berbew | 7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
Size

80KB
MD5

310024cb4260af31e97779319b3ef2b7
SHA1

c875e65fe7774ee60f4852c87454e97e46d1789f
SHA256

7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6
SHA512

75798f8f34eb77a599ce8e0c4fe389047b077930672ef4ead195abd9f2f5671b6e6486b0117c9b3f107ff7b472397ba39cf9d976beab3d2a3ee03853b46a9fa9
SSDEEP

1536:ROrJ8TiJwsaKoAELyrQehnnE52LyJ9VqDlzVxyh+CbxMa:ROrJMieKo4QeyyyJ9IDlRxyhTb7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
464	Opakbi32.exe
2496	Ocpgod32.exe
1452	Oneklm32.exe
4580	Opdghh32.exe
1596	Ocbddc32.exe
4808	Onhhamgg.exe
1396	Odapnf32.exe
1032	Ocdqjceo.exe
3620	Ojoign32.exe
2920	Oqhacgdh.exe
3328	Ocgmpccl.exe
1028	Ofeilobp.exe
2256	Pnlaml32.exe
4812	Pqknig32.exe
2264	Pdfjifjo.exe
4448	Pfhfan32.exe
1272	Pnonbk32.exe
4360	Pqmjog32.exe
3272	Pclgkb32.exe
1688	Pnakhkol.exe
2392	Pqpgdfnp.exe
4020	Pcncpbmd.exe
4552	Pflplnlg.exe
1592	Pncgmkmj.exe
632	Pqbdjfln.exe
724	Pcppfaka.exe
1056	Pfolbmje.exe
2936	Pmidog32.exe
668	Pdpmpdbd.exe
2620	Pgnilpah.exe
1488	Pjmehkqk.exe
3888	Qmkadgpo.exe
3564	Qdbiedpa.exe
980	Qceiaa32.exe
4192	Qjoankoi.exe
1076	Qnjnnj32.exe
2720	Qqijje32.exe
4440	Qcgffqei.exe
3588	Qffbbldm.exe
1564	Ajanck32.exe
3904	Ampkof32.exe
3796	Acjclpcf.exe
4156	Ageolo32.exe
2968	Ajckij32.exe
4952	Anogiicl.exe
844	Aqncedbp.exe
4396	Aclpap32.exe
3168	Afjlnk32.exe
2996	Anadoi32.exe
4740	Aqppkd32.exe
1632	Afmhck32.exe
1748	Andqdh32.exe
1548	Aabmqd32.exe
2552	Acqimo32.exe
1968	Afoeiklb.exe
3388	Anfmjhmd.exe
4392	Aepefb32.exe
1844	Agoabn32.exe
2352	Bjmnoi32.exe
4276	Bnhjohkb.exe
3480	Bagflcje.exe
4860	Bcebhoii.exe
3136	Bfdodjhm.exe
624	Bnkgeg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pcppfaka.exe	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5252	5776	WerFault.exe	207

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 464	4764	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe	84
PID 4764 wrote to memory of 464	4764	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe	84
PID 4764 wrote to memory of 464	4764	7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe	84
PID 464 wrote to memory of 2496	464	Opakbi32.exe	85
PID 464 wrote to memory of 2496	464	Opakbi32.exe	85
PID 464 wrote to memory of 2496	464	Opakbi32.exe	85
PID 2496 wrote to memory of 1452	2496	Ocpgod32.exe	86
PID 2496 wrote to memory of 1452	2496	Ocpgod32.exe	86
PID 2496 wrote to memory of 1452	2496	Ocpgod32.exe	86
PID 1452 wrote to memory of 4580	1452	Oneklm32.exe	87
PID 1452 wrote to memory of 4580	1452	Oneklm32.exe	87
PID 1452 wrote to memory of 4580	1452	Oneklm32.exe	87
PID 4580 wrote to memory of 1596	4580	Opdghh32.exe	88
PID 4580 wrote to memory of 1596	4580	Opdghh32.exe	88
PID 4580 wrote to memory of 1596	4580	Opdghh32.exe	88
PID 1596 wrote to memory of 4808	1596	Ocbddc32.exe	89
PID 1596 wrote to memory of 4808	1596	Ocbddc32.exe	89
PID 1596 wrote to memory of 4808	1596	Ocbddc32.exe	89
PID 4808 wrote to memory of 1396	4808	Onhhamgg.exe	90
PID 4808 wrote to memory of 1396	4808	Onhhamgg.exe	90
PID 4808 wrote to memory of 1396	4808	Onhhamgg.exe	90
PID 1396 wrote to memory of 1032	1396	Odapnf32.exe	91
PID 1396 wrote to memory of 1032	1396	Odapnf32.exe	91
PID 1396 wrote to memory of 1032	1396	Odapnf32.exe	91
PID 1032 wrote to memory of 3620	1032	Ocdqjceo.exe	93
PID 1032 wrote to memory of 3620	1032	Ocdqjceo.exe	93
PID 1032 wrote to memory of 3620	1032	Ocdqjceo.exe	93
PID 3620 wrote to memory of 2920	3620	Ojoign32.exe	94
PID 3620 wrote to memory of 2920	3620	Ojoign32.exe	94
PID 3620 wrote to memory of 2920	3620	Ojoign32.exe	94
PID 2920 wrote to memory of 3328	2920	Oqhacgdh.exe	95
PID 2920 wrote to memory of 3328	2920	Oqhacgdh.exe	95
PID 2920 wrote to memory of 3328	2920	Oqhacgdh.exe	95
PID 3328 wrote to memory of 1028	3328	Ocgmpccl.exe	96
PID 3328 wrote to memory of 1028	3328	Ocgmpccl.exe	96
PID 3328 wrote to memory of 1028	3328	Ocgmpccl.exe	96
PID 1028 wrote to memory of 2256	1028	Ofeilobp.exe	97
PID 1028 wrote to memory of 2256	1028	Ofeilobp.exe	97
PID 1028 wrote to memory of 2256	1028	Ofeilobp.exe	97
PID 2256 wrote to memory of 4812	2256	Pnlaml32.exe	98
PID 2256 wrote to memory of 4812	2256	Pnlaml32.exe	98
PID 2256 wrote to memory of 4812	2256	Pnlaml32.exe	98
PID 4812 wrote to memory of 2264	4812	Pqknig32.exe	100
PID 4812 wrote to memory of 2264	4812	Pqknig32.exe	100
PID 4812 wrote to memory of 2264	4812	Pqknig32.exe	100
PID 2264 wrote to memory of 4448	2264	Pdfjifjo.exe	101
PID 2264 wrote to memory of 4448	2264	Pdfjifjo.exe	101
PID 2264 wrote to memory of 4448	2264	Pdfjifjo.exe	101
PID 4448 wrote to memory of 1272	4448	Pfhfan32.exe	102
PID 4448 wrote to memory of 1272	4448	Pfhfan32.exe	102
PID 4448 wrote to memory of 1272	4448	Pfhfan32.exe	102
PID 1272 wrote to memory of 4360	1272	Pnonbk32.exe	103
PID 1272 wrote to memory of 4360	1272	Pnonbk32.exe	103
PID 1272 wrote to memory of 4360	1272	Pnonbk32.exe	103
PID 4360 wrote to memory of 3272	4360	Pqmjog32.exe	104
PID 4360 wrote to memory of 3272	4360	Pqmjog32.exe	104
PID 4360 wrote to memory of 3272	4360	Pqmjog32.exe	104
PID 3272 wrote to memory of 1688	3272	Pclgkb32.exe	106
PID 3272 wrote to memory of 1688	3272	Pclgkb32.exe	106
PID 3272 wrote to memory of 1688	3272	Pclgkb32.exe	106
PID 1688 wrote to memory of 2392	1688	Pnakhkol.exe	107
PID 1688 wrote to memory of 2392	1688	Pnakhkol.exe	107
PID 1688 wrote to memory of 2392	1688	Pnakhkol.exe	107
PID 2392 wrote to memory of 4020	2392	Pqpgdfnp.exe	108

C:\Users\Admin\AppData\Local\Temp\7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe
"C:\Users\Admin\AppData\Local\Temp\7c191078ec21fca385520bde07ef7f5b569e2ed09a42e04c0e2fb1df81b1d5a6.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\Opakbi32.exe
  C:\Windows\system32\Opakbi32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\SysWOW64\Ocpgod32.exe
    C:\Windows\system32\Ocpgod32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\Oneklm32.exe
      C:\Windows\system32\Oneklm32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        30⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        36⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3796
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        44⤵
        Executes dropped EXE
        
        PID:4156
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        45⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        48⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2996
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        53⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        60⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        66⤵
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        68⤵
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        70⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        72⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        77⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        78⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5460
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        88⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        90⤵
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        93⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        98⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        100⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        106⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5488
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        108⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5708
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:5824
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        113⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 404
        121⤵
        Program crash
        
        PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5776 -ip 5776
1⤵
PID:5988

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
80KB

MD5
cffb5d934f53628f97c2c2d2ded1e18e

SHA1
8c87fa4ab39c46061bfbee7a1e4fb29c4b3f2164

SHA256
f303efd6fa8e1da516a96def6d97eb6aba44b53e48fa202c757e3c85f501f8f5

SHA512
c2c0f58e3722febd33b45a89da6c60a16d6513c6713fc3c5631db8242b3a490797434e07de1c54379e4f2abff86c7206ec245a8862575aa50d06e97c03043771

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
80KB

MD5
17ca8a9ca0d30ca64bd1268161293341

SHA1
1b8ccd8411f2e736a8115c41b2bc1db1737a8281

SHA256
ba4841f2882d38db2d62512465694a359f39837e54f9beba7314788faf9db18a

SHA512
fee0d54e327de816907e48e0d9ea30667c2ea332a52724657b034dce0d4c742e2378630e7b4e81ccc2a1562d1f1cf6c6978ee10aa55d8a07ca2100fa831adaa8

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
80KB

MD5
938af2f4fed0e79e75bc743198a72817

SHA1
70b98c2302ebfa939e81908e260b1ad5352c6beb

SHA256
3bafe7f6e3eddfe34b09309b9f9937a68edd8003d6f211d6a4464d509b817c9d

SHA512
7a0cf9715470d0850046544ae29cea92127d992421d3d8a131cdb4c0eff413a7c416da65f29ce532d2a3208ff491a2d2aaa27e2e7d70b409c3f8147d33810f20

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
80KB

MD5
a3cfde67994f1dbc2cfe20c62eff27d9

SHA1
8bdb7c6291679eb62e743b1898e3df1b08694ec4

SHA256
668ec15b4009e9230226b128bddf1a0d91c6f587c6fb9e122fa686572756e9e6

SHA512
a92ecf5cbd6c3109916505530ff73fc49a6d24418711d37f63a1d1728d2fa0e282869af1f4a253e874b4860a49aa64731bcb5cab1a42085776005230fa039183

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
d3d703d467f0c6281e4cbd0536cf47ec

SHA1
3263ffc87edde2fd3d46d6853444dc2b8d188e27

SHA256
a73ebb74bcf11c95bb1ad14ad3d16e336bcc3980bb9f41af6049f9cf7c4e8cd2

SHA512
5f3dd8773b7a3def0461ab9d2bda93b49589971688e0ee1c615a8948067ee27ee7f2c079fd2505a9bca536ed7d97360992fee138ad503190a7437f659afcf8b4

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
80KB

MD5
ecb986f3a13fe61f9ed174e84952d62d

SHA1
3e9ce14360eadc5ee52b79dca9f4bdc85894bde0

SHA256
829c2f0d4d2b987043f5ec9aa9d408f665df7ff9795ebfa1dada5f7e45ac3fc0

SHA512
152382a6ff47e2d7d32d2edfa3d5f7e5f8a69c0b641f2f9aaad084767a57238f84653b1d5c02be7ec898f7bada84a80a0e6165eaaf71edc5a018c9ffb5aa2f4d

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
a7c8fcd19af6788f32e96689ee52bfa3

SHA1
a04572a3166c79532d75516b3228235e05cdae36

SHA256
119f17a674fa561db6b3dc3dac9f6f83bc7bd6cbb0cbcf912b0c9a3d878d7dbd

SHA512
679a05ffa9b21476d166e73d579cab86befcdfaef071bb9cb663a12f43801ef0a3fa819e5a5a330bcf1bc79239dee92b97569015476c624dfbd0d6742d5fe64d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
80KB

MD5
a01184bff99e366211aa21ffb784850c

SHA1
3b739397b4cc0af03781cab16554f8a3200c3542

SHA256
ce011d3764847df059c5097ab3efdeb325536acf395624bad1c733fb0d4b35af

SHA512
a53eedb65ecd694f48fe7e71e98292164fa4edd3772ff4a388a21da1a9eb120b251e0199979c719abd58cd9239239ac27961eb838f39dae92a0720899b2a1f08

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
80KB

MD5
5f30cd492596cfa0349164d9c510458e

SHA1
f57d00f3c140516355cfb180559c5e86939b9f69

SHA256
4f7b9e0a329a4c5ed9f28aa3faf029e693ec73dcdd3a51132ea487930ec1132e

SHA512
01b1427d3dc538e9e59c7f44844629706da7fe103c36cfc6bcb998fa2812b27456ed19865e1473f1d5e0f984b1f866cc9056f2d77765a008d2181638fc973209

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
80KB

MD5
bd23c32cf46e8322b1b212167305eb61

SHA1
e1e5bebab979eb636274c216f10cbc07971fc37a

SHA256
973526f7c5a4e622c476649809fd442b723c6d020d8f1fae5d1e2d03baf7c99e

SHA512
d099a72cba67331f1dca547aaaf78583a36396752e08acd8a258759d9d1dfb421f97e44e2bc374952eaa59a6226ff6f42182f4e6b47c9cf7735d60b061cc6648

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
80KB

MD5
1ebf8f7e4bd502e3500607b559f92151

SHA1
c190ffa51927789269ad8eb114a8876431f981c4

SHA256
7ee16fc8771dee6746eae6cd6071b66fe6169eb5f221a6cfa6969569f2d7fd4d

SHA512
2bc2fbb57e8ae9c1955bcfd850e62f3253a2e10c8ef813ec085ad6179d410d65f806b10cb29040cd2117131333ea6c62cc35eb0df3275a335f8d7f9264e40602

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
80KB

MD5
f337ba4b66f7d6387d30927b2c8885ca

SHA1
323064d39c3c6480c7ad008e716164be9789d330

SHA256
513ae26333e075d3a0b3dafdbda37490d0c24c82052248f2e9baec8b66ae785a

SHA512
97c60e47990d4ce3cfe9223f591aae86415d6e43cc770ed51983dffd3505bec9fdf8d018a829dc1bff3fb3a3dc8f8d747ae11606d4e87def7a3a8a7a423b45f6

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
80KB

MD5
8e8f51cc218c90fb4ea87165f8fce55d

SHA1
823526c7f956464871fe18385a6474e886b72e3a

SHA256
d53c327121732a145f684f193dd3b505e13c54c2d822203961de1f1036ed9990

SHA512
3656f75a2dc2439ded582c79bebc7fdf2148ed3adea19b800f6219c37defb22ee647ae6e5233d769e5fcb3464c237a919fd5d45b86ecc7957eec5fd60e43d1d8

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
80KB

MD5
81fcff65849f121f32fa2b011e2bb8a7

SHA1
28f161326b742667723d1f54e796e8ebf763dab3

SHA256
4b952a04dae50475f1b25be2713d0c05e4841ca061c6f7c03adac439b71f90f0

SHA512
232944ef094f549f26c2434373d1df7045f96b05837652dce8d39d94ae8bef38f7b0f8c16f36eacbb9f3cc8d593d0b6d13fd6cbe38d54d75be3addd72f288b03

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
80KB

MD5
663df760667ed673c3c8d8bfde613b8d

SHA1
b6a65bdbdb76c16f346a7133f74a759208d9505c

SHA256
bc9b68ed3e37bc50f613f7a9aaea2ce5a1bbca24cd247e04da934dceeea27c57

SHA512
a54d6bfcbae1b88cf743a3ec12d8bd93bdc619ecd16a4f01d8d28e2d91758c5d34e2e42139e9f9c03eb7791676782db2e82870c752437801fbade43921f29ef2

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
80KB

MD5
1aee4e2484bbc7b2879fcee119dc5cc6

SHA1
e1fce9e5ee36788890acb68430e7d4a6003c5a82

SHA256
8822c45ecc649152684130499ca7069d004bc728f1e5f9e9fb616d4ead5d9fa1

SHA512
c470c17b5b1d6563a6e1795ac49dc736c8dd75b0b2edebfe1feacad57e4467e75212d610fde4023cac30cec2bf0a29493fd5e2ca2cbacab65a29dbcde2e2eb99

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
80KB

MD5
9cfc6346de499e84fd8f2307947f8aee

SHA1
48a250d952bde75b858f620af97ddff28e45b2d9

SHA256
3efb1948ef00c1beabefddb23e1152837da51b5b56f69d1d70a5e6e1c4e96048

SHA512
35c4212f83f33cab3ac804003c2fa07431a240e1207f57f32f6a7f6a79fd12554b3f64d7b01b31a441ed9ecffd855ed8b241ca8d3e40e590f55310472826e7cb

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
80KB

MD5
131eadf63ddbe4195e2a2d51e82ef238

SHA1
4d522d639ed285bf0ca4069eb9870fe33faa9029

SHA256
191f1b354caf57799329c938d16624817a2c8f9589d8f8359405b5f3c5d90343

SHA512
1a9c63832204a683d91b9c97050cdb5dc403eec73bb0276135f5d0ffdc4e632aa8898a26e947c5c56132a206d7e29cc276ab786c0e18b49bf628ef13f3528c7b

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
80KB

MD5
9a1a8180017cd9d922bea3c3f3509946

SHA1
6bbd7787c3dddb0aad3e463a7ca62d3563717328

SHA256
d4ba02f50094e5380bedcc1a4f620dbffa3ab37357e1b03a2f8e87133a96c610

SHA512
5584f3365cf7f219c37d7f15a7dbe5d19409c2fafa2f1b999a43a1a995a208f78b5620f3c025f2d3944770686ab970270aabea65b854798bb5fbcff8002066ea

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
80KB

MD5
bc0ff78a3fb88e8be170e8e036a7674d

SHA1
e49b0c2eb3f367f67eeff8a0d2124a3c97df216e

SHA256
f98bb9631fe0c1fbef1dd2e3048d6898eb3408a90e61d4a86f67cb39fbcfb4d6

SHA512
9125a156d0d55abd775c6c6c10e1760302b0efd65bd2ec24487a015c49ad5b64c180e6389397e5f042a92abeda150271e3364e12e7c2b464bbab43d1ae41eecf

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
80KB

MD5
0763d3259175e2958c572b1f93e2232a

SHA1
f5274362a1ab2fe2af84ededcd8f2c2835eb173a

SHA256
953c3e2d0adc10239988df6ceecf59c658e9531a41071cdbbb1c71ac6a21fbbe

SHA512
057e66954f098a811e0c4262d1d365cf2379da848705ca6312dfc458ec55ce2e500d57aca001b85141a0821f0901aefc434386a8f3806583bea5fa93d9e38cf3

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
80KB

MD5
8b4fd6ad69bf7909cd1b31f84d63f53b

SHA1
a936d488c9665ade6a28ca0370ed641fcad65d9e

SHA256
e45c03ebbbd6d55a81c6cd0f3d79e03c40cd7e2a850d9ea2da30f6441c4e699a

SHA512
0ca008e4cfe191f2d0f7f03c2b0debf1ef557ea8e70337e8998dff391062d47942ca22d5846b245df4e3871212f6fa6d0da9f5115438311fa112bd39a2fcc932

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
80KB

MD5
906420fc1f9b1f942e3af3cccd15229f

SHA1
2dda4e24828325544680ec29c2ef825405f3f4c9

SHA256
e20c50640471cf95c09cd47fdde64e42995daa0fad0bf0346a4462e3e501dd66

SHA512
325292927e6f01ce130dd33e2e5b8ef18d368d924313f514f23ee07f7edbab92f77361bac82a554596ad731587fc33859d990617e566ef7894fcedeb186b096e

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
80KB

MD5
880f41c1e5b07ce5956d67c29c3833a5

SHA1
3d60d47e4eb437fe3fb32082264f3155de913aaf

SHA256
31f1836f688eb25498d887f2174db7de016d3dfe2df5a079ca3e6d78134ece8a

SHA512
ec838b9e38d185e9c24cf4daa1054356c54ce0430d8741520415980ac5b334e8bafd888c76a131391559fd2b53d1e3abbdffc8dfbfd2c3defa0b732b6038fb79

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
80KB

MD5
92faa1e75e9565222d5255274ee34f98

SHA1
8709fe8978234cc0af6dcff34f01f276055bd676

SHA256
851cbcdc8be45bd310a56b687553c5c633e16ddd01d3b72f3ce9c817d108fd95

SHA512
b10dae6d3e65d602f3dccc9c0df2532d23c950ac533fea9bfcea09c5308acdf6a82bb28d6babe8921d8fe0a9b05a08b41851a7d213107dc473d8f217b3f9326a

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
80KB

MD5
dc72e6ed2f87687afa0f502cb6adb4bd

SHA1
a8dcede6f29ac36d941a244eecd6487613f30a3d

SHA256
c7b2165155dd7287ce7f1205d51b25c373b120ac107432f808171016deeb616d

SHA512
197b6e4e1991b08767130b0d223691553c1bad08dbe23879364664a2a68c6dc197e0ca5336280dcd9582444943463d0412496c67a4f0a70312ca44025a87b2b3

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
80KB

MD5
146fbe4fdc0918b49d267f2586d2aea9

SHA1
d7d96c267935f14a19b90a3f5d00b8cbfbee0c2b

SHA256
07e0018c29d986de20fc686743f84d9a27e138903676c0a16f4d49a67188e106

SHA512
4666d033bdb59082f6d1e99267652c00bd567ff5cc5ba7b2f7543e20aae3ca1953aa870d8fc8f56f4df5e5eff0bc801b3eb0e8cc0001b3809a2b7e36fbdab5fa

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
80KB

MD5
a4cb514a28aa41af4b6078acdbaa4d96

SHA1
cd91b430a5582e292705d7e26f1198a54cb9fc1b

SHA256
d8c6a33d13abb7037742e5481d3b45d7c10924d636b751e09b208c0ca8633f14

SHA512
fc1332e3fff90ac6503126a8ce4aca53c9da5ca9d0712281959caa12d9c3051bd3f2e1d060c7eb2bac54eaffdcd65f567877a060ca2cef50cf1b6b0694f6fe81

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
80KB

MD5
e8d24ebaf179d8570cbe4a7a1a072d9e

SHA1
97dd42472e9d9976f062e0e846993ced690232dc

SHA256
3bdffcaace1f9c3ff5d14ac96583ef1dbb5b5d971340fc6b2e6f154fceef0af9

SHA512
ac7c2686133795fb219b75d3368857f1849c230d6725e69ab5cfe4aea5622589c2c2442fe07e5f552226cd52216b0d62827731ccdfcf8f14df3f248553b691b6

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
80KB

MD5
acc262ed12edb88ca55c1614ff4a4b30

SHA1
f1500d09442f3647a2c4ec8d1454c0629092fe25

SHA256
62fadcbb421350e689cd473baa51cced402644eded92bb534ef7783d5cf80b9c

SHA512
493441b5863daf562f24f8cf6145110b6aa9bd7384c723bad6383ffba4ca29662329a3b40f244145ac263c4d193054a3fbdcf80e6f0dea2c3b2fd9ec9e9f1b82

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
80KB

MD5
34543340d87a7bb6272f042cee0ed310

SHA1
3d3e51d09788766696f5c5cc12b862c5f4253378

SHA256
8328152cde25afe027cbc2978de48e2779d98b758baa24aed23a63dc5e734ea9

SHA512
312ceca42f84c306b021ceb40d6e8959101ee5157c86119d244e74aa3a1c33464d9682a672fd49b8287d2c28e0a49eb0dc37c5da9ff22cbebfc4946ca2335f78

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
80KB

MD5
e51ba7be880fe42f7688247414c22874

SHA1
9c1a272de3aeabbbf356f8de8050ba52e282455c

SHA256
c77fa48772e45d0f17117e05a36bbfc01dcbdb527ac846dad002792736c8f213

SHA512
9cc6aa2c15ab1222439ee2ec3bed205827acccf9d618d3317e192c1cf678d86b3b6a362de93e993c4a1efd79d99560016c10d4aefb63a235a70a777cd7d765a2

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
80KB

MD5
691c1122648154c8815335ca8d9b7490

SHA1
7e7b06925369f707684f989208c135301b951296

SHA256
447751452abc1deef5217405212647af62a14e15eb9ddddc88d6066604891e29

SHA512
7c6af5cac63b8a0e1bc74ccc14a92b395861d6fde0ffca1ec594c1fd6e911860a81c698afe52545c8829a0190a48d66c63b69c7cd408d0cda56386903bac8815

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
80KB

MD5
e156cbabb845aa1ee8bcab35f934c3c4

SHA1
29970ef94c1a18df8f4275fbe5bf038b43e9ef9f

SHA256
eefe9636caa2b9dbe396b4491e5b15bf6b9899fbfaebf5c377ce34674a7cc0fe

SHA512
4bce2852dee160e6b43a0749af2c03dec7ed872d556d1ff98c150a69768b3fa2e08365e05d5d531e0c6e9c4bde958c0c2969928d4ab826565db26c97f5998a44

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
80KB

MD5
719c2c9f7c99321043ba3bab00b76351

SHA1
921d8724a249a5aa587c510dd17f6c1e25d6393c

SHA256
59eeefce1fb46a64124c31eda2523d12892d251fd68d8fcf9317d687aa3da61c

SHA512
56720a72fd5791cbad22353d6007c56bc97e902c10552ed806a74754ec56cebcfc38599d044f1c9ecba2fc088d38cc88e4e823ad81e8ccf48c6f0ef1ef4ed0f9

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
80KB

MD5
c02e2f473d4901c28d744642f358b2e0

SHA1
0e9984da9eef6833563c5c93f4540aa6375df0ba

SHA256
fe28281e20b750d64fcafea7ff91a9d503b724c429b6f5193543cd37a0f2a7bd

SHA512
a0dd58597dc7cd9329c9d892a5af6b53cba0a9157c690a9dcde0198582970ab239c7d609d4cc62a68053106404ad65834c676aa15c4b7c704ca3b5f28e7f828f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
80KB

MD5
1a4922ddd9d20439cce7a449f8ba6f39

SHA1
7a00711648ff9679f96fb927e1f153798e045b55

SHA256
7314dca5ea05c7f28da71c9ccece166e862761724a9a57e9a32946a2c174eaee

SHA512
656b9f9c21e8b8a56a60489c5f409c5ab4f57862a8b1c068c5a961867fd1187a173c8f887fcb758f536239ca73782b2170c1f09dccadfa12cd8a2deea90c25d9

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
80KB

MD5
7d6dcce124ede6effed66b7f51528623

SHA1
31e8d2ccdc04f02c3d16472ec11c66abd3b7f3c6

SHA256
851c44cea33541494c9bf73c92de5396b62522d4900d7aaa0ae2f590b19062da

SHA512
2fcdd5f19fb258b2d8f6dcc87fd1cf53ae429f181e2241d2cee72537ff73c02afcb6399f3a6448b3f6350f8c921a0a58aadbe352a47a8b63eccb3914550ee658

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
80KB

MD5
85707489d3bbb60e245fffd416a999ca

SHA1
d0471405f64900e918fa60973fba838ab96cdc1d

SHA256
09cf96216f9c0caa8defa9e87612fd3f99f2333e652d7689bffd3d0eb5e82362

SHA512
625475568f7b2fee845c7034599aea45fc8108efc3aee1a16e80706022625e99c07b8891da4532579118042d4e9f8715d1686569eec2aaba35403f0f5f9f4192

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
80KB

MD5
ceb6a044631faac5c6f34ff1778a6db8

SHA1
7718e072843934ec5f8a087e49ead89ebfc6747a

SHA256
e10988b62d52f8b05bd0938ac5165a1c5d2636c7ff5b34e65dd3d28e013eef45

SHA512
69e84ee1c4d3e339c905926fbc88da26db538a8a80689c6b28175fed34df6acbe98c55e4073d986d46aba0c072de07e367d39aeacd9de686eeece77dc28bc6d1

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
eb13b63b5fb7baac94196f6a4f45ebee

SHA1
77f764e94ee5eac0f024d0893c805c59a03a8b86

SHA256
2d2763f1bcbcb44e88cae31e47d30137e039df5d6db5a6e1109a5d126768c7a4

SHA512
11defb9cb8d93855ca541549961af4194570bdf5dd4f52cb8c769546f48d0495d43cbf078f117c3e21728ab88bb00665645dcabb2db623052bf99db33f299daa

Download Submit
memory/464-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/624-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/724-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/844-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/980-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1032-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1056-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-594-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-566-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1452-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-580-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2392-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2496-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3328-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3556-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3564-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3796-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3888-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3904-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4160-526-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4392-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-573-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4740-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4808-587-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4812-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5124-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5172-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5212-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5256-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5300-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5344-560-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5404-567-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5460-578-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5520-581-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5564-588-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads