berbew | 4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe
Size

318KB
MD5

5505a7dca527d0f584925eb8547f1830
SHA1

75d76c7eef98eb37088d4f6494c0683cc67dda25
SHA256

4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6
SHA512

146838f8058ca4507f070a3a3fd10e50242536d1f17288691a44016b8bd03c87cb8ba1d2db984fed792946f1467d0a48a2378c82274ad4b0ce6af484af4ebbb5
SSDEEP

6144:Ye2RVEQHdMcm4FmowdHoS7c5cm4FmowdHoSrNF9xRVEQHd4:YbO4wFHoS04wFHoSrZx8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
464	Nfgmjqop.exe
1540	Njefqo32.exe
3216	Olcbmj32.exe
2356	Odkjng32.exe
444	Ocnjidkf.exe
4572	Oflgep32.exe
4836	Olfobjbg.exe
4920	Odmgcgbi.exe
1872	Ogkcpbam.exe
1652	Ofnckp32.exe
3284	Oneklm32.exe
2220	Olhlhjpd.exe
2596	Odocigqg.exe
992	Ocbddc32.exe
1488	Ofqpqo32.exe
2972	Onhhamgg.exe
4804	Oqfdnhfk.exe
4304	Ocdqjceo.exe
3300	Ofcmfodb.exe
4968	Onjegled.exe
2548	Oddmdf32.exe
1628	Ogbipa32.exe
4676	Ofeilobp.exe
5068	Pnlaml32.exe
2452	Pmoahijl.exe
4760	Pqknig32.exe
4824	Pdfjifjo.exe
4020	Pgefeajb.exe
5100	Pfhfan32.exe
2472	Pjcbbmif.exe
4700	Pnonbk32.exe
684	Pmannhhj.exe
3092	Pdifoehl.exe
3700	Pclgkb32.exe
1664	Pfjcgn32.exe
3696	Pjeoglgc.exe
3668	Pmdkch32.exe
4496	Pdkcde32.exe
2420	Pcncpbmd.exe
736	Pgioqq32.exe
1996	Pflplnlg.exe
2564	Pncgmkmj.exe
1360	Pmfhig32.exe
5040	Pdmpje32.exe
3192	Pcppfaka.exe
2532	Pgllfp32.exe
2912	Pfolbmje.exe
4992	Pnfdcjkg.exe
2608	Pmidog32.exe
4780	Pqdqof32.exe
3540	Pdpmpdbd.exe
4864	Pgnilpah.exe
1344	Pfaigm32.exe
2584	Pjmehkqk.exe
3508	Qnhahj32.exe
2600	Qmkadgpo.exe
4612	Qqfmde32.exe
3472	Qceiaa32.exe
1260	Qgqeappe.exe
2528	Qfcfml32.exe
1312	Qjoankoi.exe
2708	Qnjnnj32.exe
1608	Qqijje32.exe
3708	Qddfkd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Gpaekf32.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Panfqmhb.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ohbkfake.dll	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pflplnlg.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pgllfp32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Nfgmjqop.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nfgmjqop.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3100	4400	WerFault.exe	182

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoahijl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfgmjqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbbkg32.dll"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgmkm32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbkfake.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdmai32.dll"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 464	2808	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe	83
PID 2808 wrote to memory of 464	2808	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe	83
PID 2808 wrote to memory of 464	2808	4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe	83
PID 464 wrote to memory of 1540	464	Nfgmjqop.exe	84
PID 464 wrote to memory of 1540	464	Nfgmjqop.exe	84
PID 464 wrote to memory of 1540	464	Nfgmjqop.exe	84
PID 1540 wrote to memory of 3216	1540	Njefqo32.exe	85
PID 1540 wrote to memory of 3216	1540	Njefqo32.exe	85
PID 1540 wrote to memory of 3216	1540	Njefqo32.exe	85
PID 3216 wrote to memory of 2356	3216	Olcbmj32.exe	86
PID 3216 wrote to memory of 2356	3216	Olcbmj32.exe	86
PID 3216 wrote to memory of 2356	3216	Olcbmj32.exe	86
PID 2356 wrote to memory of 444	2356	Odkjng32.exe	87
PID 2356 wrote to memory of 444	2356	Odkjng32.exe	87
PID 2356 wrote to memory of 444	2356	Odkjng32.exe	87
PID 444 wrote to memory of 4572	444	Ocnjidkf.exe	88
PID 444 wrote to memory of 4572	444	Ocnjidkf.exe	88
PID 444 wrote to memory of 4572	444	Ocnjidkf.exe	88
PID 4572 wrote to memory of 4836	4572	Oflgep32.exe	89
PID 4572 wrote to memory of 4836	4572	Oflgep32.exe	89
PID 4572 wrote to memory of 4836	4572	Oflgep32.exe	89
PID 4836 wrote to memory of 4920	4836	Olfobjbg.exe	90
PID 4836 wrote to memory of 4920	4836	Olfobjbg.exe	90
PID 4836 wrote to memory of 4920	4836	Olfobjbg.exe	90
PID 4920 wrote to memory of 1872	4920	Odmgcgbi.exe	91
PID 4920 wrote to memory of 1872	4920	Odmgcgbi.exe	91
PID 4920 wrote to memory of 1872	4920	Odmgcgbi.exe	91
PID 1872 wrote to memory of 1652	1872	Ogkcpbam.exe	92
PID 1872 wrote to memory of 1652	1872	Ogkcpbam.exe	92
PID 1872 wrote to memory of 1652	1872	Ogkcpbam.exe	92
PID 1652 wrote to memory of 3284	1652	Ofnckp32.exe	93
PID 1652 wrote to memory of 3284	1652	Ofnckp32.exe	93
PID 1652 wrote to memory of 3284	1652	Ofnckp32.exe	93
PID 3284 wrote to memory of 2220	3284	Oneklm32.exe	94
PID 3284 wrote to memory of 2220	3284	Oneklm32.exe	94
PID 3284 wrote to memory of 2220	3284	Oneklm32.exe	94
PID 2220 wrote to memory of 2596	2220	Olhlhjpd.exe	95
PID 2220 wrote to memory of 2596	2220	Olhlhjpd.exe	95
PID 2220 wrote to memory of 2596	2220	Olhlhjpd.exe	95
PID 2596 wrote to memory of 992	2596	Odocigqg.exe	96
PID 2596 wrote to memory of 992	2596	Odocigqg.exe	96
PID 2596 wrote to memory of 992	2596	Odocigqg.exe	96
PID 992 wrote to memory of 1488	992	Ocbddc32.exe	97
PID 992 wrote to memory of 1488	992	Ocbddc32.exe	97
PID 992 wrote to memory of 1488	992	Ocbddc32.exe	97
PID 1488 wrote to memory of 2972	1488	Ofqpqo32.exe	98
PID 1488 wrote to memory of 2972	1488	Ofqpqo32.exe	98
PID 1488 wrote to memory of 2972	1488	Ofqpqo32.exe	98
PID 2972 wrote to memory of 4804	2972	Onhhamgg.exe	99
PID 2972 wrote to memory of 4804	2972	Onhhamgg.exe	99
PID 2972 wrote to memory of 4804	2972	Onhhamgg.exe	99
PID 4804 wrote to memory of 4304	4804	Oqfdnhfk.exe	100
PID 4804 wrote to memory of 4304	4804	Oqfdnhfk.exe	100
PID 4804 wrote to memory of 4304	4804	Oqfdnhfk.exe	100
PID 4304 wrote to memory of 3300	4304	Ocdqjceo.exe	101
PID 4304 wrote to memory of 3300	4304	Ocdqjceo.exe	101
PID 4304 wrote to memory of 3300	4304	Ocdqjceo.exe	101
PID 3300 wrote to memory of 4968	3300	Ofcmfodb.exe	102
PID 3300 wrote to memory of 4968	3300	Ofcmfodb.exe	102
PID 3300 wrote to memory of 4968	3300	Ofcmfodb.exe	102
PID 4968 wrote to memory of 2548	4968	Onjegled.exe	103
PID 4968 wrote to memory of 2548	4968	Onjegled.exe	103
PID 4968 wrote to memory of 2548	4968	Onjegled.exe	103
PID 2548 wrote to memory of 1628	2548	Oddmdf32.exe	104

C:\Users\Admin\AppData\Local\Temp\4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe
"C:\Users\Admin\AppData\Local\Temp\4549f5932a8f39f28aaf565265a5dab2d92bb3426383b5ed176df95ebe9dc3a6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Nfgmjqop.exe
  C:\Windows\system32\Nfgmjqop.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Njefqo32.exe
    C:\Windows\system32\Njefqo32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\Olcbmj32.exe
      C:\Windows\system32\Olcbmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2472
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3700
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        45⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        50⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        51⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        67⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4172
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        70⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        73⤵
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        74⤵
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        78⤵
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2076
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        91⤵
        
        PID:996
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        92⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 404
        102⤵
        Program crash
        
        PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4400 -ip 4400
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
318KB

MD5
83ad3ab45150e114956436be2a4e34b4

SHA1
e80de67dd63531f2df604d0bed96dc1a5ac8ee14

SHA256
430312b592c28873eacfa0173c727edb8eb19e6cedda4912a1dc1cb36bbff08a

SHA512
47bd32d4913f906e05d8770f3d5e21516ade9bf6ca92b31cb71b9eebef861f189f61d309f82755d7b43db568c7529de03267b5c616f812ddf5726d47c2db90f8

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
318KB

MD5
7c4bc03f7fd0d902ac33581f7efb51ca

SHA1
f4e4e5ad51a08cde46fa5ac1b27fe422181687ac

SHA256
78bdc07bcd08378e292c10fc4c9efd0d52f0666a52304b4c743a39c71aec8fa6

SHA512
2ce1870b250e8e81c45bac3767c3ac178f52710b0c99ae0ec1f182077b55840c85c0496813007267cfa57e726a35904bba162db7cd47f35f30420a6c2175d142

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
318KB

MD5
b31c1f645878d6a1fb52e4f0ee369513

SHA1
192054bebc0a1e6ad347efba719e2d6f5f0b0b90

SHA256
1ddd99c0c7fb4b286ffbd092b39959d83b695ca772dad1833f43624e9a29431b

SHA512
57fc433bf6b853c510a0e3401b7d181d2c8247805b0f5aee5a794d85d1b52e9146a65efe88d69341cb9c9c83563b6ac5614241076432f07bb98a0432f06a826e

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
318KB

MD5
bf75692ec433418ec5bc765b53d8aa27

SHA1
c8c4aa49b286895ec17523f210e61a279f1b20e2

SHA256
d09f062560e65d0014152cd2077a0fdda05ee928362821c7a3ae20ff8c326b34

SHA512
02e0fb2f01ea3565e3660b357b7dbaba556b45767db321bd7463adf50ca362c152406f807355b21216ff1027dfe05c749fc905da045ecf10cf6fd051b82f64d8

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
318KB

MD5
59b41cdbef716cebd3ac6e5f3810e3a9

SHA1
19d4ff528c51fe70dfbe22166ed8a9205c5da2c9

SHA256
f561548c12b662de61c2e66b0bfdb7f0f6174b1b974379d2aba47b74bbc16257

SHA512
a457384da1ebc93de9d105949112cfb41c028c908aa79ca8ad17bca58eb598f757de084d1506f34f53280238fc32dd02821447cb127b13417a02a9496366a358

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
318KB

MD5
6f3ca19900cdbf9068f383db49d93a8b

SHA1
05dc84a53de533d353fd8aaadc666e0362c22215

SHA256
10fd821888d10a91c5ef067f0f3e503760590e8460e94c78d2b442566b2f2f62

SHA512
069e97b78a853402db37ddbba888c14280d3146b5fabad0df3be22293b52c995a4e0822bbb3747fd906aa670195a07828e6a3d15c050a81ddc0e319d5f8d08b5

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
318KB

MD5
7dd0c20b64fb3dafa19ab7d69ed1f96f

SHA1
1e9aa4a87e358d23e44c69e9f57beeddd52abfc1

SHA256
8e04b1cc464e747bf8dc925d292d91a7d7fc40e8395d6e07b14b49111a498e9c

SHA512
75e97b6ec8af2b4a04f0b9b399d8fd3c9e2656b6ba5c289480948991f9fcda8c01507617b865a217340aa434cf6a7e4f49af87c329d3057907b7aeb3c8b24535

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
318KB

MD5
a2935f82b079851a3efe7de4cf8fc6f6

SHA1
a27bb2f04346a2b13a6a0f077cee7e2662fbb4d4

SHA256
5e0501768f5806ed84645b930dbf39dc0b3492c8d2df4cfb2e8c3961186f2cc3

SHA512
6ea435b0329ec77c46f033ef7740c3b1dc5e86b737a94f1f3cd8d7ea29adae7453342ecb808637ce8d1674c359a0fece0fed947dd6572c1aace3392550072abe

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
318KB

MD5
38495953aea07b90a146430c621ced4f

SHA1
3a50418d2ecd8a9a95056f4c53e08e2ea4c2a274

SHA256
a321291e79ae2a3f046f75803d4cfe276cedf17359f71536cdeee0e8133ae927

SHA512
18320d98bd9c1743e43498d05fe77deb6210bbbf01d1bbfa5c5932b360244f98662a000d7655e77a9ab24675c40b02e6090bf703fdc33b702c1c49ff4ba08b42

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
318KB

MD5
33e23c75e26a4b25fe500e12010ce5e8

SHA1
60ba866840b9a3b462bbc9ee2f5242e8a642a207

SHA256
bb53c989b2c5a6ffd2ad8b4a205861db3136290f4cdcea62ae777335de9dac7c

SHA512
29261428a29dbc1dc57e2bea96ff084ec279f7490eb5a615a447470b20e2f39b6f38d8acf41099aaf55a0b0f93799a33ba979b8ed81d6360ca88831baf61858c

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
318KB

MD5
b14058671a67892318f3ce834ce46965

SHA1
cf3e2bee04e13f49be3e86dd34027bc0af2a3d79

SHA256
ea323a04704bd4bf9b050794635275cdb06e96f73eaedc1893c3048e21f3b2ba

SHA512
f8667395e024905ed36912d33bbbfbfa3d4065f84e8d43e945533b834318aff151a0347b2daa5164fd9ee9dfae8690fad5613bd2d61cea1092d6f63aa66ef842

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
318KB

MD5
4e28458890a1e22ae2e0b7b5de48068e

SHA1
4f53f18fffffdfad22ac9eb98638279276cac5be

SHA256
4583f088e109699a0dc6446c1da90a6c716d227bbb9db96418c60461c277124f

SHA512
b192ae3c777d8a3a1e4abe2c490cbe06ad6513b971d9cd2e73b9c6ef6c7cf0cdec96c151be7d5273f80a0989ec5acd5651578b5a3f8abe11537695537d4252d3

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
318KB

MD5
a37a926dd8fbcef119f2c87d170f2076

SHA1
97a655e4804d6dfaf1435e6fad18cd4c88ad7bd5

SHA256
549133908a90b06d2bb7858e6ddc4b13bf62358a6d547acf9fa453daeef3bfac

SHA512
86add429a8b3d0c70378f3da3737451d36072221f9b9f0c360c92f2624e09fb6bee6d5dcf19f4ef96ed7d403b31cb4f50139fb71d475badf31ee53482dcfdd44

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
318KB

MD5
7e5ce522475a79f13297f249b8d1fcc4

SHA1
8771a834faf4ded14c0f68a9e10e213cb6b0387c

SHA256
83ac639c5f934d948fb51419dcfe38f6d2990b9c848a8584554f0c705a4e7b0d

SHA512
d5a15c0f4013a5ba8cb56403b13c5cbd894b5453d02e261f400305362eb268ea7f7c88d5d60daadebd2e38983100f83e0c71e76ba49c94cb0ddbc1a640453b87

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
318KB

MD5
f5cd1c5eae21125d30e55a3035312802

SHA1
ec935a94d470fac9f6fb075fc2f246787d7e02a2

SHA256
1e1275ea76b5520f57c72e8ac0abde8384893d584fbfc6a34ce649f687b4f016

SHA512
a9e68040cc011885d00c5f06dbf74aea5375ea8905092934043512a797b3bc6ed1d5a7fb62a67104b0429f775c343b9d2e84d039e09bcf60f03951a2d901e720

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
318KB

MD5
9915abdeba59b5b01e9d6c95f0297be5

SHA1
ba0751f80d3f6ddc377850063160a2a6c8003cce

SHA256
8a8590e25796c2f24a1c2a8cfa2afaea60474394cda345dcc5476ce060ef98f2

SHA512
ab140705bd6a82d1965b4cd4f2e4698f5c8a2948f9a1debb9631f313c5226aface0111eb42bea3a8f20d4ccf54f2c031554cd8a8f562ede9e12e2626ea695d65

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
318KB

MD5
35bc14dd70ad2a9cb55468f7cbcee83b

SHA1
e58308e1af9d78169ffbd65b345a3e131ce1609e

SHA256
09a38166fd68e3ba98708b8f722bf649cccfcd1cf0e3b1885981e4f81c7fe171

SHA512
7ae6bf63dc9d4b4e0a7449ba50afda42f882c8ea78a04e42ca4fa76db2464c47ccb5cca3ade7086e83668207477e0a5a94da78206b262b113f8e9ce5f96621d1

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
318KB

MD5
aab549d8a78037b71181eec0f980e07e

SHA1
3b57b2348a21c61de3cf3588d1f9f28436fa0fca

SHA256
566c76f060f39a0f01058a1c6be0c83989f4ebf143af48663807e263bf498d6b

SHA512
10139ea17839c0d1ed84611e2c2c94f3f9a41bcc93fbd4ac50401bbfd9f0dd8b2d7c2d9b0ba571b9eb2990a403f149cc19ab832d2c036eb6a9fc1f4bcb0e8a35

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
318KB

MD5
2663bf272a4a721026e1dc186cbd6ba7

SHA1
8a789f7d8b6fc8fca9f249e5ce78005e47f4fb84

SHA256
10802286f78f7cf17dc35c7ea045d87393eb36a54670659f1a27a28f4ccc5412

SHA512
4b391ac1b3261342d0f6a236ee891de2eafec7cbc3bc4cba607f8e00241aee01575aca3321c6127d6a7e0b1c0d41a9612b6a6c201de714bbf08831fa5f412e3d

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
318KB

MD5
df4113ec25979ae28043c930ae60c88a

SHA1
808fde22c37c5df99fcd75a8e20a422496c6b8fd

SHA256
d5e0e577f71ae2aa6e7de3a10bd9995e7aa2345b1c15b80c1f1c7a9dac85e929

SHA512
3ce8ec07be6b41424ab8eb4d26f39aa8dab20bed1eb6e7207fc5545cee10ca41c898a7a19fdf09f85e7b34c24f241cd56b8fb43e551e240b476569b738115c24

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
318KB

MD5
456be3fb6a6f14590e7600f14869654d

SHA1
c15eb74b25285682666370555013429a03bc52f8

SHA256
566e84f1bbc0271073ad1037404f6c0768267e5991baf21541b5bf9641472915

SHA512
457b6f40f8b685d951fbb67ec076dc80d34f595d6404895d85a096f03ad7448ded7366fe31110403189475d1d668a415b742e05a296f545f37c6a8ff0333c2a3

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
318KB

MD5
7c954344d58b8a10fc23520332696008

SHA1
c52937f2ecdfc1c1fd2bfc3ede648fa7018fc526

SHA256
5ba75c76d767e50ec98660104721eb1c57fdecaa2b253d7f7cc0919f5308b042

SHA512
43496b4933a70eef1dca5b898742c7302a7c93615b227c21164d911cb0f3b0b0e5ab105d18d61e697e6c459cab7a8aa35b3cdcd7c6c657e9c6bfe50c3525c513

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
318KB

MD5
c29cbcd686cff9136135626d08d1b678

SHA1
8cbc044785fd1781af0820be719c6da63168dbcb

SHA256
5d8ddbdcbc29cd4a5c4d444cfff5f80fd7738b1673f487b5b17fa7aaeb082d9a

SHA512
f51f588ad12169f81ba78dc77a0f72fa05a6dc76e9c9bbc84f1dad4f01d18b4e5a6c7b5dae2c9d35c686a7372664e0e43fa5500939b9911bce7d0dec451884f7

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
318KB

MD5
9e3a8c088ed8ac2f7b74958748d88164

SHA1
9e01866b8719360074c162167c9e8a2282168145

SHA256
b09c920cf50572baa66842512131f0d074cdc02390a4427149cdd73d93e982ca

SHA512
eb1f2cb0d426ec303722182f925b86f57c40a3ddd1b3046e97daa8eb0abeb3f4cc4a12bbd1056809d47e331c5faa0cdb06618cb9aaecf20241d055b1d7d93487

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
318KB

MD5
c9ebe633b24d24df4d39e42f5d783fb2

SHA1
ac44f281bae42f57607fa26c7c1db2e8ade7383e

SHA256
75f04812cf84c92f80990e34b751b6e292bff96f8087742df118215641fc5391

SHA512
e15287db8ad8487cfa7b7fcdc835f10a4a4e4f99542d90feb4d9e94d02fe65954addea57ec7af51719ddc7ba85937a2ab09b7c57922ec353967b3de46650a868

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
318KB

MD5
596ac594d21ae01cdef6eb365fc4f260

SHA1
05f6ad00d55a2d3a87696c067fb7d1a67f026bb5

SHA256
9775a089f80a86a269728d4f5feee8c8ace425ac1b1baae045da22b8bffde4a8

SHA512
b08aa64ae18cf8104dbf660c2b75e5bda432c84f996846fa65e0079befd90c2eac72c04f8d8563d6aed4f784f10f993454e3049e109633e9adb47c8eee06577d

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
318KB

MD5
e37ee41c423cf9d3463660b38256dc77

SHA1
5e2cde80cd81add88ab41605c38667bd02bf9e77

SHA256
6ecbeda1009cf2f463c3d33fc7d2a7c8929c089086cc351f2490413875ccb259

SHA512
ace73f5bdc91ca95e87694530fd26fdce32f826fce6c04129b5283fe3d83097624ff86af7c9ac3fae0a54803893fb7c83fb3d18110780e554036670b80217745

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
318KB

MD5
f3ac4126319ba73f7152104fd4623dc1

SHA1
6a7567256437eda74b943ffde838d6d885b4eef0

SHA256
e0a389b9328dc22328d9747707c8e4328230d4f68f5efb92bd8c1d11b8c75633

SHA512
0549ccafdd655a8164069599bab10b49819148630523de3218ac99507b62b19c8f1f942ea721a6b063c81d597f05e4b9cd37f0bb4eb29d4926437c2d475cdc56

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
318KB

MD5
b0cb714c65014da798d0d12a191ec37d

SHA1
2ddf7498af141c1321499ce8f5e72c160bac98b3

SHA256
a857aabc7dfd0344ba1c7ad723ff111011f68692b6972999ce0ddfb654ad400d

SHA512
3c71a696e711432670190e7d3ff6cdacd880d465fd64ada0fd85c2db8711d922a2f3b2eb117bafc6eddbbb8d65b0cd8be08524b4a814fdef8b632a2d7fb54bbd

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
318KB

MD5
0fb308bbf137b793ec8b3c9cd50ff8d5

SHA1
2e4c010927397c36aae613cb6119cd55b536abc3

SHA256
377c9e35a9b8726402d906d63c0fb7f9beae1448c1521d90ffde75d9f894c8cd

SHA512
ccc288f36b102234e59532c5136e37ca636697674f34f4afd9c734bd6d277c879ca309b0e0bfde968cd1a041b669f342070019067628645f98577865ac1ffc95

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
318KB

MD5
c335c385350bbe6e8d5f8e17fd742f7f

SHA1
f88fca7c2dee8235ffe53412b6ac086ef62bbb34

SHA256
3db6dca2abad574b3c8bf7f0bcb9fa8e087223107ca96e51b1d04132cf9ecb5a

SHA512
8e782059fa45adb64e50321d5297fc8873c3fc546041b0fc7f15c4f7ec7de107f9d8da3795d628c723728ccb63ace116f02dc611307e7f32d0422864c7fca1f5

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
318KB

MD5
65fe8fca413b0c390516e49a469781d1

SHA1
24e28d9f63d0cd901b10614a61a73f5f07d1dd8d

SHA256
ebb983437b6b51916410cafb3c890f3dd581d2de0a0ebc1453c3b30b1341eaa7

SHA512
f625b13ef87a42ee803f7fa61893e9ebfe39a25d6d2b4caef380872293bff27a59229a2f2bf3d90f097cbae444c58761722d854d001c370a3c736f1df9174804

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
318KB

MD5
0cd85979ff408e879580feb5b7015a79

SHA1
048f484475c0306495bc30db5ccabc3291a01412

SHA256
da5b2355144a2cfeff1dfd6932494b99dbc16d3f856e459bf5a8ac013298bfb2

SHA512
e4263d2076af1f8cc750f715157bcf84c2235a90dedeef96825565e1eaef5e5a688a2b12f229b5890b5c4ce02b98f1e51d3e0aa20465b5dbf49ea46b35cbbe0e

Download Submit
memory/444-465-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/464-7-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/684-510-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/740-657-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/992-477-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/996-645-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/996-567-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1052-631-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1052-613-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1152-583-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1152-639-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1216-589-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1252-691-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1252-539-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1312-531-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1488-478-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1544-636-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1544-595-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1608-537-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1628-490-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1652-468-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1664-516-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1864-677-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1872-467-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2000-553-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2000-653-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2076-665-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2092-651-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2220-475-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2252-693-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2320-629-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2324-679-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2324-543-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2356-46-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2380-541-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2380-683-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2432-663-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2472-508-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2512-669-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2512-550-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2548-489-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2596-476-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2608-527-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2708-536-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2808-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2912-525-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-681-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-542-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2972-479-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3092-511-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3216-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3252-540-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3252-685-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3284-474-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3300-486-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3320-632-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3320-612-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3372-661-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3508-530-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3516-601-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3516-634-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3540-529-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3584-687-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3696-517-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3700-515-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3712-643-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3772-673-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4012-695-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4172-689-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4304-482-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4376-647-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4376-560-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4400-627-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4400-624-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4452-671-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4452-545-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4496-518-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4548-655-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4572-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4584-554-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4584-649-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4676-491-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4700-509-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4780-528-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4804-480-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-582-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-641-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4868-659-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4920-466-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4968-487-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4996-551-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4996-667-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5028-675-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5100-507-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads