berbew | 2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
Size

64KB
MD5

a15874ebea83cbdee4c10a30c220f87d
SHA1

d82c55be24d472ab73d6aad856eecaef663a0526
SHA256

2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20
SHA512

4fe199c7b702834c5360a27a8326c84a3d8000a8181721fcda1a79a6e5b94cf49671914fbb82ff997527fc406909e0d983b0f47bbce3d8ff63459ea4cfb8dbda
SSDEEP

1536:uAJR4V0SMZC+ny9RdiOpXh3OWy6YrPFW2iwTbWv:GSS6Ct9HiwXNOX7FW2VTbWv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3368	Ogkcpbam.exe
2700	Ojjolnaq.exe
2960	Opdghh32.exe
1408	Ocbddc32.exe
2360	Ofqpqo32.exe
4400	Onhhamgg.exe
3216	Odapnf32.exe
4664	Ocdqjceo.exe
2328	Ojoign32.exe
776	Oqhacgdh.exe
2344	Ofeilobp.exe
4320	Pmoahijl.exe
2196	Pqknig32.exe
1492	Pfhfan32.exe
4648	Pnakhkol.exe
2628	Pdkcde32.exe
548	Pncgmkmj.exe
440	Pdmpje32.exe
4596	Pjjhbl32.exe
4324	Pgnilpah.exe
2680	Qmkadgpo.exe
5000	Qgqeappe.exe
2560	Qqijje32.exe
2412	Qffbbldm.exe
1456	Aqkgpedc.exe
4172	Afhohlbj.exe
3104	Ambgef32.exe
4252	Afjlnk32.exe
2112	Aqppkd32.exe
2020	Afmhck32.exe
2240	Amgapeea.exe
4604	Aglemn32.exe
1628	Aminee32.exe
4904	Accfbokl.exe
4704	Bnhjohkb.exe
3688	Bebblb32.exe
1700	Bfdodjhm.exe
3672	Bmngqdpj.exe
940	Bgcknmop.exe
4228	Bmpcfdmg.exe
3836	Bcjlcn32.exe
4660	Bjddphlq.exe
3904	Beihma32.exe
3676	Bfkedibe.exe
4620	Bmemac32.exe
5072	Bapiabak.exe
4260	Chjaol32.exe
1580	Cenahpha.exe
1420	Cnffqf32.exe
2716	Ceqnmpfo.exe
4872	Cjmgfgdf.exe
2648	Cmlcbbcj.exe
3608	Cfdhkhjj.exe
792	Cnkplejl.exe
4472	Cajlhqjp.exe
4256	Chcddk32.exe
1232	Calhnpgn.exe
2524	Ddjejl32.exe
4140	Dfiafg32.exe
3292	Dopigd32.exe
1880	Danecp32.exe
4736	Dhhnpjmh.exe
3732	Djgjlelk.exe
2100	Dobfld32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Dmgabj32.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	1472	WerFault.exe	156

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 3368	4740	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe	82
PID 4740 wrote to memory of 3368	4740	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe	82
PID 4740 wrote to memory of 3368	4740	2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe	82
PID 3368 wrote to memory of 2700	3368	Ogkcpbam.exe	83
PID 3368 wrote to memory of 2700	3368	Ogkcpbam.exe	83
PID 3368 wrote to memory of 2700	3368	Ogkcpbam.exe	83
PID 2700 wrote to memory of 2960	2700	Ojjolnaq.exe	84
PID 2700 wrote to memory of 2960	2700	Ojjolnaq.exe	84
PID 2700 wrote to memory of 2960	2700	Ojjolnaq.exe	84
PID 2960 wrote to memory of 1408	2960	Opdghh32.exe	85
PID 2960 wrote to memory of 1408	2960	Opdghh32.exe	85
PID 2960 wrote to memory of 1408	2960	Opdghh32.exe	85
PID 1408 wrote to memory of 2360	1408	Ocbddc32.exe	86
PID 1408 wrote to memory of 2360	1408	Ocbddc32.exe	86
PID 1408 wrote to memory of 2360	1408	Ocbddc32.exe	86
PID 2360 wrote to memory of 4400	2360	Ofqpqo32.exe	87
PID 2360 wrote to memory of 4400	2360	Ofqpqo32.exe	87
PID 2360 wrote to memory of 4400	2360	Ofqpqo32.exe	87
PID 4400 wrote to memory of 3216	4400	Onhhamgg.exe	88
PID 4400 wrote to memory of 3216	4400	Onhhamgg.exe	88
PID 4400 wrote to memory of 3216	4400	Onhhamgg.exe	88
PID 3216 wrote to memory of 4664	3216	Odapnf32.exe	89
PID 3216 wrote to memory of 4664	3216	Odapnf32.exe	89
PID 3216 wrote to memory of 4664	3216	Odapnf32.exe	89
PID 4664 wrote to memory of 2328	4664	Ocdqjceo.exe	90
PID 4664 wrote to memory of 2328	4664	Ocdqjceo.exe	90
PID 4664 wrote to memory of 2328	4664	Ocdqjceo.exe	90
PID 2328 wrote to memory of 776	2328	Ojoign32.exe	91
PID 2328 wrote to memory of 776	2328	Ojoign32.exe	91
PID 2328 wrote to memory of 776	2328	Ojoign32.exe	91
PID 776 wrote to memory of 2344	776	Oqhacgdh.exe	92
PID 776 wrote to memory of 2344	776	Oqhacgdh.exe	92
PID 776 wrote to memory of 2344	776	Oqhacgdh.exe	92
PID 2344 wrote to memory of 4320	2344	Ofeilobp.exe	93
PID 2344 wrote to memory of 4320	2344	Ofeilobp.exe	93
PID 2344 wrote to memory of 4320	2344	Ofeilobp.exe	93
PID 4320 wrote to memory of 2196	4320	Pmoahijl.exe	94
PID 4320 wrote to memory of 2196	4320	Pmoahijl.exe	94
PID 4320 wrote to memory of 2196	4320	Pmoahijl.exe	94
PID 2196 wrote to memory of 1492	2196	Pqknig32.exe	95
PID 2196 wrote to memory of 1492	2196	Pqknig32.exe	95
PID 2196 wrote to memory of 1492	2196	Pqknig32.exe	95
PID 1492 wrote to memory of 4648	1492	Pfhfan32.exe	96
PID 1492 wrote to memory of 4648	1492	Pfhfan32.exe	96
PID 1492 wrote to memory of 4648	1492	Pfhfan32.exe	96
PID 4648 wrote to memory of 2628	4648	Pnakhkol.exe	97
PID 4648 wrote to memory of 2628	4648	Pnakhkol.exe	97
PID 4648 wrote to memory of 2628	4648	Pnakhkol.exe	97
PID 2628 wrote to memory of 548	2628	Pdkcde32.exe	98
PID 2628 wrote to memory of 548	2628	Pdkcde32.exe	98
PID 2628 wrote to memory of 548	2628	Pdkcde32.exe	98
PID 548 wrote to memory of 440	548	Pncgmkmj.exe	99
PID 548 wrote to memory of 440	548	Pncgmkmj.exe	99
PID 548 wrote to memory of 440	548	Pncgmkmj.exe	99
PID 440 wrote to memory of 4596	440	Pdmpje32.exe	100
PID 440 wrote to memory of 4596	440	Pdmpje32.exe	100
PID 440 wrote to memory of 4596	440	Pdmpje32.exe	100
PID 4596 wrote to memory of 4324	4596	Pjjhbl32.exe	101
PID 4596 wrote to memory of 4324	4596	Pjjhbl32.exe	101
PID 4596 wrote to memory of 4324	4596	Pjjhbl32.exe	101
PID 4324 wrote to memory of 2680	4324	Pgnilpah.exe	102
PID 4324 wrote to memory of 2680	4324	Pgnilpah.exe	102
PID 4324 wrote to memory of 2680	4324	Pgnilpah.exe	102
PID 2680 wrote to memory of 5000	2680	Qmkadgpo.exe	103

C:\Users\Admin\AppData\Local\Temp\2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe
"C:\Users\Admin\AppData\Local\Temp\2eb45c9e011937b5d47ba9de3283dda9c520edf21a8bd7978e209b3b7e2bfe20.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\Ogkcpbam.exe
  C:\Windows\system32\Ogkcpbam.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\SysWOW64\Ojjolnaq.exe
    C:\Windows\system32\Ojjolnaq.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\Opdghh32.exe
      C:\Windows\system32\Opdghh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        38⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        52⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4256
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 220
        77⤵
        Program crash
        
        PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1472 -ip 1472
1⤵
PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
64KB

MD5
a252653892e4055dfae41dae3a367f91

SHA1
f8f896029c713f2e8cdf5eb8de67d2f6210903b3

SHA256
89a07e3d1cb3f72dfbf6504d7cd125d3d511ed50431c51a3303ef9f90e7bf01c

SHA512
7fe036f96775ed3b8739491b696c2f625e0e9aa789ebac65d54d3a2f5b599ddee08019484e7de52c3ddc7e1048e584fd7f5fb48d54e8207d1c865667965e87ab

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
64KB

MD5
5af3c22394bfc713ff74ae2c9851c47d

SHA1
de8179e63d2d239445c3f0239722a45454c88682

SHA256
c329b6c5899ff4d9b32dff6a638664d546d6c4c92c16058db01767bc4a2d9b33

SHA512
b9ccb45f4e5110916db8827541a356e4c4e97191e089b50d046777671b3b3da6634ebc04aa6733884e7c35b98020ef45312d396659e461f923d33ecaf1dd2855

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
64KB

MD5
a54356f21ebbefc05a48417feb3a231f

SHA1
ee25f49e1cdaeed4fc94f09d12a2223bfed9d2b1

SHA256
1664a8732831968b65ac5ba92033a006732f292d2b36bff79285ecb4c7342ad1

SHA512
13f1ff36699cee8ef32a678a3a75eac15ef92995828d964680d12b4c9e4fe898164a82c77c17fefb11f36783291915ac9eaae89f387147428892c97781d1c35d

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
64KB

MD5
9383be9a966d64f23af8df346d524f86

SHA1
957aac9fe173b2c5c900a7b0305ba99cc37ef1a8

SHA256
2cd74097b7a6f82781454a8eb8e5e2748a86caa9efcad306e455e61ffbac3370

SHA512
a0daab1ccc13ac167054a1e1882d4844cc44659ef3318cbcce07bd81721a2df72ad930fd696d78ae54d1a7e532a92c3df5c3ddb0556fdb4d66681b86f2aeb9db

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
64KB

MD5
8910e835370acc166dc15072852876ca

SHA1
49d21724e2b2a8d9775c50d4716fa6d70c48f864

SHA256
45a6932237aec9df07676d903c72a13334633ecbc163dadc5ca7eccf16b39148

SHA512
fec0402706ff9ba6f2c161cde42a7b8cce19500ec4c770e27160670b26a581fbaec0a5bd137f297efe8b1dcb0ab80195285ea0b9ca2655dd862db1b414f7f919

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
64KB

MD5
0d15a2bda33babed125dbc2299041ae5

SHA1
8f77d75fb2860eb4542454f4db8efcbe76161f73

SHA256
2105d1d05ef5abf920b75d62b962efddcc7d7aa655f46905546acdfac30cb064

SHA512
7cbdd72a6e06898d4a63f8c753ba9608190a5300810bc5bb17fe69d2e5300cca829106ab7fc7e3d9ffc3b28848331a09d7d5481c5059cb02f339f4fba563cf3e

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
64KB

MD5
20e5035dbc2044a826572317ef37450d

SHA1
9eadff4103d280d23beb6aa82bcd6dbecbbc5d85

SHA256
09a76348849cb88e1d1e8843e34d8c398688d4052af08ddf14a1097a52c3e80f

SHA512
5f95424915a7eb05eda312c3da92124c6f07ae57331d7318494df55a85dc0b5611461d470b3946085bbe9df75a6f0ea39eea679880f26c1ac7e48a47147fdf55

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
64KB

MD5
e1d296b3d51e621acab03f6b18170d09

SHA1
6aa6b3916a99980ae9106f3c57a078cbc5709506

SHA256
caa9468b7d7d55bf466dadd31f5f9e630d0a2aba305279c75ba7e6c72e66a2ae

SHA512
8fecc3cb0bd5bd0b8936ed5fef31a6fe0747db62e65fa2ac74f76ac7fe948ee18a7c4e185e422b8652b266b018deee377cde167ab614e02fae03adab5da72dc7

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
6a55228aeb32e8ea67a1ed68b6ae6f53

SHA1
f058d6743df7b5d3b51a675a0c3df5e9ce904ed9

SHA256
a8e3c676c538a9b20300af7679c460335567253ebd1d48c12c1cc1d16c646eeb

SHA512
3dc9b97089ad0234334d7b60603d2f60b2c7e2804a35b5d1212a646d37569c95e9648f5c15ca34f6fb47f24e06689cc199a887c2f345101482e54399d51f60fd

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
bb8c20cd2cd06b27a30dc4f6364da167

SHA1
60549b5b9a2f4cc792b4420ae11e2172320954f0

SHA256
922183e061eee4919f0c55532954fb472d6e3d2f5aea5a83e8e7c1ce469a18c2

SHA512
49050d65f6a3a5b51a0d68fb7ed466805dbfc0d3b0933fd5c5e26762438a0743af2a00b5a6d3b47c64416eb5afc6a7c753239559709ab9aee69fcaadf2ad1be1

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
a8cdf8255d58f76b6c4f43fe0a101842

SHA1
0b192a74104c7f770a724410b2e7a01bac93c261

SHA256
151b5a0224c47c827bf4c765b5e21cf9cb46f5dac52d4fe6c8bc60e833a37733

SHA512
e21b054414d360c78077788b7cc22a903006601116bc1ef67936c006e086b78f66a5296c8f3e3d091d165fcd5c1aa533487c922aed078d36bd744333ba264546

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
ac3968278fb41a31efb4fb305ca5b710

SHA1
70fe16c6617466c3b3a672ead33a95142c6e47e2

SHA256
26446219b37d35b4071a75bad05297de3e041202893fc9f3840975363f18c1ba

SHA512
7c9a8f1a606dcdd246b422d095115cc3a05f7529149d23017ac44be5acb277a5faec6fb97a2457a0adbb6f2b2e96b93158a3e9ad179617d35480c507c3e5a2ff

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
64KB

MD5
395ea1d67847e8ca8a81c7e52caab90b

SHA1
eec5faea01cf341b01c0bbf888238cc743783fbf

SHA256
e6a2be17a50d096be7ec78715514a416b6f1f7e06b7187053e0af4197c386a1e

SHA512
b08c56dd767c89254c2bb6ac52142341315cd7ea38cb1b477ea9d9ccac4f045e8f8ee1cb9ccb453cf130f668285bd8b5c28d996bc6a56c7d20a48f44e6f531f5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
64KB

MD5
8f227b582d7201f95aa2f52525c6cff5

SHA1
42eb80455da29430a1008659818b352985b42c77

SHA256
b67b0f78a8f866e36067896b49ac1c6b4ae81f15c31d2f173eeddcdcd3445acf

SHA512
f200709ecf085d14e650976f396acccab0e405b9064925d41aec883b5622640b038396b07baf3585b504e734c7bf2f532e672aea70cc7d2089372e2c82c23580

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
64KB

MD5
0d61a54d71cdf5dd0aa0a8d8d377b615

SHA1
357c57be3b6e8e578505fc7c9d93393ed44e4777

SHA256
b2ec7a3f0e09760f531bd108619cee99b72ba5d85ffe788ae9b6c96e1f9ac8d3

SHA512
7c61b18be4871d8f1cc960301a94d158b7e562d0b0440e19742b25e9b52f9186838f4573b5fccaaa26cc3e6161da56e572788aea73835d3a8119c94d8461f974

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
5494c0c8da80339d9071c2f1dadab1e1

SHA1
184365da93acafcf4a4ccfb9d9e2f5e6d1d73eb5

SHA256
c1511b296dbf2f50f866af1de4c389dcc1aa07802485aa6288a0acf2d12ac73b

SHA512
73cd2fdaa6131b96a381f9eedf9113fba9afaf1d4a93fa895dd89fa8a2bdd91389ac8cf4a08c254c7acc45406bc65287eab08961dd528117087fd6d0134d4073

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
507464c5d93039ad142fc1f8d812574a

SHA1
38ddec1f9214b21a4d529eb41860f3280cedd11d

SHA256
8e531fee105699226ad32e115765a70de3524b703653a9c89b5fa4bb0cb74def

SHA512
09de9fac34fbacc25bb30cd8d09e17b539d75203ffd5fe549a02786e2e6f616a60714d6b8e2c42aab0357d0a2021a1531a5ab07722d5e40c0ff2fead1fda3ce8

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
64KB

MD5
8cc92640faa9755f8103bbf6bccfaf6d

SHA1
d63251d16f385fddd01caa4406e3e3aa403f6895

SHA256
82eaff181f857d1d98195ccfad4719ae42bca7b66f9c0f04003e70c464ea9d13

SHA512
1b2088c0fe1892999c1742520b85105d093c2810f018bd0a09244396100ac4c50cd3c2607107b93b366ea264a5eae46e1befc6d2249665eb7e98bbc00cc5e3f8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
64KB

MD5
b77cee4e6b5ff543d9150c0c45c95079

SHA1
bfa2c5a86ab9cfe94e90223173ffc782448f5db5

SHA256
01b5d6c3fb97cdb966e34ce6d68b00b54f60416c45627d4c2713b2a08b3277b5

SHA512
17c6007651645591bf1704ec6e4a483330ffb94f086a4faf13ca70eba88f62ee572df1686fdb07a1e7ab0cf9cc27a2c10678d2802768364d185250a1e48e61ed

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
64KB

MD5
1db6c45f50099e0a213001c37da0341c

SHA1
83f97604f52c99eff0d2ba2d4017c0efd81220f0

SHA256
14fda1db486f19eb53cba2bd925dd88c5d0fee11fcb985299a44de32a4a2a53c

SHA512
fa1ef92c68a2de22ab3dfef8c43c0e387a047eede364fe8f15d573bfc252ac639df3d4c7df1b45726971046f4a9562af8c9c4467077353f18da8ae3bb7f8fe79

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
64KB

MD5
a86687cf0736e15c458d346bb91ff44e

SHA1
9b3322004a84e1fb5af2f3257b0353a8fa94e046

SHA256
31e8af2a2d0de3cb25ab103d56c3e3f6b13cadab02743861f70342003e5c5248

SHA512
9742d48362862adfa54702938e7f17b4354f5800978524fa9889b0e1ff2fafee6b26909ea9d79aaebb4c270a78c31b9500c82871de5bca3ae43ce2f74d93e032

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
64KB

MD5
cd4aa940b17b8a99e4ad414c67b7a6d4

SHA1
4637222d1b17570743e2e7dafadfedfa1a7b949f

SHA256
2ac99a7ed16cb99aaa1f97f6a68235e44ac19d77642787c0de8f758e8b911e79

SHA512
0c62fe020b833622ac8e67b4a87daf48f4b386a0d591286d562e1338c8e90539ae1218f5c3f967245329970c9615d1a556ffd4838876b8e19c4c480091705d39

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
959095d9b00ecb06036d081e1cfddbca

SHA1
b41fd909eb442c2cc446c3e535cb5f83d1edc0e0

SHA256
55f4549ff47cbee40bca7989661fca4b707509ec2809fed35d53f6513de5046d

SHA512
164c456dbb4994b996d8cdeb8181b5a2299d836c58af0fac433c05897c1fa984e85f82dca9aeaba081976478c4993055cfbbd1eaa0fb04394282dd5e3e180944

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
64KB

MD5
815ad4652925122f56eb57e08d1f04bd

SHA1
84bf38cf5060ca896d2ab4e7c1cc10793441f035

SHA256
4422bdf45c8d61f9ecdabf1f6430bfa84f4ba9df638f2c7ea03287c8ba551203

SHA512
758ef189c15f2ce0f1e1ad4dd525256aa170f0641ffbba98fcd85235c09fa2aad273c199d47bca40831e24ce403d7fbe33face17bfcf7ed3374d2907d1cca977

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
18453ff446011a826de43d83d3bb4cc2

SHA1
6942586bbe97eaf449f22e389ee8672b60f7f0de

SHA256
3862c23729dca55703fb84f1e1cc81274aacb2c47feb74e46de0031964ac681a

SHA512
e234d2e1aa26a803d5713f44b06e133392313a09b77b5cce043983425838830a1f57dcc4bf3d4679d6fc786501bafd963d651a755209f478a1edb99597e44f16

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
22433cfdb527e9ef229b766820bded6f

SHA1
64bf679c4d395575316b1367cc704235ddacf7a9

SHA256
bc6477414989e661204ef147486f5d6eb24d48a0ec29a8307e01b2ad545fd3be

SHA512
9f94d80f72e9a1079e3ebd52ddcb43837bdd506d443709424e04b2e71b611cd5ce47821adda7c9f09bd36f6718c8a7cd627e1adb69c992c6e534c127285d37cd

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
64KB

MD5
e6e7082dc0efc70ba217a93b85f30a81

SHA1
77e67472bfcc771bcac6f12b39489c2be1780794

SHA256
80e99ae6c9ece3fbb5684c8ced72e055fc38f9a23f42f9e6dcac492ca9845043

SHA512
2a8a3303a30ae9407b2c9e4a01b3528f6193a818179fa172e1f2d9ee477ea9a20800d6bda751e6ede00cadc88cfc8573ae3ebc537312e7975bb4a44ba7b7f875

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
64KB

MD5
b9621485b06941e05a5d0c68d2d0dc0f

SHA1
8b6ad31a4494e21a4a07f16bae196ce76b577efb

SHA256
20d6712fee764a1733d4ab2b9bf47439a1028fd20ac69676d927af24969de16b

SHA512
f3bd1aa9247f44a8be39c14891c404c7cbabb4f8c4b4d2cb83015157fd45968011fc274f511b5af0b34ef1ecd387847bd2a67cb4dd15769bb57a389e1e839a5d

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
3972acbec8b372770bcb4d34ab63cfaa

SHA1
7debf83cf51eaa85ce1d19511bd5e39ef9a79a99

SHA256
3df95322ae235c83874183bdc9213029dc7e65c528863947c085bcdbdab290d1

SHA512
33c49e2c1cf84f7828c090b6561fd2494dce6a129050ed3d152afce420eee43d91853e68f2c2d7d322246a7fac5126d65a8af4679b8824395ca698e195c2ab4b

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
64KB

MD5
2c5874f503a1266c9e2d48fc7de263cf

SHA1
0890216c0d462b71484260b0f06bfae50c70dc8b

SHA256
072614a829b334d570b1b7f53004cf2d2e9f70ab530b0a267293a7805e79f471

SHA512
d52e3630b0d6b420b52228099423755a520e9006578c7c1485b63152c5d8165a74df8f187e376c163cfb39ceafe0cbc362c12cce1ef03ebfec3edb9079ab6c72

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
64KB

MD5
06387ed48ca639225e414b73a4d661e9

SHA1
c63c765bb13885864b944acdc7238f84dffc2ba5

SHA256
3c2284c7364fe9e433203a30ec40f1f1a747b57c1f40485b4ccf063e56af394f

SHA512
1263225757d18ff72245d579eb9685ea59248091ee0614c03a126cbd26557ca5ec401e3dd5bb8ff87261ffbadf096380ec454e81634026b2d2ab75510668c5a2

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
7f18e12b90c110de9dcb767e1be5ef10

SHA1
8f8fd5d1a791dab57f977ac80e87fc3d87346788

SHA256
ed45df87aa793d3813bf9b3c1fd450599d1b930f1a978bfcb01be6aadb02bf9b

SHA512
49433841a6cb2d700ced319f85fe4f03b8fae28ea19aad58477836eaf609cb4c86022bef800e284322b5ae4ac607cbe2e26d47f4b56d344ff9a8f09f0e45c2af

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
64KB

MD5
e8fc4be29a2d8c315f3d6c54943f269a

SHA1
ee4b1f30959037161ce13765f006f6bce9b7a564

SHA256
06bd452e891daec54754a8bd2cccb6e54f660320d19d24012e3ee1892d5ebcc0

SHA512
0ef63a0560dfe5cfcb574afe70eb45e6835dcd575dc0298da2cbd05ca75509bb00a7b81d960e8dc0716d8ea39607b07ea54f0b81beec1bed496c32bb2cf0a1d6

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
64KB

MD5
5341ff899e4650f4ade109ef0a72c813

SHA1
e2dfc7d4d70a91c35da9675def5928a4a54c8b6d

SHA256
8b7f19b22575706e79265abe279899a0c8d4131453e40f58c1bcae997e6d6f61

SHA512
23d08d6fc03b99b2696c28f92a3eaa2c4db6e2d3ff90663bbd8f2c553b2f8f87168b2e47fb103fdac44f588014f0fb759558db21756971f7f348a6e3d59fc357

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
64KB

MD5
eac1862f2921a8eb766360809984b9bc

SHA1
e1a8bffe4f6dfc4e1acf47e9a4479499daa20a42

SHA256
9f025013253e44d1754e99d13dff45ad63672b184214d182d8fbc746f7452950

SHA512
88a3eb65940d866348586971fdd638ef918d2fbe17920665d5f62e7da9d538b4a91669955c1804a9cbfbc0dfe283a5e2a35be4c993ad94b9ca3d5a662261b5c3

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
64KB

MD5
285b201b6c82ddbb6ba3a649969460b0

SHA1
eddf0f6537598517aa3e98ed303636a7f25a2979

SHA256
961ec98ee8676782706f1056e86de2c3859f5ec25ebc72f898d930a2e4fa351b

SHA512
9a8d174d65178c0b777a3e860a7fed0c7de53f1ad621deabf7acd00849950f4b50ecf1b05c0dd9c40951cae27d7c57d217a5add77a383f4249a55c1abdec6cf7

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
77e4f72a52436f633864f6bbea1cf85e

SHA1
34d493946abc691b0c78043d37185696af9853b6

SHA256
b405db875b9222cfa09c71a2dc28eef8945b9d4eb63417e4952a2c5e9cfacc6f

SHA512
04100304b63ef6e3de702ea35a1dc2a554cf3d6f0e974aa5d528b0c9531a33007c9dc66de9c99d2d3d0cbcf520b19237bc6f300bf19cf58158bd9c40699f9a84

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
64KB

MD5
d75a7ac4fe2c99ac76f428f35b5d8342

SHA1
805e42467e1cb5bcdf0f71d809299787ecca42b6

SHA256
e9930f9c6ef18d5e26c9f1d8013d894e74a4588d937d1dd76233ac96103d8c41

SHA512
98e30c97a4fb39f03125c47f8575b915233acaf6bd29ad8fc60b670b0007b3f3d5d27e11418c7df353d342437df0875fe1315aa2da817db0baaa94d8ff6c6ee6

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
d93bb5345cb8de7c627b790ffbfab1a8

SHA1
3dd7e227c4621637ffcd0e4be838cb7be46a7b4f

SHA256
db299bcb480e8d080f14675b7e027108526be03b31e2599908436cdcb2c872f0

SHA512
2cf10ab418f0cecd64b15e1cf808a3252e9a87a3bbae08ca806e8898f8fcc4c2b7d1d8bd8d6b664294d557e870c32a94a56d8121e39a822b9abac8033bbeda2b

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
64KB

MD5
55f627624ce3a37dacb25e3a0247b642

SHA1
bd64a205a754d336e5c191d143bab44f90530eff

SHA256
8fcbe374f7fc9e8c107431e996c47566af4398e0bbc105c95b1666fecf6c2178

SHA512
1545fb1644fbe1099a9dd8231c604299ec45a1a2700b434cb40348c921822fce35fb4afc4891b188236157004811be3acfe0e341df64d3e3383c2e6b3311cd74

Download Submit
memory/440-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/440-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/548-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/548-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/776-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/776-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/940-397-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/940-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1408-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1408-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1420-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1456-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1456-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1492-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1492-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1580-391-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1700-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1700-383-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2112-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2112-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2240-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2328-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2360-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2360-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2560-285-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2560-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2648-419-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2680-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2680-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-405-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3104-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3104-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3368-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3368-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-390-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3672-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3676-363-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3688-376-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3688-307-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3836-411-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3904-356-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4172-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4172-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4228-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4228-404-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4252-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4252-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4260-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4320-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4320-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4324-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4400-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4400-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4596-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4596-250-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4604-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4604-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4620-370-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4648-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4648-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4660-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4660-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4664-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4664-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4704-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4704-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4740-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4740-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4872-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4904-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4904-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5000-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5000-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5072-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads