berbew | fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
Size

89KB
MD5

e42a451935333391e31cb687fd6523cb
SHA1

dccfe665c31ef2f6ae6d56ebb83b8cdd27675532
SHA256

fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba
SHA512

2a66bb665cc32c85b54095642e30fb164181688917b4932a7f1d14d79d91f3fd2291f386a131d80ddb4f7f3b822d0354c59c8cbaeb5dce93ccf056369fead3e1
SSDEEP

1536:GiIMtNSDvm/7NX51/gdIej+H1j3LOQEDHy47WiNLiOWhpc3lExkg8Fk:G5Movm/ZTYJqRq1+QW/c3lakgwk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3244	Nfgmjqop.exe
1732	Npmagine.exe
4840	Nfjjppmm.exe
2356	Oponmilc.exe
4680	Ojgbfocc.exe
4260	Opakbi32.exe
1876	Ofnckp32.exe
3728	Oneklm32.exe
3744	Odocigqg.exe
2144	Ognpebpj.exe
3124	Onhhamgg.exe
1472	Ogpmjb32.exe
1788	Olmeci32.exe
3168	Oddmdf32.exe
5048	Ogbipa32.exe
4780	Pnlaml32.exe
3916	Pcijeb32.exe
4856	Pjcbbmif.exe
2388	Pclgkb32.exe
1600	Pnakhkol.exe
2508	Pdkcde32.exe
4932	Pgioqq32.exe
3068	Pjhlml32.exe
1616	Pmfhig32.exe
5104	Pdmpje32.exe
1688	Pfolbmje.exe
3472	Pmidog32.exe
832	Pqdqof32.exe
1016	Pcbmka32.exe
2128	Pjmehkqk.exe
4564	Qqfmde32.exe
3028	Qfcfml32.exe
4496	Qddfkd32.exe
3556	Ajanck32.exe
2908	Aqkgpedc.exe
2424	Adgbpc32.exe
444	Ageolo32.exe
4388	Anogiicl.exe
4280	Aeiofcji.exe
2200	Amddjegd.exe
4416	Aeklkchg.exe
1780	Ajhddjfn.exe
2112	Amgapeea.exe
1484	Afoeiklb.exe
2412	Aminee32.exe
2820	Bnhjohkb.exe
4468	Bcebhoii.exe
4864	Bmngqdpj.exe
2340	Bgcknmop.exe
3316	Bjagjhnc.exe
1088	Balpgb32.exe
4212	Bgehcmmm.exe
1668	Bnpppgdj.exe
5024	Beihma32.exe
772	Bjfaeh32.exe
3092	Bnbmefbg.exe
4112	Bcoenmao.exe
1772	Cfmajipb.exe
3148	Cmgjgcgo.exe
464	Cdabcm32.exe
4012	Chmndlge.exe
2688	Cmiflbel.exe
1516	Chokikeb.exe
2184	Cfbkeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Odocigqg.exe	Oneklm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Oddmdf32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Pcijeb32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
880	4528	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojgbfocc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdkpdef.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Ojgbfocc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oponmilc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcbnbmg.dll"	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaqqh32.dll"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3244	3736	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe	83
PID 3736 wrote to memory of 3244	3736	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe	83
PID 3736 wrote to memory of 3244	3736	fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe	83
PID 3244 wrote to memory of 1732	3244	Nfgmjqop.exe	84
PID 3244 wrote to memory of 1732	3244	Nfgmjqop.exe	84
PID 3244 wrote to memory of 1732	3244	Nfgmjqop.exe	84
PID 1732 wrote to memory of 4840	1732	Npmagine.exe	85
PID 1732 wrote to memory of 4840	1732	Npmagine.exe	85
PID 1732 wrote to memory of 4840	1732	Npmagine.exe	85
PID 4840 wrote to memory of 2356	4840	Nfjjppmm.exe	86
PID 4840 wrote to memory of 2356	4840	Nfjjppmm.exe	86
PID 4840 wrote to memory of 2356	4840	Nfjjppmm.exe	86
PID 2356 wrote to memory of 4680	2356	Oponmilc.exe	87
PID 2356 wrote to memory of 4680	2356	Oponmilc.exe	87
PID 2356 wrote to memory of 4680	2356	Oponmilc.exe	87
PID 4680 wrote to memory of 4260	4680	Ojgbfocc.exe	88
PID 4680 wrote to memory of 4260	4680	Ojgbfocc.exe	88
PID 4680 wrote to memory of 4260	4680	Ojgbfocc.exe	88
PID 4260 wrote to memory of 1876	4260	Opakbi32.exe	89
PID 4260 wrote to memory of 1876	4260	Opakbi32.exe	89
PID 4260 wrote to memory of 1876	4260	Opakbi32.exe	89
PID 1876 wrote to memory of 3728	1876	Ofnckp32.exe	90
PID 1876 wrote to memory of 3728	1876	Ofnckp32.exe	90
PID 1876 wrote to memory of 3728	1876	Ofnckp32.exe	90
PID 3728 wrote to memory of 3744	3728	Oneklm32.exe	91
PID 3728 wrote to memory of 3744	3728	Oneklm32.exe	91
PID 3728 wrote to memory of 3744	3728	Oneklm32.exe	91
PID 3744 wrote to memory of 2144	3744	Odocigqg.exe	92
PID 3744 wrote to memory of 2144	3744	Odocigqg.exe	92
PID 3744 wrote to memory of 2144	3744	Odocigqg.exe	92
PID 2144 wrote to memory of 3124	2144	Ognpebpj.exe	93
PID 2144 wrote to memory of 3124	2144	Ognpebpj.exe	93
PID 2144 wrote to memory of 3124	2144	Ognpebpj.exe	93
PID 3124 wrote to memory of 1472	3124	Onhhamgg.exe	94
PID 3124 wrote to memory of 1472	3124	Onhhamgg.exe	94
PID 3124 wrote to memory of 1472	3124	Onhhamgg.exe	94
PID 1472 wrote to memory of 1788	1472	Ogpmjb32.exe	95
PID 1472 wrote to memory of 1788	1472	Ogpmjb32.exe	95
PID 1472 wrote to memory of 1788	1472	Ogpmjb32.exe	95
PID 1788 wrote to memory of 3168	1788	Olmeci32.exe	96
PID 1788 wrote to memory of 3168	1788	Olmeci32.exe	96
PID 1788 wrote to memory of 3168	1788	Olmeci32.exe	96
PID 3168 wrote to memory of 5048	3168	Oddmdf32.exe	97
PID 3168 wrote to memory of 5048	3168	Oddmdf32.exe	97
PID 3168 wrote to memory of 5048	3168	Oddmdf32.exe	97
PID 5048 wrote to memory of 4780	5048	Ogbipa32.exe	98
PID 5048 wrote to memory of 4780	5048	Ogbipa32.exe	98
PID 5048 wrote to memory of 4780	5048	Ogbipa32.exe	98
PID 4780 wrote to memory of 3916	4780	Pnlaml32.exe	99
PID 4780 wrote to memory of 3916	4780	Pnlaml32.exe	99
PID 4780 wrote to memory of 3916	4780	Pnlaml32.exe	99
PID 3916 wrote to memory of 4856	3916	Pcijeb32.exe	100
PID 3916 wrote to memory of 4856	3916	Pcijeb32.exe	100
PID 3916 wrote to memory of 4856	3916	Pcijeb32.exe	100
PID 4856 wrote to memory of 2388	4856	Pjcbbmif.exe	101
PID 4856 wrote to memory of 2388	4856	Pjcbbmif.exe	101
PID 4856 wrote to memory of 2388	4856	Pjcbbmif.exe	101
PID 2388 wrote to memory of 1600	2388	Pclgkb32.exe	102
PID 2388 wrote to memory of 1600	2388	Pclgkb32.exe	102
PID 2388 wrote to memory of 1600	2388	Pclgkb32.exe	102
PID 1600 wrote to memory of 2508	1600	Pnakhkol.exe	103
PID 1600 wrote to memory of 2508	1600	Pnakhkol.exe	103
PID 1600 wrote to memory of 2508	1600	Pnakhkol.exe	103
PID 2508 wrote to memory of 4932	2508	Pdkcde32.exe	104

C:\Users\Admin\AppData\Local\Temp\fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe
"C:\Users\Admin\AppData\Local\Temp\fb764126886392792ce5444170b9b67404a8db1f58db54cacfccab00e3e921ba.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SysWOW64\Npmagine.exe
    C:\Windows\system32\Npmagine.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\Nfjjppmm.exe
      C:\Windows\system32\Nfjjppmm.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3316
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        52⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1188
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:436
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 416
        81⤵
        Program crash
        
        PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4528 -ip 4528
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
89KB

MD5
4706b4d1ec97202e5afdb8606ca835d7

SHA1
9c47fa4b7b510e57c24c7828d01f3348a03a73bb

SHA256
08739a5d6fe6dc688a822426bb5fce140af078472752a3e61815c0cc4fbb72dc

SHA512
f449fcec9d4eeaba452f3fc60b40811cb1b2764e5a8e19728e0957ea01a0697baaec5b81bfa5bfb053d94b7c1133610a8637a4611e6fe2fb5f7d71eb74381edb

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
89KB

MD5
9187eeb6bc073213a43cadac2b1fc135

SHA1
59501ec5e4dc64e3c211443c3ef86cf2d73c9b40

SHA256
52f47d7da66937f5f955f3d8c903ccfaed470c63c08bc824debc7f54608f181e

SHA512
8a541975bad361e84a9516d2097c1c3ed1bf8a9cea722449670d6444200d23bbda2fd4961d99c14e545618537d1c2f00b73ffab7d27865cb057f67d74a35d68c

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
89KB

MD5
6fdd68958b315eb209c543a29463c9df

SHA1
769cbb1705bc9b28490e7f36313abd42d1dfcf76

SHA256
40a43010758ee5fe674fd48b5ed0b04f77c84be8efbae90685482bfdb30aeb26

SHA512
9e78e4ca33b8f0b41299c484444a0191e0c37ff993e60f81d0f24849564d0e02a92602eb33cceb118a7e4ca3db8418593981c6d5c3f5820f51ba931ac78ba281

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
89KB

MD5
a5ae8d8216c96f7577d1ce891edd4812

SHA1
64a183d2b57af8c11eb9573db8a987a1ed665bec

SHA256
57c73663420e7199230651dd5a141dcb9977d2ae2deaefe40f9aef6beb913fe5

SHA512
eb8394bc553a4f2cff70946d2daa2e930b401dd5dd17332ced04ad4920f3ef3f34d2b49b830a2670d476a660ddf8bd7fda7ae2715104cdb4bd6e4debb73dd8eb

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
89KB

MD5
6647b756c77f5cf753c6856494849251

SHA1
f6ebf89866bee5b029ea983849cb9aa1e931c8ca

SHA256
47967aa5168d719b95f228d19150511ce1bc5f439cd484dc1fabe1f7f96d2137

SHA512
b5f85596d4c3078889d5309cfc3af7256da4b06befed7f97dff02f4c9e3a6b1b2d6ade26656a3b8ae7271b5d39e21f775a71992a1496909d0fed6cda1766d904

Download Submit
C:\Windows\SysWOW64\Mnodjf32.dll

Filesize
7KB

MD5
b842b53d4772df04e20dc3d904391857

SHA1
ed3762a526acd9ee45a46f24352da4036b88d63e

SHA256
ee98d7d38b46383b5dd4ff972b626ce63b0ab29d0e082bf0e62ac39ea7faaee0

SHA512
5cab54ba90d1d46eccd0086dab175dfae954f0e022aa2ef45ef9bce89edbb9d8faebfe0a31ea527a68686f1cc47da87b9591efc346672b95e1d3e6f110f2159c

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
89KB

MD5
5be5b6fe3eba1bbf9f33b33ce87c4f4f

SHA1
da1a0a8e5c279c85279df6b5d1b44040d1c06767

SHA256
5db04868ce52b2c4fab43dd96a7085f990ff845fa249615e6e98cc92bd2020ac

SHA512
b956c6dad1bf196e37abd2d58bcfe464bbc72c1f5baeca8da9d81ad473c5f147946979a9333162fe2c76a1bfd22796cab7e21b198554d26535d92645da8dc580

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
89KB

MD5
74ed171d6c0d4902648e1eefc3b5b3db

SHA1
bd1e811e50c8251f37bcee58c2fe91d55ea704b1

SHA256
aecda3ee0ebf4eb9c3067feda0fe40d56ea21bf04038cc2cebaf1f201b862e63

SHA512
0834c4154c14a3e5fdf2281d9b8733646c2de69d7f12d9345d4aecea4499583113284f9c9da1ba5088c5d9464339cff309a1e552c5966a6ae4347b00d89d45ce

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
89KB

MD5
16436eb8fdad2eaf084bebac3fa8f8f0

SHA1
5a2967c046698f611e7dea41ce9a467593ba9bb0

SHA256
6b54a0e3e1f17f03c622e5304de00877743b571f060a255e1b09bb84a0952ff8

SHA512
f5db0ac1ad4aa3187a484e662375c7de7d24296c7c2de2e8cd8814fdecd04f2dcc7f0ad78f0134784f5c806235783b18349ae67f3c9b6c39f06040bf416c914a

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
89KB

MD5
387213f6afcf91e86efaf0b52836d2f0

SHA1
5b9f08a0d89470e05f94c0bc8cba717515c5dfd4

SHA256
62da3a374761a1bd0d24396cb2579c2adfea0870a5d5ca92068d33b8235bf2b4

SHA512
0beca2dee811c25c7aa27564df5cd2af2ebd535f9c51723767629a3f3bf940ae6fe10d49a942b55fbe2111cb29a844cf4896d1281e5ba48a0215f4cd41a7aef9

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
89KB

MD5
47c61052734d233874080a75a4a7414d

SHA1
fece79286458466b33b29a7ef4007b404e1554a2

SHA256
5b012afb3b178e3ac5b6890dc92be5b0d14c8fd86f0714286d038fa90133820a

SHA512
24e0d5b31841223c4d6718fd530332635c94c4250aa0c65b9f92251c6596211643c2e8c125a92190386e3a5e7fb3e71dfab0528f1ede1fdbf79a4843efc87d9e

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
89KB

MD5
b24da58954a14ef7fa7ba4e67b008893

SHA1
e1cd24dfbd0cb1d96b55d2728f7065903e89e65e

SHA256
c8887eff520ef18c6e9ac401b12f64c1e6e666d7f032b5e2b644b3956ce9e4d4

SHA512
83499715c000f61e0bb725866c37d60272b0298a21f1e09ede07611f3a4d79aec76ddf9d26c3a4283ae405b83fe96f69f286d647f2abf2a8dc66bb20a61710a5

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
89KB

MD5
3f2d66a46b15658cd71f3cddbe7e8ef0

SHA1
14918bbaef75c61bc5c7c91ce62dffcdc1aa4ae0

SHA256
d204b7a1457eb3d7609e6d0bb35cbe14c1549fdbb0578931a8491a2bb4be9f01

SHA512
46ee32984e248511cc5041573411b2994ae84372fdc3622ff133eaf7864538ed4cc09d42231d7757ff7313b43ba4907f61bbd337a0dcd5b64db8c8ddf0fc7889

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
89KB

MD5
96fac59775e6de4569c408132bb00669

SHA1
9bb02f695d2871a6ef7f835e266cea5a7afffde0

SHA256
36627cf824389f98ffdd665a86ddeeafbee19986148cb7c9a232bd042f207e35

SHA512
db21b85b0a6b34a2815c373686bd938d5859262c88dada1fe907ba5e7b6b8b5700458e30d6b21196008085cb8d105c6a013920fe755cd4150d3e8da120c8347c

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
89KB

MD5
b307c74a5ea507925003dab247856dc6

SHA1
429289ad419c3f94a00b50a52768b418de967828

SHA256
735f5e82d4116393d6fd99b584bf6f73c00d625011f88193b8f40f7b55b897e0

SHA512
08f0c0d7b9be6878d90e62af80c64848e24bba99ab59e03fabca403f77b022a26e9dad8feeff2b6792d1aaf3c7bdfb991c42ffb7af2a99c8567204f3765e8539

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
89KB

MD5
d890fc6544dd0d27c0a98c742e088808

SHA1
a070121214deda15d6e0a0ac334d7f11a97bccc0

SHA256
8d1599c7d04d8cb5797f6f06ac530c0e4fda07cd67cba2c00f298328c4c8d84e

SHA512
3e55be51f7b236d2de87669c68d0f79230ea10e3930ac0b26921da391e108059562d528b211060cc7e0ee8895656f6b96eb3017f51418b4c1e3290965125bcef

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
89KB

MD5
f399e8caca50431249e1948bbf74b2b1

SHA1
9169e8b2043f417a38f3647cce264a0e5ed6b202

SHA256
c44d1b56204d3c8c182491ca5b026737179a5424bbce13f809cbbd952bbe1814

SHA512
a9a80675b0b64dc322c697231a3a672f69b365b226b4a0a3eb7368d2b79d0557de88ee774e3263699ebd82b0d4944558da39f36d8e0d9bc8e08a60c4c8eda9b9

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
89KB

MD5
52146fb08bac469e47d9dccebdc3181f

SHA1
5b50735f3231e515e574f1a80ed5ca2fccb9ef83

SHA256
067b7f8c12b4f0868cad87e4c284a5b4e485eedf2b0abd6e3ec638855260dd20

SHA512
f5ecc6981c0b094ec0c0729ff8e51a3cc9cc3e885a6c8d4f9404efa0589a634ea66db618763801b3fca5eb30b1f0a0f131867bf0a6c310e7bcd20c1e32ea5f6f

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
89KB

MD5
0294d0dbcc224424bdb03d9f54ea52de

SHA1
2486e24c8daf5d928ecce3cf326cadcbec761354

SHA256
7f04f7684721c25482e5a4d1b3431d5f8674fb63edfbc0b0c95102bd1bcb7dfc

SHA512
5d3a483ca0348db1ecf7928102c303cb7a1fd8411d9bd1c78c76c502cd0c3f8f9a266c37a371db1b4b5e8729cb4a3e1874798e9350ccd794f7d4fb7895bd5439

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
89KB

MD5
f917a3e20fe0864e033a56e7ae1e2975

SHA1
0a3b4ba51920361b49d77e7b5e64f420adc2726c

SHA256
42bbed108447867afeb1aecec8ca410ea7a9797ea3ac031e88ad0f45958796eb

SHA512
48f889193f1a590418471c17ecfc3dd0f12fd357a17e9ae73bfdb7934cae4f7e1347156e5401b780219e9bf06accaafc8ff85df4b4edf283084d0f5fbef6875a

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
89KB

MD5
d40e97b8284d04b1510ed20d86e37966

SHA1
06438d72a36a31f0eb604bcbad63a25a388e1c02

SHA256
e161931de0506bdfa86807165641262065bc6f55c7120800f29e1d1c7e6dc830

SHA512
2b2936910590a665dcb6e46911c36b7820e51cc9a2d7f6f8deda7c164828b9d9599eaaf0a39f33ed0c75084026afae0b82f98405b3f41c112f75c2b0292177d4

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
89KB

MD5
2a37ae5f4c47f3de5f140462df7d8e98

SHA1
2f40581bbda7ce2f2cef6e41ece75089e66d2248

SHA256
b22808be82c32c564da6fc8337751d6210a6fd8c32467fdbbb2d6c272e4eae02

SHA512
e177ee22bffd5db8b866724ae779bff146b4ac50240ad1ddf55f80b6244b5ad328492a1bab9b915befdf15a1f2538354fc5b32eb81981c14e32bcece43cb8823

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
89KB

MD5
f1373b6ad54cfa43df766375e76ee481

SHA1
5fbe882b99c275b8a86f9ff0a0dfd5f7ee30d274

SHA256
d870d744994970ea34ab9907c9669fccdffbc4db7072e151da923ff9753a6155

SHA512
2bbfbd48837817cdf7c423c9bff86d83dbad3b453aae8e40fe7e6648590626c0d21cdd372beff490c41776ee3977b35f3ab3dbef0f353a4a10b580ea4dc40652

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
89KB

MD5
6e43a30b818ed011dc221db307e32154

SHA1
f33ef2a1fe4f3dc06e3bb81846c023a93f224a1a

SHA256
fa013a42e53f25a796ef7c2fb799b016604bf0ee9e277edbbf69119dc3c54bf6

SHA512
87dd876e5034c332d506251781b24fc9b6592ca34eb6fc6415e5e96606dd04f43d7fde849d7ae4197db129830f138a70b48a5aa261b3f77f27fa764062fc5603

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
89KB

MD5
ffdc9ffd3f3e6ff5e5468e1da4bde0c7

SHA1
40b5ffefd46d176c7c989b956039df97ec744dcc

SHA256
9376763b418b422c538944c0517bfe39fe5e406c766a7c8a4d9d3c844428c0aa

SHA512
b2bde2252d2b322c256ef1f22e7a500363e582336fb784816f242dd02a200ff703c76d0a83f7f76ea9eace139d57ee03a75640131d2c3fb8b975a22dbb7f12d9

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
89KB

MD5
6027502d64aa67c5c404c4cdeda48a7b

SHA1
c3ab26af137bba03309e23010387ee2cb272fa70

SHA256
979b3a293003ceffc77447b9793d27621139352ce7810110d871a156c8501868

SHA512
7cd06875cba92e1f4a9d3926b80d450bac6c0390c2278cf256ccc9360105e11a13c1686c8123277029b1bae42e34b498ad857908d7e5a257e2f5c569f3e3480e

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
89KB

MD5
c9a3894a7e4d74b61af9d95a6e141182

SHA1
5204c4f1ebc18ea73eb4ddf173ccd7226a782e13

SHA256
a6f2cbf35a7eb1268101aa55ac27ee05a0c3d563f15a353767397e02d3f807cf

SHA512
2a3149344620991b45d18b39f80da1537fa1924cf70f381be4f817b008b8ff77481ff0e9f46c6382e58c1c08517b6eec46e90c5a0a926a11d60e345f0b944912

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
89KB

MD5
372ba32e5e73c2f527ea1d6181dcc441

SHA1
be04ffe06a3fe9df85f658507727627db8baad22

SHA256
8e3ba31016660c9ab02e46d7a27b841d7af6a1227860abbfc97d38bc1cdb1f13

SHA512
eb550323ed7407efc77564dd21dfd70130dba675823a52371ab5ac615032173c069f43f22ccaf2456b7767b7ada9fe91a7cefdfa8c4195d91d4fc3474d8b02fb

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
89KB

MD5
72fbc0b7c600fdafd71e2646348fca34

SHA1
6a5a262d8f96a1f659e8b9f92bbb2843c1776d74

SHA256
5ec4c0068a274be61b3fac7020ff4b5184c6831a890228ff5cf7a2fab99a1480

SHA512
5213d7733b1e1271d79b1af3e66885c6d57cbbd8509ff6531fdf07ac4d3776374fd75ba7bf331146f73b1de07f5adde64fdf53082a56f7f894ed4b5ece1e17fa

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
89KB

MD5
6296f0e6ea8f4700196718cfc4fa2511

SHA1
2900c6e91b4db4f1485e82c76709b6f035553e58

SHA256
d99f9d57dfb586af31a99ff129324a4a40485933543ee2a1ce2233c1e6f975fe

SHA512
c3b6f36616efe34b7392b4c063cec9242031ab272f0ed867e4d8670c4165eecb17b781b85cf83f8fe419e2058cf1171b2cd2fcd89459bc1da484d8ff8cef046e

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
89KB

MD5
68c286dd025b3252ed3e4fe10d20bda6

SHA1
d2301ca7dbd4ce15671122fc58e7cfae9d2b7669

SHA256
b874b170b5bc5b349cc3bbec27bf6a5daa9bab835432f5bc7be499f389fb8179

SHA512
34b940f95251bd7df0b0ce9977a13ea85500d16e077ca071c4602099ba3bb69dde24668b93991e9e2b58afade879c6aa31fdca40059297042cd4e409abd15588

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
89KB

MD5
885d608ad5894a8cd04542c35e2b70f2

SHA1
5a0f04c59f961db8225313cdcfc3b37c4fe799c2

SHA256
b870b67af6aabce49b1f067a4bf2ce120eac7594edf3bc3d12685f684e0d3d44

SHA512
22e1f540d4eedc27278a8ebfd2cbe429e4ee99aaa1a74e91d4d49b0118ea79a138fad8033e0f48a3c2cc27a360975cdf4b2b95945ebd37342a4a4005be272269

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
89KB

MD5
4bba7ff9eba8456c7b89f99e0eb602b8

SHA1
a5694db2523aa8e231c571833f4a5ba046c56a1f

SHA256
4d3162918e597edb0a110439199c92d7b1e0ec37ace0ad078e39a0b020d94292

SHA512
98fcb25f6085b978d00738bde5124b0f236c6aa20efa49ea04f8e4a931f088939a29a8619bf01bf0df4dc47c9257842ebba1433fa0ebff5347b3d2e62edd0839

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
89KB

MD5
90b5c8de6476c72daf4dfeb097f39176

SHA1
c55ae10c59c2f8f312745a7ad3e0189747bd798c

SHA256
8620cd85ab08720f46bf57e33525fb570c90f19e1fb955ca36620cad206a3ab1

SHA512
71eb7bd86d0f97ddf7c44c50bc09da801e8189e4cf9a835d1df9e3449d1cbd133f62cc16c05a801438abb1c997b13c12adc9cf48be25e66a32b7f830a2d6b0fd

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
89KB

MD5
3526ba50e8255c707e2cfd988ed20b46

SHA1
05a6064fc2e293740d92d6f290b9cec1723ba4b1

SHA256
8039f701d13f24c824da26926b06dba38efb0cc13e451438a9a11ab1e9d399b9

SHA512
b55bd36d5d8ee5bf9f60977885497a66c387c89152803e88bc5fa09588381bbd00efb25eea6ed3c4bfb14faeb57a6ee6fd59abe06b0c3026665a4479dd62b3b5

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
89KB

MD5
1bbdff0fcc04ff73eb674e527f46971c

SHA1
9f2d6bee2e1267ba992bb20c74f818d17b34e43a

SHA256
dd3876057d224ff2d3c85dc0decb50c2b163fd63737975ea714be7ace1042f91

SHA512
c6a933ef2924c26d9d342d38e2b0134b407aec754f7fb6644bc010697616a16c3c0e599c0096e4947f3fd6d07738cfa6c9e465b3252101b68e1a75d3c1b14fae

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
89KB

MD5
2ea6e8db1d798549793f03e721285e7e

SHA1
a97d5bf6fbf4e88444dad7c2c584c97c5a6c08f3

SHA256
528a2575adf4f8e371228a2953403ffff81a887e16be6c62f04bd965ca3d9471

SHA512
2f6f9e5a82f151078df26252a5e90ba923f5997280bafaff58f7ad3f6a42d3beda995cee958a9825d01bc7ac6aa55d5f0f8e45c3a5f8a65e906a910a68ae3d6e

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
89KB

MD5
958b055e99fb465657af8bd79b35d6bc

SHA1
1f64d103841c82599dd6a9cccceaa3a9c0f731bb

SHA256
8c37ca77dee8bb2e599f8b0edf4a5e4b5906121c39aedd732188c375887ae2bb

SHA512
01fad7687817cfa3585295bb8b2f0a9528f2564b83f6bb4bf717abf5712fe0bfd07b00021ad6d4d475783111a3cfb36f6905ad2e4bff4d66b29d06afbce243c2

Download Submit
memory/116-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/392-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-541-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-532-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/444-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/772-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/832-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/996-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1016-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-520-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1168-543-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1472-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1516-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1616-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2340-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2388-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3124-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3316-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-478-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3472-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-545-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3736-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3744-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-542-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4260-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4528-538-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads