berbew | 948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
Size

428KB
MD5

bec8ce86618b514933b08d9295e711b1
SHA1

6b8d5f0ecc6e14efb1d44db364acbafeee505c1a
SHA256

948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e
SHA512

0eb1a5d6b2477edbf785efd1d89c419829b2b5d9dd33f0274e150765cb886b6ffa44997c4b9e7d00c8c0be1058cfe2babb1cae522204c7a3f0f31e8f0aaf111f
SSDEEP

6144:UCvgl5ZXZuKVp1fNrNF5ZXZ7SEJtKa4sFj5tPNki9HZd1sFj5tw:Zv25hjtFrNF5h0EJtws15tPWu5Ls15tw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfgmjqop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
960	Nfgmjqop.exe
2024	Nfjjppmm.exe
3216	Olcbmj32.exe
4012	Oponmilc.exe
4284	Ocnjidkf.exe
1468	Oflgep32.exe
4252	Oddmdf32.exe
5040	Ocgmpccl.exe
1652	Pjcbbmif.exe
3284	Pfjcgn32.exe
2868	Pdkcde32.exe
2732	Pgioqq32.exe
1788	Pflplnlg.exe
5004	Pqbdjfln.exe
2768	Pdmpje32.exe
1244	Pcppfaka.exe
800	Pgllfp32.exe
3236	Pjjhbl32.exe
4864	Pnfdcjkg.exe
1628	Pmidog32.exe
2720	Pdpmpdbd.exe
2584	Pcbmka32.exe
3208	Pgnilpah.exe
360	Pfaigm32.exe
3488	Qnhahj32.exe
3832	Qmkadgpo.exe
5044	Qdbiedpa.exe
4036	Qceiaa32.exe
1936	Qgqeappe.exe
1212	Qjoankoi.exe
4988	Qnjnnj32.exe
2712	Qmmnjfnl.exe
3028	Qddfkd32.exe
4344	Qcgffqei.exe
2420	Qffbbldm.exe
2404	Ajanck32.exe
3632	Ampkof32.exe
448	Adgbpc32.exe
4456	Acjclpcf.exe
2060	Afhohlbj.exe
4920	Ajckij32.exe
2252	Ambgef32.exe
2144	Aeiofcji.exe
4588	Aclpap32.exe
4636	Afjlnk32.exe
4140	Ajfhnjhq.exe
3252	Amddjegd.exe
3916	Aeklkchg.exe
3852	Agjhgngj.exe
4464	Ajhddjfn.exe
1088	Amgapeea.exe
2016	Aabmqd32.exe
5100	Acqimo32.exe
832	Afoeiklb.exe
4500	Anfmjhmd.exe
3696	Aminee32.exe
4912	Aepefb32.exe
1888	Agoabn32.exe
3680	Bfabnjjp.exe
1360	Bnhjohkb.exe
1708	Bagflcje.exe
4608	Bebblb32.exe
1780	Bganhm32.exe
4844	Bjokdipf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hjgaigfg.dll	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe

Program crash 1 IoCs

pid	pid_target	Process
4908	1952	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 960	3736	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe	83
PID 3736 wrote to memory of 960	3736	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe	83
PID 3736 wrote to memory of 960	3736	948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe	83
PID 960 wrote to memory of 2024	960	Nfgmjqop.exe	84
PID 960 wrote to memory of 2024	960	Nfgmjqop.exe	84
PID 960 wrote to memory of 2024	960	Nfgmjqop.exe	84
PID 2024 wrote to memory of 3216	2024	Nfjjppmm.exe	85
PID 2024 wrote to memory of 3216	2024	Nfjjppmm.exe	85
PID 2024 wrote to memory of 3216	2024	Nfjjppmm.exe	85
PID 3216 wrote to memory of 4012	3216	Olcbmj32.exe	86
PID 3216 wrote to memory of 4012	3216	Olcbmj32.exe	86
PID 3216 wrote to memory of 4012	3216	Olcbmj32.exe	86
PID 4012 wrote to memory of 4284	4012	Oponmilc.exe	87
PID 4012 wrote to memory of 4284	4012	Oponmilc.exe	87
PID 4012 wrote to memory of 4284	4012	Oponmilc.exe	87
PID 4284 wrote to memory of 1468	4284	Ocnjidkf.exe	88
PID 4284 wrote to memory of 1468	4284	Ocnjidkf.exe	88
PID 4284 wrote to memory of 1468	4284	Ocnjidkf.exe	88
PID 1468 wrote to memory of 4252	1468	Oflgep32.exe	89
PID 1468 wrote to memory of 4252	1468	Oflgep32.exe	89
PID 1468 wrote to memory of 4252	1468	Oflgep32.exe	89
PID 4252 wrote to memory of 5040	4252	Oddmdf32.exe	90
PID 4252 wrote to memory of 5040	4252	Oddmdf32.exe	90
PID 4252 wrote to memory of 5040	4252	Oddmdf32.exe	90
PID 5040 wrote to memory of 1652	5040	Ocgmpccl.exe	91
PID 5040 wrote to memory of 1652	5040	Ocgmpccl.exe	91
PID 5040 wrote to memory of 1652	5040	Ocgmpccl.exe	91
PID 1652 wrote to memory of 3284	1652	Pjcbbmif.exe	92
PID 1652 wrote to memory of 3284	1652	Pjcbbmif.exe	92
PID 1652 wrote to memory of 3284	1652	Pjcbbmif.exe	92
PID 3284 wrote to memory of 2868	3284	Pfjcgn32.exe	93
PID 3284 wrote to memory of 2868	3284	Pfjcgn32.exe	93
PID 3284 wrote to memory of 2868	3284	Pfjcgn32.exe	93
PID 2868 wrote to memory of 2732	2868	Pdkcde32.exe	94
PID 2868 wrote to memory of 2732	2868	Pdkcde32.exe	94
PID 2868 wrote to memory of 2732	2868	Pdkcde32.exe	94
PID 2732 wrote to memory of 1788	2732	Pgioqq32.exe	95
PID 2732 wrote to memory of 1788	2732	Pgioqq32.exe	95
PID 2732 wrote to memory of 1788	2732	Pgioqq32.exe	95
PID 1788 wrote to memory of 5004	1788	Pflplnlg.exe	96
PID 1788 wrote to memory of 5004	1788	Pflplnlg.exe	96
PID 1788 wrote to memory of 5004	1788	Pflplnlg.exe	96
PID 5004 wrote to memory of 2768	5004	Pqbdjfln.exe	97
PID 5004 wrote to memory of 2768	5004	Pqbdjfln.exe	97
PID 5004 wrote to memory of 2768	5004	Pqbdjfln.exe	97
PID 2768 wrote to memory of 1244	2768	Pdmpje32.exe	98
PID 2768 wrote to memory of 1244	2768	Pdmpje32.exe	98
PID 2768 wrote to memory of 1244	2768	Pdmpje32.exe	98
PID 1244 wrote to memory of 800	1244	Pcppfaka.exe	99
PID 1244 wrote to memory of 800	1244	Pcppfaka.exe	99
PID 1244 wrote to memory of 800	1244	Pcppfaka.exe	99
PID 800 wrote to memory of 3236	800	Pgllfp32.exe	100
PID 800 wrote to memory of 3236	800	Pgllfp32.exe	100
PID 800 wrote to memory of 3236	800	Pgllfp32.exe	100
PID 3236 wrote to memory of 4864	3236	Pjjhbl32.exe	101
PID 3236 wrote to memory of 4864	3236	Pjjhbl32.exe	101
PID 3236 wrote to memory of 4864	3236	Pjjhbl32.exe	101
PID 4864 wrote to memory of 1628	4864	Pnfdcjkg.exe	102
PID 4864 wrote to memory of 1628	4864	Pnfdcjkg.exe	102
PID 4864 wrote to memory of 1628	4864	Pnfdcjkg.exe	102
PID 1628 wrote to memory of 2720	1628	Pmidog32.exe	103
PID 1628 wrote to memory of 2720	1628	Pmidog32.exe	103
PID 1628 wrote to memory of 2720	1628	Pmidog32.exe	103
PID 2720 wrote to memory of 2584	2720	Pdpmpdbd.exe	104

C:\Users\Admin\AppData\Local\Temp\948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe
"C:\Users\Admin\AppData\Local\Temp\948050f8cd820c544b16ed708315d86f595af26e9755f6bbdc9db37f9ad2189e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\SysWOW64\Olcbmj32.exe
      C:\Windows\system32\Olcbmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        25⤵
        Executes dropped EXE
        
        PID:360
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        29⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        36⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        37⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4636
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3852
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4912
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        66⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        67⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4824
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        78⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        80⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        84⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        85⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        92⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        94⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        95⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        97⤵
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        101⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5452
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        108⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        114⤵
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4956
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3424
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        123⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        125⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 396
        126⤵
        Program crash
        
        PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1952 -ip 1952
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
428KB

MD5
63d410749c6fe431a7184880314254c7

SHA1
880b72f273ca5ee3878d63aa38e3e403e3481a1b

SHA256
d8b3fca8eecf2cf8049fff00b4bbd0c9cccdb5d0d1760d9bca84ba3ab303acf7

SHA512
9dd13b9bc58575d66870b42de0819415cf4736de36dd54cdbe7af98edfde1cb65c7a4bb159025a60377296f427e87a212279ec5b7f537afb46225336e0c38a85

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
428KB

MD5
78ba7d961ef76ff611026eb29e9159c1

SHA1
541e6985316f3ea9b4a74dea9e828952fcfe6c45

SHA256
9e4551b67b5689f29c4ac99e56ec98a930901b202ef8a3bb8392a01ca9ae3692

SHA512
1fce9a5ad036837cdeab5293681b1502ec05efda6203ca0ecba3a1ea087da070632803fcd561af7c471e30f73f4b8238c7661c1ff7e05104effe3cef5c40e65d

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
428KB

MD5
8c546bd3dc0fa6ce17cc5bdc5942d807

SHA1
3f31eb9eb35e9902402e310ba25f7b8fe33d67de

SHA256
29dab619928fa931b1676c311f654f932d768fca2a99b4d9a5b962a8a5cd32f1

SHA512
959146c4f506c2697b9f937f24a45dff415cf43085f6122396bdd4bad190128e362400dd7997c8a154af5274522650410f9e95d401dfc62a437891a9c38fdeb2

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
428KB

MD5
cc841960cd814cf741804e04af533e0b

SHA1
aa0f747eb6c5f1e76073897138f1f9062a418b4e

SHA256
6788b5c36b18247bb04044b699aff05203fa526237642561f9568215f789f38a

SHA512
75c12c379c0e3adcc9ce576c1dc090e13ae2eb0625031ba910f6f825e696f726475493b2c0ae7493b9b799722024e863ba7a7a1696e3e6b2c727008b8e57e19a

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
428KB

MD5
79e866a5da81b1b0d7c77e39de47345a

SHA1
2df1b2e71815337bd2d022c95dca07f1a562b883

SHA256
034d66556b14e18238119bb56a21d5e49b42918e0d85d886ccf22f88269517cb

SHA512
d7758f4fc1813eedd66a1466a9c524de6480abd3fd6fb1bc5b05e395861e6bf033774f26541250ca0e71898cc302b4123bbd5c961a1131f721244256a025734f

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
428KB

MD5
505b275e30a32cdf17045003be28503d

SHA1
8958188293142af09a2a3abf28c239badfeef82c

SHA256
3746252cee7a1fa59e7c2e54f7a536920e15dff002bebff4d1a2c48253d9e0c0

SHA512
48c58fd5a17eb0c254ad7fc7c29ce32403bf5f46e57e7cd9262aae506e17835f588dbac9eb5011a44da1b276fea7a9665885b040e1b90767417c553d7413ecda

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
428KB

MD5
e6c65221d82fe600e1fd974c862cabcd

SHA1
e7720da9bb8d171461ff6a17c1b20615fcaf99b0

SHA256
f5ba989f3a3560db49a324f96b6f5372ba4b1e4c5468dc51ea875bec34125290

SHA512
458da727506eecc848bf7f07e3e017fd8e37909ea2f48a9eed0364fd937b4b4d9f9099555f206dba51fb9638879bd2e6c089070de1a9a29837a52cc791955a76

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
428KB

MD5
ebbe8b74cabd44d68a15b5b434ef707f

SHA1
af1c894e86009fccf9818a1c9452d05d23330c11

SHA256
529ef3d13454ba093812e1a95e628277ef5b3a5ff9efa42c050d49634e69b055

SHA512
2f4a2e45da7e43c999f726191798cf7a45ea228412b96f0a3e9853b81a5958709ef416ef15e1c13a6a48814412a17013afacf3ad8969c81f702f80b57d100e57

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
428KB

MD5
070745de4129f2d0f6bba0e8a2aa1758

SHA1
948add54ca4e8b59201a4335fb266de6fc4adab2

SHA256
36bd6c27f0b8f8ba2f886a424d9a43c6e8be517c8a67459dd8acf926c6d1c1de

SHA512
c146241fdf48f286f0fcf8c533944b67dcb75a9ab982a0bcab77da51299390e5976aad090b83b907f8130407992995de6a2ec855bc4e433593abdc133520a16a

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
428KB

MD5
412fe3e7687f7769fbf1940013b93a32

SHA1
db689c3c5db94ab4fc819eb4f7e8fa00eb7dc03a

SHA256
dfec642b43f917d789f7aa9a7a72fe310bf4b7f0f77c4b42d2377c05ea2741c7

SHA512
762656ab8e626e4bbd1dd3cb414b15f0f80787f52d313ab4f6d4f605dedddeb9a057b435347e6a665ef03790f173f68ed98ce167e01c4ce783bfa3619de65d0a

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
428KB

MD5
53fdc7faa24cd52cf24594a6ed9a998f

SHA1
b6e2ecb9522ee5cb1495c9431722429121f67f5b

SHA256
a4a8296685e22dd6c6d04e4cd1e4bb5c4622a2d7b434a1ef4bb5feabcb282b7c

SHA512
78f8d1f9e58b455b8b15a2b851f0768f4311379d253f6d2d7fd10f4ff2de3dab080478dc7b9623c27de181913ccc84c6f56cf04cb426086ede9567ccf221b4b8

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
428KB

MD5
f483c910974eeb94aa959a0c131ca694

SHA1
252af29a2cd40999dc6d5c50482b4265b4873097

SHA256
93aeb80170d69321083d5ff499ba018107c86edf4980f1f2e6d0e315fc44165d

SHA512
36b3ea4173a005c769b71f0d16e084a1d017be0595109117bfeda19eaa29705676adb9aff9060660971a92549d7e3f67610e442fc2dcbd3590120a05f5800f4e

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
428KB

MD5
3bfcfb2e74c3f39dd1ae0404174475de

SHA1
b926ef393e41dd920a391420d01dd57d401de160

SHA256
ed6d9d016a46cdf1df29e1c36c70aa5ff5ffc02527ba2d0e8b3a507c76968742

SHA512
b26d4bea8bb9f63d82f33d3fb61ff123495c44144cb68242a1d198dea432ef48ca2d76b90545853d1a2f3f43f4d3ab8fd75926fa13cdfa23b8be1fa985beed8a

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
428KB

MD5
744532d7ecd11e9b96c90ca8528c3efd

SHA1
f71378d8d8221b679ea348e156840f8030cae7c1

SHA256
0b7147acb478ee365367cab32b1e68bac50252330dd5b6840914c218ec084f67

SHA512
6a63ad4cfe1f89ea189e928aeb55bcf9c235cb5bebe9039ce66cdbea614e7a93bcdc06833af29944ab84633da03c0526b09cf1924f6aa0cc22d330db309708f4

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
428KB

MD5
10d81c75b3646e9213ddaddb046e9006

SHA1
3fca94eafcef6b5c1dc78b2ced67c89798039b21

SHA256
0825b016e401eee06256b9de8485186ff158f313dbc64db6248639806fb6423d

SHA512
db3a5b193d9716d4317ef6fab16e3631c51289256db4e28ad80bd8cac6b43d411259eb346a956be2f224253f85b21ec418cc2fb74e2858e75ac8a02e1dfae05c

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
428KB

MD5
acae2bb8d2cdc2e2c5b2ea020b6c3510

SHA1
759b0555baa71217dc7e89b775e043e5498795f2

SHA256
9227e2315eca3a31f13666fdb8b4e5321f6aa0cd8af39e9e98c18e8cb8d9e836

SHA512
36bd776f07d6713e614309ec93e842667fcf14db6f96766cd4f4ee70083b9d7196b006e7619bcf4cb25d9aeb9d1ff48ee30d12206bf691e5fef750bff73c66d6

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
428KB

MD5
de05d942dc167bf7a9cface39cf779ed

SHA1
fe943cdfee830a96da8575d0a38dfac68c439e93

SHA256
feec0f5e1bad1d70c711853899cc4e99f2dc823797247c78c22a164286132b81

SHA512
a0c9194243bd0c36e366b9200ffc17a27d67d18f7ab73a0eb25bb8f9bfc732db5a471d987be7af62ecfc7af370bdedab9e56d9b6f41ab07ff6b07b87a1888c17

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
428KB

MD5
b9e22777b04450bfb1643f50e3407506

SHA1
51644374be57b08078e6a49bea1fb78d9541c77a

SHA256
bcccd6dd7906ba0bd92957978dbcddeaf6901dd4a9055019f6b08990a91cdc74

SHA512
7540508714699c38531d162a8fd8681c6ec32952b403b7ea8cc3c743c9643acd2f4012b6bbc9ca116608c0aaf7411890765b4bd51b0f1f5312ee6505115250bd

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
428KB

MD5
132513c7cd44c268958fa519604cb571

SHA1
26c984888cc2b1d1c0eda050505fe7a589e5c7f4

SHA256
b4cc5bfe58f5fec42de4c1ca209a922f804e0907fa50db2d0ca189c90b81009d

SHA512
f7ffed98aab4c55ec8414761f9f2e1695aca6ee083bf0b73b33f76aa8d3b15320e9cc6c2a358dad4eadb2fb01b1af3ba4fd7bb39588d3d61d1d7336e1390cf5a

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
428KB

MD5
16181c6f6de0cf1eaf9fae39e70a4ec9

SHA1
8c595d32572466cba328d8ac626fd36d56194d71

SHA256
d224e76eb86017f548e8689e28d1f3b936bb9767993221ceda691c2938fac556

SHA512
7a44043a7d8cce4495649ad19a8f2a5229c5d36ddef4e67b1ab56da63381e51806731c164b4f06569a495dfd82436a7c341b0dc346908f8cae615afbf52cd955

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
428KB

MD5
bc41953e0772514b4f90e180091302a7

SHA1
7c02c04ceffba492f7db309819fdb5ded0d9346b

SHA256
d03d25598bf5448dc9e0c292b64886fb837e9cc7e8840ee9d24de43f222ad901

SHA512
8f07517430eef434213b366c1d26c79f6778279bfa7748a6a675b44e13d2f4e01a817cafa82ac3efcce17b28934405568971292c54d63b16140060eb3a84a04f

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
428KB

MD5
0c6ea6b296af5c35250ab318577c0aae

SHA1
5e448f60acfdbb49212e0b78f165d6bece1be4cd

SHA256
526d1b283c1e2262ccd0b808b500803261ed9c8b4035a0d34e71dd31f6f79074

SHA512
fe02a1fc70d3ca0b0f5646b0baa19f05fe3b87de178cfb7ae627174b1d475a328dbbc2e58be1f534c9e2beb104c86144fb60af0ec696f99467ca38285f26c2f9

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
428KB

MD5
64e3ed740f74f0018a48b1ca9c74f684

SHA1
fe9e14611e254eb49138df459a3255be6b230c67

SHA256
570d2d1a175668412efa120b28d37ac3719c7a6596d88119a61c713e5ee3a239

SHA512
f0b562233c175768374bd6d108d433c15f83dcafeec3fbba25a480575f4704ca10bce2257b7806fc30aab281bd0d35fd347389c83320b2cff2072af42f2a278b

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
428KB

MD5
008991facc57ffabf825f9de0fb14c72

SHA1
95634a5bdef3bd3c9b0fcc3833466a73ad2c5b62

SHA256
0b8d7526369c86fbf30018b5262fbec55638cee3e5c4d21cfcbfd05461415b30

SHA512
005cecbb9cac75dab6ef6e195f8822780d01db6400e95817ba7bd478384c9a9aece10ce1195c0bc8dd5d4ce348983df126b94012b8166c37d36f4eab3b3ebdd3

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
428KB

MD5
ef4b684e02dbf271f6952080be7ce336

SHA1
4820c9efc40d8f34518445a8c3aae0072d2ecc40

SHA256
ec3c9b75b56c0604399873e4ec09f8ef601caed649bd3ab252adb41d408c652c

SHA512
5c08d60316e7f0f04c03dbf1269701bd283df8ada33bfbadc184a4ffbde27381bd08233fed216f4e0856f74c042254b1e1f03160efa50c39ef3b280c371c6ee8

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
428KB

MD5
488a28759c3385850603ecf3e0b7ab22

SHA1
1c06ceeb71bf5e0c23dde11148b1617858180e3a

SHA256
11bf58ad9bede78f66fa9c80fb1c63c14014e95d921b16f8237989d96d1315bd

SHA512
b60c9b9eefb65ae0b21b5ce8a84f137942bd87806415a9c182937d9f4eafe28d12738d23c1e118cb4d73943084a2d7efed2a0795594a406432c1fbc35f1a2648

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
428KB

MD5
890f14cd5187e1d700e373c4d36a478a

SHA1
dd7a203bf538c728db99c60c1ea9624d8f379882

SHA256
6172545afe0b64d0eb34e198ca173609cb298469f4acf344cecd70bcc9217230

SHA512
88098e4a553c39445a464b655bfa2fee24463d09fe9edacc94f5e1c7d9e9181b2a0dc84b493fbdba2797bfa216b1e6bebb457a16163e628228abce10e2e129e1

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
428KB

MD5
5043c3a2feb6e7eb82fc325364f395b3

SHA1
e2a404e65e8dd2250c8d2ec7963e1e0e426f86c4

SHA256
a87e7e848e735bb9b2c359a9fd5ec67c96b4fec97ec13b1a577414415b0759c0

SHA512
d81fad8d4c15d6f5dacf3001c8b674bb41f8dc6b5ad6f74dc83a7c61dc2a040cb976a88dc5de25d8b456da2c11ffa0db0154b0c4adbc384d9c98520d17733d19

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
428KB

MD5
24cd78bd3177b69d86a34fc753537a46

SHA1
09373320dd804e29cee9b596f70849a2131b2d0b

SHA256
807cc30dbfb7a5b5fe794c138f41fb533c1c230d67d70d8a5fdf5cb6ba1913ef

SHA512
2c1a570fb7596afe09696ac1d9db369696aaeec2cea5a357cbd52d8179349a834e49477ca6455b34fe52e692fecbc086f46a571069b0546e7a0126a377aa06f5

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
428KB

MD5
acbb2e45fd95fe834a1ec6d20a90ad78

SHA1
c3d7bc3eb358e033116914341ffb4dfdcfb014e7

SHA256
c6c45867e20e1be70e425e1d14a5a83e593b150b1777cb31d48017ea0c9d68df

SHA512
611d2f8afc3995e6c578d576d657b9d606fa2b61575b7e973d2d19ccc75ab08333846e7354417d85b39b427c317462327736034b492649880a2095b86380a6ec

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
428KB

MD5
e430581cbf0b6af70c75e1afce9166f7

SHA1
09d810b49e33251ae18d5ceee52508dc7ca167e2

SHA256
e7a047c157866997453aa05ce68ce4aa57e07306ced5b1ee0ca129520081c888

SHA512
41018dd1e882c8b46dc50801b6263ba01c1532d9ec282b4022fd4db7c45878a11b095948d868ee0b53fbe43f33c7d8b0fadb3d552ac64760bf0d98b7ed4af058

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
428KB

MD5
5553bfb49fcd6df87937ea8196830996

SHA1
2cee802bf19b1b7319eea09479e2f4a81b596045

SHA256
18d319a3d7c674ee423c795499c4e969f764be4bb29ed77e0b59374189da4106

SHA512
378d62444c650f1b53d4aad789ffc3e890385f6fc0092415ec81b292e2c64c1be04677a4cd2f49b7388f43bd37d0af223e0040c754b3f32f6beed8288c6201ac

Download Submit
memory/448-294-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/800-645-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/800-140-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/832-388-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/960-546-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1088-370-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1212-242-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1244-132-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1244-640-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1360-423-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1468-47-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1468-577-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1628-163-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1652-71-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1652-596-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1708-429-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1788-622-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1788-109-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1936-234-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2016-376-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2024-553-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2024-20-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2144-322-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2252-316-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2404-282-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2420-276-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2712-258-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2720-171-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2732-100-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2732-615-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2768-633-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2868-608-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2868-93-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3028-264-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3208-186-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3216-28-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3216-558-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3232-452-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3236-652-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3236-148-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3252-346-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3284-601-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3284-79-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3488-201-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3632-288-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3680-417-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3696-400-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3736-538-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3736-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3832-209-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3852-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3916-352-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4012-565-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4012-36-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4036-226-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4140-340-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4252-582-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4252-55-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4284-42-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4284-570-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4344-269-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4464-364-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4500-394-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4560-647-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4588-328-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4608-435-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4636-334-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4824-463-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4844-446-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4864-156-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4864-659-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-406-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4920-310-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4988-249-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5004-116-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5004-627-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5040-64-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5040-588-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5044-218-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5100-382-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5128-469-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5168-475-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5248-486-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5284-492-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5324-905-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5324-498-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5364-504-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5404-510-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5484-521-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5520-527-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5560-533-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5600-540-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5644-547-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5932-590-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/6012-603-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/6056-610-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads