1e0d6992fff07

SHA512
e3bb8af7e7f073d909a67f8b648c94e284b850c71cdbff13618654cdb10ba334a74be8629da24c3e900dfd650218f7e7754f19c7124495b0883fb35643638dd2

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
91KB

MD5
a2d8f77d7dd923896325684db360bb91

SHA1
9ac8fd9a7ec6b5bccca23169746349823a0a1775

SHA256
4286cd04adadcce1dea717f1ef3ae96f14b2e7a1c7ddcaa177ef61a5d3f090b9

SHA512
6aa67c91b6820fc07f9ef70aaf758c15e1ea211601257409fabcccbec16b927f357591e257e9340fe0e83ffaad334c7518fd67d684456718d27a8a1be4f6477e

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
91KB

MD5
b1d374056c52590dd92d40f04f5400b5

SHA1
1d54c715799831d3d8b15d3a5c6e98faf7746020

SHA256
194ba1d9c71d426de7776420c8aef413ffc6c775606d32729a13f130e24ffaef

SHA512
e684c70de8e57f382eac2a8adf371e0a4d9de1e2e637c954d86afd8d7b7bd3f1bf81008060c841461b5ce9f1c2b1d9b9c7fe22f4a494953e27638eebda1ba862

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
91KB

MD5
ffc1d2c26a546d3b6f6308cfb3272978

SHA1
c230678592f2b4dd5502933d74135fa7e8a702cd

SHA256
8132e1ad786ffd53268bccee38fa259ec9c2d2d70b7bd0ce2c560d5fbeb1ad6a

SHA512
841e47df03e51a26a7f64c36b436e19b0405d85b7d40b63bb510393057890e3198ac31b6b29169d00693fa6c7899fa0773c31e81b95198ddfe8f2495cd31f5df

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
91KB

MD5
b40e0c60706c4b90e43c1b20dbfb8bd7

SHA1
e8153696ba06d9c2de4f2506b34df7eeed1e864b

SHA256
c538f94b9cbba400e53f5243525f3cf8d6f7e0b9e70af7f100d0bd1804a5548c

SHA512
95a773822e69afbebcf2e69730c9244e0d09a359a56a6708356299081796633fe806ac04bc13f3b6b6d3a060eae5b08df5fa070ecf42be64f5472cbddb0fa024

Download Submit
memory/60-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/316-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/440-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/632-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/724-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/800-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1520-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-231-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1720-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1776-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-481-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-442-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-460-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1968-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2060-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-454-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2332-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2712-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3088-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3524-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3548-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3576-469-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3616-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3620-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3700-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3728-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3764-467-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3772-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4136-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4284-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4384-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4476-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4600-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4768-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4904-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5048-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads