berbew | 9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
Size

337KB
MD5

e63c05506c575290992783b66b18c550
SHA1

e6b9ad63ec03ea906020f88cabf2b2145df40ef7
SHA256

9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5f
SHA512

e7d9355bfa1bdccf22b4e69fa0dffb80576509011cf9ba085b36ca4fc29f42df5a7f151bcf76f94e2399d9e23b2092286699b9433ce8c050311e51d3eee9fa81
SSDEEP

3072:MzAhHDEWgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:EKHYW1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnebeogl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njciko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpccdlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndfqbhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbknfed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2780	Mnebeogl.exe
2372	Ncbknfed.exe
1620	Nljofl32.exe
3968	Ngpccdlj.exe
1012	Nphhmj32.exe
1656	Ndcdmikd.exe
1708	Njqmepik.exe
1108	Ndfqbhia.exe
2312	Njciko32.exe
5096	Ndhmhh32.exe
2528	Nnqbanmo.exe
3752	Ocnjidkf.exe
1340	Olfobjbg.exe
1728	Ogkcpbam.exe
924	Olhlhjpd.exe
2224	Ognpebpj.exe
3984	Olkhmi32.exe
2100	Ogpmjb32.exe
4244	Olmeci32.exe
3696	Ogbipa32.exe
4112	Pmoahijl.exe
944	Pcijeb32.exe
4356	Pjcbbmif.exe
3012	Pqmjog32.exe
2872	Pjeoglgc.exe
4672	Pqpgdfnp.exe
5052	Pcppfaka.exe
1752	Pnfdcjkg.exe
3364	Pcbmka32.exe
4512	Qnhahj32.exe
4728	Qdbiedpa.exe
4132	Qnjnnj32.exe
3928	Qddfkd32.exe
4640	Qffbbldm.exe
4372	Ajanck32.exe
4824	Ampkof32.exe
636	Afhohlbj.exe
2248	Anogiicl.exe
1132	Aqncedbp.exe
3760	Aclpap32.exe
940	Acnlgp32.exe
4324	Agjhgngj.exe
2028	Aabmqd32.exe
3664	Acqimo32.exe
4964	Aglemn32.exe
3608	Aadifclh.exe
2104	Accfbokl.exe
2544	Bnhjohkb.exe
3152	Bebblb32.exe
4524	Bfdodjhm.exe
3412	Bmngqdpj.exe
4780	Beeoaapl.exe
876	Bgcknmop.exe
1644	Bnmcjg32.exe
5060	Beglgani.exe
736	Bgehcmmm.exe
4656	Bnpppgdj.exe
3192	Banllbdn.exe
3648	Bclhhnca.exe
4100	Bjfaeh32.exe
5020	Bapiabak.exe
2268	Bcoenmao.exe
568	Cfmajipb.exe
2644	Cmgjgcgo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lemphdgj.dll	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjcbbmif.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Qfbgbeai.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Fjegoh32.dll	Njciko32.exe
File created	C:\Windows\SysWOW64\Qgppolie.dll	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	Nphhmj32.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Mnebeogl.exe	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
File opened for modification	C:\Windows\SysWOW64\Njqmepik.exe	Ndcdmikd.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Hiclgb32.dll	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ogbipa32.exe	Olmeci32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Nljofl32.exe	Ncbknfed.exe
File created	C:\Windows\SysWOW64\Qjkmdp32.dll	Nljofl32.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ncbknfed.exe	Mnebeogl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
956	888	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnebeogl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nljofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nphhmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncbknfed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nljofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocljjj32.dll"	Ndfqbhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nphhmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnebeogl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beapme32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 2780	4844	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe	82
PID 4844 wrote to memory of 2780	4844	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe	82
PID 4844 wrote to memory of 2780	4844	9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe	82
PID 2780 wrote to memory of 2372	2780	Mnebeogl.exe	83
PID 2780 wrote to memory of 2372	2780	Mnebeogl.exe	83
PID 2780 wrote to memory of 2372	2780	Mnebeogl.exe	83
PID 2372 wrote to memory of 1620	2372	Ncbknfed.exe	84
PID 2372 wrote to memory of 1620	2372	Ncbknfed.exe	84
PID 2372 wrote to memory of 1620	2372	Ncbknfed.exe	84
PID 1620 wrote to memory of 3968	1620	Nljofl32.exe	85
PID 1620 wrote to memory of 3968	1620	Nljofl32.exe	85
PID 1620 wrote to memory of 3968	1620	Nljofl32.exe	85
PID 3968 wrote to memory of 1012	3968	Ngpccdlj.exe	86
PID 3968 wrote to memory of 1012	3968	Ngpccdlj.exe	86
PID 3968 wrote to memory of 1012	3968	Ngpccdlj.exe	86
PID 1012 wrote to memory of 1656	1012	Nphhmj32.exe	87
PID 1012 wrote to memory of 1656	1012	Nphhmj32.exe	87
PID 1012 wrote to memory of 1656	1012	Nphhmj32.exe	87
PID 1656 wrote to memory of 1708	1656	Ndcdmikd.exe	88
PID 1656 wrote to memory of 1708	1656	Ndcdmikd.exe	88
PID 1656 wrote to memory of 1708	1656	Ndcdmikd.exe	88
PID 1708 wrote to memory of 1108	1708	Njqmepik.exe	89
PID 1708 wrote to memory of 1108	1708	Njqmepik.exe	89
PID 1708 wrote to memory of 1108	1708	Njqmepik.exe	89
PID 1108 wrote to memory of 2312	1108	Ndfqbhia.exe	90
PID 1108 wrote to memory of 2312	1108	Ndfqbhia.exe	90
PID 1108 wrote to memory of 2312	1108	Ndfqbhia.exe	90
PID 2312 wrote to memory of 5096	2312	Njciko32.exe	91
PID 2312 wrote to memory of 5096	2312	Njciko32.exe	91
PID 2312 wrote to memory of 5096	2312	Njciko32.exe	91
PID 5096 wrote to memory of 2528	5096	Ndhmhh32.exe	92
PID 5096 wrote to memory of 2528	5096	Ndhmhh32.exe	92
PID 5096 wrote to memory of 2528	5096	Ndhmhh32.exe	92
PID 2528 wrote to memory of 3752	2528	Nnqbanmo.exe	93
PID 2528 wrote to memory of 3752	2528	Nnqbanmo.exe	93
PID 2528 wrote to memory of 3752	2528	Nnqbanmo.exe	93
PID 3752 wrote to memory of 1340	3752	Ocnjidkf.exe	94
PID 3752 wrote to memory of 1340	3752	Ocnjidkf.exe	94
PID 3752 wrote to memory of 1340	3752	Ocnjidkf.exe	94
PID 1340 wrote to memory of 1728	1340	Olfobjbg.exe	95
PID 1340 wrote to memory of 1728	1340	Olfobjbg.exe	95
PID 1340 wrote to memory of 1728	1340	Olfobjbg.exe	95
PID 1728 wrote to memory of 924	1728	Ogkcpbam.exe	96
PID 1728 wrote to memory of 924	1728	Ogkcpbam.exe	96
PID 1728 wrote to memory of 924	1728	Ogkcpbam.exe	96
PID 924 wrote to memory of 2224	924	Olhlhjpd.exe	97
PID 924 wrote to memory of 2224	924	Olhlhjpd.exe	97
PID 924 wrote to memory of 2224	924	Olhlhjpd.exe	97
PID 2224 wrote to memory of 3984	2224	Ognpebpj.exe	98
PID 2224 wrote to memory of 3984	2224	Ognpebpj.exe	98
PID 2224 wrote to memory of 3984	2224	Ognpebpj.exe	98
PID 3984 wrote to memory of 2100	3984	Olkhmi32.exe	99
PID 3984 wrote to memory of 2100	3984	Olkhmi32.exe	99
PID 3984 wrote to memory of 2100	3984	Olkhmi32.exe	99
PID 2100 wrote to memory of 4244	2100	Ogpmjb32.exe	100
PID 2100 wrote to memory of 4244	2100	Ogpmjb32.exe	100
PID 2100 wrote to memory of 4244	2100	Ogpmjb32.exe	100
PID 4244 wrote to memory of 3696	4244	Olmeci32.exe	101
PID 4244 wrote to memory of 3696	4244	Olmeci32.exe	101
PID 4244 wrote to memory of 3696	4244	Olmeci32.exe	101
PID 3696 wrote to memory of 4112	3696	Ogbipa32.exe	102
PID 3696 wrote to memory of 4112	3696	Ogbipa32.exe	102
PID 3696 wrote to memory of 4112	3696	Ogbipa32.exe	102
PID 4112 wrote to memory of 944	4112	Pmoahijl.exe	103

C:\Users\Admin\AppData\Local\Temp\9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe
"C:\Users\Admin\AppData\Local\Temp\9cdc159d4f0905cdd5272f5c43c4e74ea09c64189145bdd382bc5429c6f76a5fN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\Mnebeogl.exe
  C:\Windows\system32\Mnebeogl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Ncbknfed.exe
    C:\Windows\system32\Ncbknfed.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\Nljofl32.exe
      C:\Windows\system32\Nljofl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\Nphhmj32.exe
        
        C:\Windows\system32\Nphhmj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Njqmepik.exe
        
        C:\Windows\system32\Njqmepik.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Ndfqbhia.exe
        
        C:\Windows\system32\Ndfqbhia.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Njciko32.exe
        
        C:\Windows\system32\Njciko32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        27⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1752
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4656
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        66⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        68⤵
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3028
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        79⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 400
        92⤵
        Program crash
        
        PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 888 -ip 888
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
192KB

MD5
0c44c7753c290ea39df3840d41f58d62

SHA1
78b0540d56362ba771433acdfa1f1d08b45493e4

SHA256
35054087df64f8adf163286b45d6a31ebfbfd37a81e73028bb8a6a634be482a1

SHA512
792ffb1ea5fe53acbccf846826795c8039994835113d0f15a0aa72ec5594d89d045eac8e1f804e7aa07c076e7dc0b4d4379c82336b4708b00730bf77acbde1a3

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
337KB

MD5
1c1efcd5f517e7bf9565b73e07075a10

SHA1
836fbc784ac071889509f95fee191a469e8f2f3c

SHA256
f6ac7949fe70827317c807de8903ff0605c299de9f226e1220fbd9d1cb98a4d3

SHA512
75bd12071780e8c43e327c0fd94cbdedad34df9fcdcdb5b004539f251387bfd1fc72b27f0af55089dbd2ae4f906203af5c61bcd9811ab75763d5e281943547fe

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
337KB

MD5
3736a39bc656c918435321d35398ecee

SHA1
9c724d21cd6275a8ab132bc4921d3cb4b8808d2a

SHA256
f48f33a6439d45a2d5b0c8e04939238fbc3f221e1e7de6f6d08f2cfaa4f5d7ca

SHA512
9ae6f056a35614b1f541fa6d17a6dcda9567fc7aaeec780263ebdd482d8fed039728af57ffc6d9d71c0fc171bd5685140d7c67c5ecd1b5915e5a4212d714d2da

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
337KB

MD5
a90dcb0ec82afef95bd1dc1e217e5f5c

SHA1
3c1e923ba931fcbf5d84cc425fb093ad7f450d62

SHA256
979859adcd26a4a15697c2c04c82a0bd5be5d8efe8778eeea374ead1e53abbec

SHA512
7bdbabb51834ecc2c363cc7256019ecbd786ed3c4f5aee7ba5a88526a52f2db3f556742fb397093994621209918c37e762dd968b48c66028a6ae42c5468c5c74

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
337KB

MD5
8311e6caa4e5c97c7fed83368850fb46

SHA1
dcd6cfc591a064eb71a5280b51d9d31ab488b16d

SHA256
c60e19ea937f43268299883fe49a46d04ff27e7183fe2b90a994a1173cf35463

SHA512
ee10a76c1613527c88825b6b814da0476e73b174424cc239708d654584559f1f12ed95580b8fd88265d9d64658f4001f48bc60f0034ac77a49c224e6dd30a477

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
337KB

MD5
87f65b3e4fec111e96e2003b2de29802

SHA1
8d9e4f422631e94366c9cf79ab1185b2d23d97fe

SHA256
ba7ed9db0915fab35d330bc67b1774964fd68cd1542a39431e880bad4afd7eef

SHA512
f360829d570476cd65ebe27477c00afb18628027c6ffc34a8431875c05a66325c21a56ebcc38b074750771a59ef9745f70ae78425e8a89d545366355ce949239

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
337KB

MD5
9ff619b4cc26f28835457b92bdf17440

SHA1
afffcc0d455e62ad8628804c3662ebcf91fe2ac6

SHA256
ad02604be783e065b185cec02c6cb12227cb07c64b96644eb9551d3624606db2

SHA512
fd59d2a69fa0115e93820f625f2da2aa5b4bc9c65df0ad7e25c64ac7832ea70d81f1dbd0605e98f03edbccd68332fbf2ed5a70eb4670c8b2d4348963c07177c3

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
337KB

MD5
c0ba3e129a8f77e3a0273cf9dce4422e

SHA1
9faed024cf05bc11350d6a42dfa09c51716e877a

SHA256
672bcf038253078f8da86b5b72d80d9fa00c646d74b392757e389e73cc31ec31

SHA512
6ac84042c67e71d8994599afbbf0386f979c5fcdae9336ee99dd8b476331a2dda9c460ebf746ea5c2f2f8afd27ceab935fb2f752efb09b47b5087c3697370966

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
337KB

MD5
92aed63cfbcacb2bb6459bd0876d12eb

SHA1
116d58e49786eb60e5b05d999a4b713625385b38

SHA256
9f1b8e8d79096fc38ceebdb0cd840a6a4861032a8f690c1498f03b1b4d21eab7

SHA512
68c9aa78ea218c1b1818204398f2ebc59e4869fd4d58658a81500df27f4c5646408025c7dac068b62d7564f1843987af914bf27f162ac15c725374098e9c607e

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
337KB

MD5
ef8eaff33fd1bac99bcb5432d366e6cb

SHA1
ad21a1f92b7b442b871b6b734dcbea75afc22ca5

SHA256
103b8185cbff6b29dea699ceb363b9bc0e7ffe517b29bb8629d67ef18023697c

SHA512
1014c9d3e6e0268ecd91c093020586dd484d3f27e6f4584fc00245e44e1d7c12fbcae31dceb7b2f7b841eda9c737d21ab50f100b88eb376a057110f2854cb9a1

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
337KB

MD5
ac8904ee1f98dc20871827a07f9d2c4a

SHA1
ae62655028a32765f0c09b7cb49650ac6e89a459

SHA256
6fa910b664e9109a91e37c65e300bbc8f60fb8e45478f4efd4fb384d479cd3cf

SHA512
2e289ae2c1c14b6860df1f44939018afeb7c0623896a98ee6620a47af73f53cb75fdfd7e87ef4dde191ced468283206aded884224531ce77508c568ae6658d9e

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
337KB

MD5
daadac24e20e3191e5e3cbe8b3f757c2

SHA1
34be673610b630b6f301a60f7c2b7e411bd73a8a

SHA256
1f9284b75f7473294e8d9702ebce249fb698d1ee65defc3dd00869be0159e53d

SHA512
f1a0344f75cd2dadff6925b1579eecdfda3afae451c8fb5f88ca6f35c10899739dde8dc8290c8f7e98b641d47a488608ddbfb95fdffa94ad584df19d4ce79a4c

Download Submit
C:\Windows\SysWOW64\Mnebeogl.exe

Filesize
337KB

MD5
b0a4c11a967665f8b3cec10517ed2fe7

SHA1
622ceab21eb0ec564ae21a9775e1e577ce77e09e

SHA256
c476fdf5426e746e37e69a6f76945de2daaf23960c89812953d51161e30d13a6

SHA512
7a6627503116b3e7b2e82afdfabf71d83bbb673c778c48739debab4d77d75793334a5c96fb657261204c769a083e981abc62eec70e3f12d66d68541866d829b2

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
256KB

MD5
f5a1239b12a9aec587e64b32f6c84c2b

SHA1
f256151daf5def64611cd192d42a439e2dcd52bb

SHA256
ba7001d3b2d70a39962d6d53edb8254b6829c11fdb10dcede0735d43193428f9

SHA512
fb70e15d0adbff612052fe0092bf6e01edcdc61fff420248492ad8d224a711176a6494ed88cd797707f7583f6c2d3d2c246aed8bd9e32eef0f57d7b655637bbc

Download Submit
C:\Windows\SysWOW64\Ncbknfed.exe

Filesize
337KB

MD5
e264c065bc0a9a5f3dd8057ce3595867

SHA1
e3f196fb710bd39cedb0291944d1df09f5fe3ebb

SHA256
1ca617f066d55a2f29bc424af93cac12aee95e704ff07304f9914a5096dd0d0f

SHA512
cf9b7e7e8facc2e24f0e7e0f67fc9074c58411a8950a15eb669fa1240ad7ce6ac8fc9919415fd485d975994b53e5d8b6b70921d57f5c7aab7074d9cfa88a15c9

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
337KB

MD5
518e10b377d164384f060597d7b90f4d

SHA1
18dc780c2ee087cb1aa0117e9a70a38a4e77a3aa

SHA256
21e200ac2200c1320761984ba5b6a55b3fc0fd73bcf63b06c43436f5f2ac3dc7

SHA512
d89272937e8bc4e4528969da85114069f57bf69d68981acfcc4c4a209b1d349e47dac4e0d48f8ad3ac57045a0d46dde8905efbdabbe48ea74228e8d989500e3d

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
337KB

MD5
d00d0bb3bf2e2d30b1f425f3487f5ae7

SHA1
296a513816288e7937962fa76bd02963905f8fb7

SHA256
3f62214a2ed5f2c7f0c9c064218883709164f2a706ed3fee9143ab4a79a14942

SHA512
95d8a212f201efc75171b255110bd9d42cbc9f8fc6faa84bdf5c2c89e3cd60884fd84a331927c04d5dd3c01c7db1484120761ed7b23aa2dcacacecd97520294e

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
337KB

MD5
c2e80fa9d271a062a3962c60b7a1bd4c

SHA1
8277f015381792bc93a37843b21608e4fba63bdb

SHA256
50280df207ada877dfb19abb30b068ef2fa82fc5f1af1fe4b216d1f4b0a5ebaf

SHA512
0f0a1f0a586babad8e704dc44e9f9cad411e78ffb75b3ec45e3b6a94b71e21ee6a967f05962d63858afed79bd5338d0e145bf001807ad8a6d4c69254a14411a1

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
337KB

MD5
2dc029d186dfe2788143779fc86b9c74

SHA1
7a0d61e9b7dcd23d13781fee087b508d4e03bb2b

SHA256
1c29a422dc4ac452db56ebe2e99e350862429fed8b0b79631c7f52629777b039

SHA512
5fdb5b8b6985896faaa94d0482a79997c2f128dad4dbb7948f9418d41843e82c1928c7de0ca74a57aa73a41497d123e8d3c8e51fc6b13909f1e51bc93f2bd7a3

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
337KB

MD5
aeddfc73cfcf42edafbadeb124ec86b5

SHA1
ebe7b498e09ceaac07a625dfea1f6457c3a6b385

SHA256
469ab3d1ec1bc3a100b79e5b5549cfcd925a95eab7ec65fcbcd2a93bf23146ae

SHA512
378a786731996bb14102449c41fe3a6277110f2a8d8d3e633ba6b3d0c1dc1712265c117fd21e42e68bf49b4a49236fa8744de2b5ecbc4b8a9c82c9e02bce7616

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
337KB

MD5
05bb5704b366fb686e6c197a659ca4fa

SHA1
5b7040780a9ceb2ce630efef667c0fc8e40cd678

SHA256
330a9d24673cbf793cd3a60953ab805daac9b02ca49e54eaa1fb0539da280076

SHA512
d8660869e36bcb47aebb0ec6ff36eb7b8629ed1a6828aaea5b1a239b43ee2334b1f72fab590a8cc3ce6b49bd089cca51318a855d3843914d08b70fdacd1e6210

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
337KB

MD5
b188445f9879bdbdaa00bc4fbcfcfa9a

SHA1
f03a6a57915e3035d5394dbb7133510da2673c43

SHA256
bad11919b9263da2bbaee293cd115a1f30ae4fbcebf88436b7ed094877d8d010

SHA512
b115b2382a38e418fba77e52f1a6e465beb8e3fa8d8a8e3bfc7d09a681df0f78b238ba788338166f8502c0e8ed24b0c8c728f295027a7f7c5cfac0381b4bf3a8

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
337KB

MD5
b313a4d617fdc885b112469fef91572c

SHA1
0661dbfe1316ea7a9d90d41c07c75d7b1c6cde97

SHA256
b51798c5eb61b1f5376049ba8b7eb08be51107c694b5f1d6fdbf649b8a660a39

SHA512
441fbc24f53f764329f1a9e605885a902888a31ba5c1984f7a4cad4ff359bf016ba971bd51d47a667a17c8b321eec6104d41e95bc2fe68027b15989fd1a578f6

Download Submit
C:\Windows\SysWOW64\Nphhmj32.exe

Filesize
337KB

MD5
4e3eab7e4c2c95a57d37496c4ceabdaa

SHA1
5e4a8e370fa5ad2b26d893a880b626975cb060e3

SHA256
e523bd3c8e4da8ea440956096a593846078b5a9df75f70d629b47fdae4050f66

SHA512
56eeb81ab3cc9453f8d753c825cc6e14f2618ccb68fbeab39ea5a9e34e2f8ccca97e04a62ae02b2e7647466038f50164b5cf64c2d718b6df48ce157257d763f3

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
44ba797054e70308e7aa839cc9e7461f

SHA1
c439087d0d9990ace49519b9518dadc198c4da3b

SHA256
02fcb7917d74a548f8de09b6ff95b0dd2740a128253ccba733e59b1695f8896f

SHA512
7280a14fedb223dc8bd571fc90aa6b451a3cfaccd1fb029405c34f4bf6644c6d4a924f4508b5e5b84ff33dabb676235362dff452747284c505a7f320d7e5afe3

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
337KB

MD5
ce8a60870aa1f4a74e1763b880b0bfc4

SHA1
aee285d2a4a3908fa6830ea336498bba5d17faf9

SHA256
4b721d01db251976eccf50969f44bc8f5451b965603286b52b7fe895aa6284ad

SHA512
715bf4bdf5613982df0de06d3531034a6f6d10983a6666275cdbb537325401eb8eceeceea03270555876768fed00920a027cba6f5fa0e06571fe8dc79c69c450

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
337KB

MD5
fa0c3889e9e578cfe270afe0f42a208d

SHA1
39bd1c7606b6b6be62c6f236f182b958e2ed7bc9

SHA256
90be9ea6b655f7a76645d4af2f55305a0c46ca72fbd9d0fdd525a5199b4a3a5f

SHA512
9c637f393cdb6415a17c848cca49e1b35a71cc1ceecee4132a39ff04482fc71e3dd45080ae78b664d01acb54b72c2d70556f3fb8dac606024013beefc48b8e97

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
337KB

MD5
b9f88bf505421792357ab6fa3bfd5097

SHA1
dbf6005c6cbb70ac2fb7477d976865ddea4562e0

SHA256
75eb8cdb08dc64513c5c282f19c2764aa8ebd5acebeb1d2c19627dac93a4a3e5

SHA512
66d05a8176e1e888f7ed8746a3f7d5f41f97d14025fdfb454db1c71070861b0569c1fb4a13a7dd04a46d3af5236cf54882e19b3b40626983b9f0886cc45663c8

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
337KB

MD5
5a1826fe2283d500547bba61b3d58926

SHA1
3d14ba8a38893e79f524208210315fc6165f3b0b

SHA256
04714f71cab42b6f3d95878cffe97e1a66880b53d3142b552bcd2ea151a28b70

SHA512
584c28c8662d759573cf1f9fe5b074372798722d8f19c3f7b6cf400b8a39d5bc9217f3dc5c56eddca9457b754827eb6432bb5284a39b563588e033b70926b864

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
337KB

MD5
ed2d51e19e194d03071840c99bdd14e1

SHA1
8f9e2e9650dec7ab742b930e3c4fd7433f5c7876

SHA256
99a4ad935c708b87b5430f9934934d14f68c343c9f1b52f9127dcb60b75afa30

SHA512
9b5d046ede1a0bcccbb73f7af636bd1c446e51b2e3a15ffa502f21b9cc854788075043bf2d812dd9ce18f6213d46187c56ae0be76c201f0290959583b0af78d2

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
337KB

MD5
008fcc5c6b6a38ed9549c28b414f62d7

SHA1
9aa3c9636cb0dec6e9ab14d6534c5684aa9cf6e7

SHA256
fee21477b69125f80ce560fa888852ac2a30f15745921cc7375304a83e6785ff

SHA512
e059f7ebae91dd41ad46f038ee50f6fc546ccd25dda83d128bb9492359e3f753e76823a55e70a2494fdbd8ffa8dcb7ba5ca3bee79218c05540e79226c395890a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
337KB

MD5
766ed741a27ce3c235e790d0da1f4961

SHA1
3958abcf95be9656afaa3e27c4e3db1075998cd1

SHA256
36917d95b001ba5523a89a8c16b9fbf82a57534f168a7d0240d6ac13270d9d2e

SHA512
0d31f9c27464e1ad39282ad56911f5bbb7d4233f278b2a575a5a8132256b7e53592487fc99d7b05a195bb172dd59d157604306ea9d11fc7aef58e3cc44312a12

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
337KB

MD5
1003a9cbfecbd0401a1f4c6233c725dd

SHA1
d4672590551457b108b8abdef13d0f8d2765fbfa

SHA256
62e26d2f05976e2d7d9599dd8b7c3385edf9a8cc4641424de4fe556bcdf93e73

SHA512
1f5e3ff74ce603951db7d743f3a7641d3c3c76b9baec8e4a163ca2e05b775a43c486271f9b99514e6df324e06a181ce53bf68e328fdd18ca61ebe5c934de07c5

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
337KB

MD5
887859ad1c129e6d8285ea0b2533bd49

SHA1
9b08b6060f549d590d69321e85fd7afa315f9a4c

SHA256
50f779e7d25fe29ce8468d1c8a3d4c0c014711c139747bbeb93f197be9d87f38

SHA512
bbef8217c6917179b682c0f07be8fb0881019a6cbe1746d83681cbcf005f31c0e3099b0c6f2e00a30ba80955d6dec9eecb09dfda9ec1e04996219170b0729c9c

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
337KB

MD5
313f87f67c61a58bc4782206fc256202

SHA1
b937b68f36f26ab2c5b08ae295960a9aba71e9ae

SHA256
cc47e9a5f5a063ea9b3e76b8d6de231159f00984c1771f0399ef2d48f12f5bdc

SHA512
54d1450fee5d8705de39843b6ca6db81616ba51431ddaeefeba00127b8e57da97100dcade0d7091a9c66d3f2a60f0ea4a780cf0ffba99ab530fe47fcb42bfe07

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
337KB

MD5
1fe8d5124f91ab4c6247447c4eb42826

SHA1
b2c79fa1a250e3fdfcd2321b839ab9e47066959d

SHA256
6852925aa2503cd5b75c6b56b794c11ab3ecffecfb250fd130e426b3a3cb36d0

SHA512
3436f5922be20924b2b8a1e3de448d9d270e606375829d4ba4cf370f072fe0dd5dcc4045ea887dd197b1554da8acd2566f85ccaa4c50ebf463877ee42719705f

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
337KB

MD5
9e4dd7f9e54547033a562c1fac51ef19

SHA1
09ca439ad311f0300e0a8db51ae116400b593982

SHA256
568ac15b35d1c96d3933947c66275d94da3f40c6f32ad64d5e60d597cb0b0951

SHA512
45442315318d8f55a0a074c47f7854fe4c49ee0e663f4cc5bbc2f98cd82b7b3fd427efebe805bfc1fdd715f556b542c0c010e88150c087944f693fca11da096a

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
337KB

MD5
c0737b3c56bb9864eb2a3ea3b637cba0

SHA1
c7e0adf720349e9e445d90a730ab51e24c652fc3

SHA256
129b2d31b2c9e4bf2d4a8700d29ffa6423a895d9f0aea3b31fbd9f6430217a21

SHA512
366f5b4a87323cdbf015e85e01d32a783d6049c81cbf1d8e68d796dc547ce9cf086880040e4d072707e04034aaa4b325caf3d8b556e035200fc9095f89b7de0b

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
337KB

MD5
8196bb1b985a1c42b518c5441d0640db

SHA1
7e3efa54d0898492448579205af2d64c54471ad5

SHA256
c79839f9d4fa0e73a3c59ecae4e93ddeb32d43e211815d6cec09ddafb030c337

SHA512
4df5b8bf606c080a7e5a17324d0299a92c9aa3c3b516fbd131d610f1d3337f483fabab518052cb4060ba608db7f71a2cf648f1ad4a79530a998b2aefda903be2

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
337KB

MD5
619194f3700dc3a82a595bf9b9209495

SHA1
b88ef03d666d3c43e1a8ac2aff1beaf2497689f3

SHA256
f311a1711ad6fe1c0a6626d972c778b16a11527a3dacd85d8d1bcc5405a46fff

SHA512
ab371c4a5318b06f0c830962cbbbc93fba98a5d93b38551858763435eb578f434a687ef73ec92707fbd54383d84ddad796730277730bdfe0357bc0d45a08f48e

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
337KB

MD5
30c43f8f90a214317b67c8affb15d7a4

SHA1
8962629336dcaa2002c2beef93715064f4cf1f60

SHA256
2a038a3c89a0e3a0c9fd77aabed652fa848790192958a04fa296ae168c75b4be

SHA512
dbc60e5c8fae6c3246555b4cc0e1445cb426eb390819a2061aac3c0d5c10a71f871fb4efa89a98b3c99a406a1d168c7dc9f8a3cfaa197f3d32e9a4e29a39c83b

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
337KB

MD5
8c01f6989cebf34c684fa2c9d6c549bf

SHA1
4c17badd1ca9dbeba38510b9ab0cfd9e69c2c2c4

SHA256
52484e352a127a306780bcc5c467efa7c64ea33cc4d8f292c1a07950993e8602

SHA512
cafe265db1a134977694babe0c02b76c615c5f68581d4c7a947dbf7913c229d68c8d85d5399d02a2b070400f0a1c588b4037aff2b184b499e97ed882ec12ad3c

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
337KB

MD5
f122d9a577fa69b8e6e9dc1daf0fda38

SHA1
15e013920a5db89e34ca6623c4840b463b10a9fd

SHA256
d17b013cf1dcf6a14964dfe7f1392488a5154729fe3805bcd954c6fd8cf8bf6d

SHA512
a25a1518a10ba7249dd069d909b6cd54431a2afb0cf0a41d2d8e68ffc73b3ab8a270d895e6936c5edb816950c354d7a1c35f5638d8dd2aff5053f4b3971fcbb4

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
337KB

MD5
62ad2a8c7e1be99ce623755892e20716

SHA1
cec4025b550c6fed3abe83cb18ae5092dcdd853e

SHA256
5bc76f88e3557f724794d1c5cd60c1a9df859246fce5b416c75acbfe6c34f7ef

SHA512
e33c13245b5044fbccf4f3623e82fdbd88223c8158b07b06bc0b05fa8ac23c7bde416c917a46e01084c297f802f333a1c86dc803ae66317b2167c34954397959

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
337KB

MD5
cf74ab976769c609c0c089f9b71c67d9

SHA1
ff3736bd94b98659d7a28c783db301cd624170b8

SHA256
a330a12adc2155a54239d6baf7ce4db7dfe5851ba9c09baf5becf249d5ecf08f

SHA512
18b066f2376818e9b87e67a47ba2e696ac46472b751cb00e6c2000ca5052b854ee7b4004d1ae8e7058f720f1d7595feb2d9502c78c3baf3c50fa442d28020eef

Download Submit
memory/568-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/736-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1752-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-666-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3412-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3696-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-726-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-680-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4844-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4844-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-738-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads