berbew | 4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe
Size

465KB
MD5

35a3f4fd794faef9dbeac6d97355a7c4
SHA1

10148b3c94decc852edd2aa74ee50789ea0c6132
SHA256

4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950
SHA512

e9e3b43ba3dbb7aae715727e785a60a13d3c92af56cd680e25719db7cb3bdb406b3e7fd3c3f45e78e973426cdeae87fc36bfe696b2c1aae08daafd4ece5867b0
SSDEEP

6144:cXGmSlKu/NR5frdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fafhz:cXZ2/Nmr/Ng1/NSf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odmgcgbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3556	Nckndeni.exe
4360	Ocnjidkf.exe
1396	Ojgbfocc.exe
2680	Olfobjbg.exe
2564	Odmgcgbi.exe
1080	Ogkcpbam.exe
2060	Ojjolnaq.exe
5072	Olhlhjpd.exe
3744	Odocigqg.exe
4416	Ognpebpj.exe
2868	Ojllan32.exe
2064	Olkhmi32.exe
4052	Odapnf32.exe
3168	Ogpmjb32.exe
2444	Ofcmfodb.exe
4780	Onjegled.exe
3300	Oqhacgdh.exe
1056	Ocgmpccl.exe
1908	Ofeilobp.exe
5076	Pnlaml32.exe
3384	Pqknig32.exe
1952	Pdfjifjo.exe
1668	Pgefeajb.exe
1616	Pnonbk32.exe
2028	Pqmjog32.exe
1688	Pclgkb32.exe
3472	Pggbkagp.exe
832	Pjeoglgc.exe
3712	Pmdkch32.exe
4500	Pdkcde32.exe
3700	Pgioqq32.exe
3464	Pflplnlg.exe
3668	Pncgmkmj.exe
1920	Pqbdjfln.exe
2808	Pcppfaka.exe
2204	Pfolbmje.exe
3632	Pnfdcjkg.exe
944	Pqdqof32.exe
4684	Pcbmka32.exe
1872	Pfaigm32.exe
2184	Qnhahj32.exe
4224	Qmkadgpo.exe
1124	Qceiaa32.exe
1244	Qjoankoi.exe
4968	Qmmnjfnl.exe
1628	Qddfkd32.exe
4572	Qgcbgo32.exe
4760	Ajanck32.exe
4756	Aqkgpedc.exe
5028	Acjclpcf.exe
5088	Afhohlbj.exe
3624	Ambgef32.exe
3692	Aeiofcji.exe
4332	Agglboim.exe
4904	Ajfhnjhq.exe
448	Amddjegd.exe
3768	Aeklkchg.exe
3256	Afmhck32.exe
1980	Andqdh32.exe
1188	Aabmqd32.exe
5148	Acqimo32.exe
5180	Afoeiklb.exe
5228	Anfmjhmd.exe
5260	Aadifclh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Odmgcgbi.exe
File created	C:\Windows\SysWOW64\Oncmnnje.dll	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Ocnjidkf.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Mfilim32.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe

Program crash 1 IoCs

pid	pid_target	Process
7036	6948	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocnjidkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbnapki.dll"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3556	4912	4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe	83
PID 4912 wrote to memory of 3556	4912	4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe	83
PID 4912 wrote to memory of 3556	4912	4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe	83
PID 3556 wrote to memory of 4360	3556	Nckndeni.exe	84
PID 3556 wrote to memory of 4360	3556	Nckndeni.exe	84
PID 3556 wrote to memory of 4360	3556	Nckndeni.exe	84
PID 4360 wrote to memory of 1396	4360	Ocnjidkf.exe	85
PID 4360 wrote to memory of 1396	4360	Ocnjidkf.exe	85
PID 4360 wrote to memory of 1396	4360	Ocnjidkf.exe	85
PID 1396 wrote to memory of 2680	1396	Ojgbfocc.exe	86
PID 1396 wrote to memory of 2680	1396	Ojgbfocc.exe	86
PID 1396 wrote to memory of 2680	1396	Ojgbfocc.exe	86
PID 2680 wrote to memory of 2564	2680	Olfobjbg.exe	87
PID 2680 wrote to memory of 2564	2680	Olfobjbg.exe	87
PID 2680 wrote to memory of 2564	2680	Olfobjbg.exe	87
PID 2564 wrote to memory of 1080	2564	Odmgcgbi.exe	88
PID 2564 wrote to memory of 1080	2564	Odmgcgbi.exe	88
PID 2564 wrote to memory of 1080	2564	Odmgcgbi.exe	88
PID 1080 wrote to memory of 2060	1080	Ogkcpbam.exe	89
PID 1080 wrote to memory of 2060	1080	Ogkcpbam.exe	89
PID 1080 wrote to memory of 2060	1080	Ogkcpbam.exe	89
PID 2060 wrote to memory of 5072	2060	Ojjolnaq.exe	90
PID 2060 wrote to memory of 5072	2060	Ojjolnaq.exe	90
PID 2060 wrote to memory of 5072	2060	Ojjolnaq.exe	90
PID 5072 wrote to memory of 3744	5072	Olhlhjpd.exe	91
PID 5072 wrote to memory of 3744	5072	Olhlhjpd.exe	91
PID 5072 wrote to memory of 3744	5072	Olhlhjpd.exe	91
PID 3744 wrote to memory of 4416	3744	Odocigqg.exe	92
PID 3744 wrote to memory of 4416	3744	Odocigqg.exe	92
PID 3744 wrote to memory of 4416	3744	Odocigqg.exe	92
PID 4416 wrote to memory of 2868	4416	Ognpebpj.exe	93
PID 4416 wrote to memory of 2868	4416	Ognpebpj.exe	93
PID 4416 wrote to memory of 2868	4416	Ognpebpj.exe	93
PID 2868 wrote to memory of 2064	2868	Ojllan32.exe	94
PID 2868 wrote to memory of 2064	2868	Ojllan32.exe	94
PID 2868 wrote to memory of 2064	2868	Ojllan32.exe	94
PID 2064 wrote to memory of 4052	2064	Olkhmi32.exe	95
PID 2064 wrote to memory of 4052	2064	Olkhmi32.exe	95
PID 2064 wrote to memory of 4052	2064	Olkhmi32.exe	95
PID 4052 wrote to memory of 3168	4052	Odapnf32.exe	96
PID 4052 wrote to memory of 3168	4052	Odapnf32.exe	96
PID 4052 wrote to memory of 3168	4052	Odapnf32.exe	96
PID 3168 wrote to memory of 2444	3168	Ogpmjb32.exe	97
PID 3168 wrote to memory of 2444	3168	Ogpmjb32.exe	97
PID 3168 wrote to memory of 2444	3168	Ogpmjb32.exe	97
PID 2444 wrote to memory of 4780	2444	Ofcmfodb.exe	98
PID 2444 wrote to memory of 4780	2444	Ofcmfodb.exe	98
PID 2444 wrote to memory of 4780	2444	Ofcmfodb.exe	98
PID 4780 wrote to memory of 3300	4780	Onjegled.exe	99
PID 4780 wrote to memory of 3300	4780	Onjegled.exe	99
PID 4780 wrote to memory of 3300	4780	Onjegled.exe	99
PID 3300 wrote to memory of 1056	3300	Oqhacgdh.exe	100
PID 3300 wrote to memory of 1056	3300	Oqhacgdh.exe	100
PID 3300 wrote to memory of 1056	3300	Oqhacgdh.exe	100
PID 1056 wrote to memory of 1908	1056	Ocgmpccl.exe	101
PID 1056 wrote to memory of 1908	1056	Ocgmpccl.exe	101
PID 1056 wrote to memory of 1908	1056	Ocgmpccl.exe	101
PID 1908 wrote to memory of 5076	1908	Ofeilobp.exe	102
PID 1908 wrote to memory of 5076	1908	Ofeilobp.exe	102
PID 1908 wrote to memory of 5076	1908	Ofeilobp.exe	102
PID 5076 wrote to memory of 3384	5076	Pnlaml32.exe	103
PID 5076 wrote to memory of 3384	5076	Pnlaml32.exe	103
PID 5076 wrote to memory of 3384	5076	Pnlaml32.exe	103
PID 3384 wrote to memory of 1952	3384	Pqknig32.exe	104

C:\Users\Admin\AppData\Local\Temp\4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe
"C:\Users\Admin\AppData\Local\Temp\4434a92d0871b93df7c7dfdaabdb55201964ec2a214621361c5300c36b6d5950.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\Nckndeni.exe
  C:\Windows\system32\Nckndeni.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\Ocnjidkf.exe
    C:\Windows\system32\Ocnjidkf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\Ojgbfocc.exe
      C:\Windows\system32\Ojgbfocc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\Odmgcgbi.exe
        
        C:\Windows\system32\Odmgcgbi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        28⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        31⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4224
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4756
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3692
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        56⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        67⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        68⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        70⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        74⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        75⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:5740
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        78⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        81⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        86⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5048
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        95⤵
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        102⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5552
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        103⤵
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        105⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        107⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2920
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        111⤵
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        115⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6196
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6228
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        122⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        123⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6588
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:6632
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        127⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6708
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        129⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        130⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:6828
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        133⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6948 -s 396
        135⤵
        Program crash
        
        PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6948 -ip 6948
1⤵
PID:7012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nckndeni.exe

Filesize
465KB

MD5
3122ae5ccbb6f32990577495836e1acc

SHA1
ea6885f3711a67a33e40dc8e5f107707ecaafa6c

SHA256
d75d6ecc6508bf8975b08dd9d26c009ed5dc28e4db8c4249a4bcfec9fdcce94c

SHA512
82adb70ac01c6a573429c2579ca5d5cdda5a5849a1eeb78f6971063b1605496995870c01f29bbd2cbea502509ab91352decfb732854581896ec7082ffba3e2c4

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
465KB

MD5
a7d959df13f917508c715f96ef2a4f48

SHA1
5a230b3691a4397d65a4d68a0a9022fce4f03f2b

SHA256
ee970a6f9ce58134c8db22823c50364594ca48501c81095b324aa6b97289c615

SHA512
25ff06e26ce66cc61405082f372f69a7e233d643f997a129e718fa8c7b3cc743c43b51b7b9d95886fe3376742d94f6664241aa03fb9ca8b0e1664e673224948b

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
465KB

MD5
58927368b82dae9b7fdab5fc80fc15f1

SHA1
e54ef4b515484076cf51ffdc1f05d5419ec9c57e

SHA256
f379ef93f1b644cb34b25c1f7ecd81745fead66b53e0dd64e5258bc4c5e80dde

SHA512
065661be53323b5f2737618e57d80b641db3b97e4222d448d4ef80c4a7569f9cc9e39a1971774dffc6526c110fa7a377e3af28835e10e983d03619df14a8bb74

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
465KB

MD5
6dd1d9d85e694f499894f0b36048d5b8

SHA1
3c3d3e03f6c7ff32583b07dac127aeddfbdcdef3

SHA256
0b49988c3a39010588098bcc8d04d4f4e722be70a0381ff61913037a12a644a6

SHA512
163e7ca0c94fd6d97a6da91919e25dbce6bf2da53f2e936285b3262b5131aa37b5d9fab17050cd244135aea7cf5adc241a2284e4dee900ecbadaeac7aaf8b46f

Download Submit
C:\Windows\SysWOW64\Odmgcgbi.exe

Filesize
465KB

MD5
013494dd37373b7d100424350004f89f

SHA1
24f0e2a6addc22b9ae745f7c2914979b9d2b6965

SHA256
fb8d271e1d5bf2bd04561701ea33c5c911fc68d2f492208bec9e9c8edc2b6f84

SHA512
0a06ae1bca44490e6ff64204e9fb600519f312e5a2e63736628f2cc1372e9c6e5b947ead1c582d6d981a578682e9433c8c96c59bcb148f7198d4a5388f9320ff

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
465KB

MD5
85ba9886118ea9572b6651c34b024301

SHA1
ba28a6effa95728f1cf150c88605810ef0104389

SHA256
59de98f780cc359eb54407ebc495c2df587f8bbca313d7469850f6ffc81c4bf3

SHA512
773a683f5902681efd231272c7729ab30c764e489e9bcd471d348b9705c6dee98dd8c35a887b3ffc4db42064910a56b0c846a260486c60d09a381f06bdc681e1

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
465KB

MD5
4ae01ce64e90766595d744c3b9502992

SHA1
ded9352239d575ea838c6f9e27f4ae517addb016

SHA256
95a8bf2851f44e38b7c78ed6c48ef70f340eb53303fa7372cfa9c08b8b196d6e

SHA512
b9cb84110a405128cdaf02f1d4983054fd9999f3a14693d0f1a943fb501e08722fe0dc65eb873348d8473e38433d8ce4190e68ed38e2a1c4e92e254d7671f50c

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
465KB

MD5
712bb6420685c3e0eb33e718d35b8f99

SHA1
99296f3664ab93716a3907519fbbcc2d349e1a37

SHA256
9ff65bc282eaf3563f3e1d4eeaaf720b165c2104d6ed51f2358c433f1d347ed8

SHA512
52c8a2b85a9a7b9ab698c2c8421e38124c59bbd38c61408a76ff5dbdc4bc6897d2373e07d05c625d00debc5a74d702b54429d4594a08bc0f6190ca50d72c3569

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
465KB

MD5
9eced5c6df40e1ab1eaa271ec53ed856

SHA1
9caf00375e05a7f2931ac98dbec93ba560c9dad2

SHA256
56ab54e5a7439e8b1dd06f7b18e062147f52657578b737a0911202bfe109564e

SHA512
de2549ac7173854e3b80f43644fbbf3f83530881c8eb641c0adf1fa77272e738ac6ef3f8154707732037910863b651c5f28f376df30f6ffc05f20ce031f08546

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
465KB

MD5
2e978fbff2d68ebeea1c400ae286e05c

SHA1
c82ae7ee5800cd192e43a7af95b98e4aa9b617a3

SHA256
bd2aede89f24f826dcc0496e42d2c6fdf0f55bb5b9f066602015af182eb8b79d

SHA512
b8f71423468f0f1f2e510688a5fb3141d2abd65650877284a410038d7e9a7a98f739ffce17b76b8a17c49f9512c97437432f0c9255d0e57a54240e873872c85a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
465KB

MD5
25f1e0e102ff562750d3191aedbfde43

SHA1
e4e9b87e5509eeb7be031b04b834315a1ba6688f

SHA256
049d522adb15243b7d1ce0a03eca5a0d3aa6c129959ebf5486a9aa2b6849e811

SHA512
fc8a46cd4716ab6980cb2c4766b2e8df5d4da0629d5d0ba140be36fec0e81b6400032eb5223700447ec6453b240084263e8b99c30d9c7d6117c6b13a1ff4ff3b

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
465KB

MD5
f8682f7d91e7f74dafb4cf1577384e34

SHA1
7862d79449ba4ed7d6fb61ea1d0f5a3928ffca84

SHA256
3e6e41817bd84112cf4c26301db501b1278c9982d4e739109e7c1325a64fd320

SHA512
52a321b6a64581fd8aaa45607db99d52f4fbbe847dea913a5b667694b8b39adeedb08a7878ea4bed70da6cf737a56e5741e342e38e52c982316d6da59430314e

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
465KB

MD5
28a429ea8fcc0fd44574802445d6699b

SHA1
4c6eea08dfba3f3787d9b0c67c8fb48604d8a49c

SHA256
1948cf43e2cf076b9732ecad71b89baca56ee15894986489b54fefb0a42aa018

SHA512
8c8f4027c64d320f5a672cb3ccc8d6dba1b0286be4fcff76c18067a2a680d355899434a618b09579063ead3f52a17b27207e584dd51eb9df38c7af3c20768447

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
465KB

MD5
d80a3c8b4cbad000767f99fd95ff7bbc

SHA1
441a6ed1bfb704c83dc7157bab881511f45712de

SHA256
1ab3a37f1b26e9242d876436c060250400619822202c42187f340427eaf4e6a1

SHA512
88ef2dfd207f6f4bde628c4d9b542da1f8e51adb5456b3d3cf16b44973aeb150de62689b7de9b4d79177ef0a854684ed4f4b3faa9e348b965410f308a7151dc2

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
465KB

MD5
10fb80c6a7d77bde396a9bd0288fa4e4

SHA1
c7995ff5bd7b88be2c549a8fb5dbc36b00a90db5

SHA256
d17c96768c441a48e55c84d00f8e082d7dc016cd573a045f7f6ca4665aec798a

SHA512
b879f53c110929118dddb19f2345f27728b627c043085bc352683dce1de2f92ec5e8475f5f094ea9a19444cd0f741cd15f69dc90cd1cdaf4ec7593335545ad53

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
465KB

MD5
bc87a8bf7a1460a70553a7bc9b21c02f

SHA1
afece0fe83b4f9daa6785558d44b75e5f285f541

SHA256
83b3cf25ab36361ad3e968415e9d00f912668a034954ab6af9047adfd9f867a9

SHA512
05c39ed16c34f4e96f0135362196223fa6c686b1def5a49af35c0b95ee7a770041aa66c9deec60bf4b8ac28e5108cb1ba2cd0a18b1a437427af12378d4908f2f

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
465KB

MD5
53995aad2892f1735c22d146e9c8ad6a

SHA1
92ffec067f0754fe31a1296283b6d97c5622abe1

SHA256
4b4cc3a07407ce435425d983973939dc0241092ddb8944c6cac2bb02161316ea

SHA512
d02d82db41a5984cf4b07edb643626ed8ca5eef2e40a875e83f6a3643b9c6bf44c4ce6bac6d2b2ce10955f018b7e0bc6f8fae9f90ba859336f9b9d85c556737a

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
465KB

MD5
1de2cbdbf7351959670e4b02a7a8f11f

SHA1
de7547442e08a7be74f507c09d596cad300bb76d

SHA256
7fe6cb1874c26a926c6c1c5a98dd9ee074f58079260788b84b64ca9d20c7879a

SHA512
9cccd2f8396ed2ae3a231d08fdefcc79b3df31fcf3fce89d3476fb285b234ff7344ef521ea61cc7b72b2140556b24e771f207a52e390943235664742a0f09bc8

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
465KB

MD5
09f9838e0bc4157666715141ba66a46d

SHA1
129b4e9e35f014d57828830685a5bb521bdc3619

SHA256
2c58df800180118f938a8ad021f1352c68b40076906c71d82122ac44f1444013

SHA512
112c01fba6f9aaee905ba05fd1db2ec0affe8cdea19efda35744afafbaacb1521abed254378346c67da7c67872391773b414c4053ce7d11b4ab20bf3e0f6b18f

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
465KB

MD5
5fb674c1bd6b6aa7a30241b91eca42d7

SHA1
1d8ab9afc57e1e589002c7225b9dd473fb019759

SHA256
6931fea57be38f0300ced7f242295d2dec7ae555440a7149b3216c2aa683ad69

SHA512
f8b879233c1b2dd6b2b84b84664e314a6864219f51103b9cccae5adcb7ce82f35f5310fbddc2ea6db18e4fcd350f90b563abc8e5259c974ae87a25385efe102d

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
465KB

MD5
9825d6405a2228e833507c0ecb339ab5

SHA1
d170fb016bb60cc885f42f46a046f4a10ac584f5

SHA256
6ccf31862bce70d3a383bff2398b0bfa542c1120812e1e663ef4bf1706adb29b

SHA512
af7c49fde35bca6435454f6ac2a7a29bf0c22fa7e6c9d34fd50da18b5badca18691384cb9654ffc0c3e01a365d6533ae43d6a78cbec35e13ef4e8b0d752ee24b

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
465KB

MD5
cd06dee8e7277d29710731624d40a526

SHA1
778f02a85a65c3fc84f5d55ac1eafa1c945f99e8

SHA256
8f798d001460508c109cb0c4aa36129f85141649b2829d2abce0372a07b03f5b

SHA512
2a74d2a120a99dcec3619ac90e7219891cdee8ec36bb8c5172db08d14a4246444a090f2554a0659e0ef068bf7404f331b24c94e1023064da686ee98683df1c16

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
465KB

MD5
4e34a00d4d36555b77d105507252ce74

SHA1
d866f8d1490bde7a3929f192ccdf113468b456e7

SHA256
fcf796636606fc41f972c1628a3f585705495a1657fbe8c9c5be916ba0d1a071

SHA512
1fe3d68ecf4d9faefaa486587de59d16d9fb20b369009d9b53d261b2e117e065ec425e9b3ff05cea1d0d86c3d1d1c41fea5d19fa329e93e8876d8c08e7cc6b66

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
465KB

MD5
6ec26ab3abb32cc2d1212a003ca71291

SHA1
63e40d2a8c639d83d23fb3073dbab4ac89c978ce

SHA256
548cd74bd737c8c7260ffe01f4fbf3c004816b8e1869691b6c69d719f3f68731

SHA512
92f4f7f46d12ebfff152d98a4c7d49798d99524249be4d0ebd731f62e576eef6b4a5b5d755677a0395e8ee96ba59aef77c7b730b068f22e996412cd3e6774a3f

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
465KB

MD5
a371fa3fd1e31d85addd600dbbf4b62c

SHA1
f6fd034b9cc07beb00d64c08a8db9b0b329451dd

SHA256
8f21f1d9d9c965a8ef21bcb329ad3d1a0832c4d89ef4ce7a302210f6ec763708

SHA512
d476b77aedb4b6b192beeb6c7cda65ef3c9e4eb1cc6a520e2474703cbc5fb2ef677941e0d11bb382248ec17a2c2efd2679519388ddcccf12d075354f9469bd58

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
465KB

MD5
fcd3e428cb1010207dccfe7ccdca177c

SHA1
83a80c6e953143e16a582052d4674c3a0bf54b1b

SHA256
a844b6d906777704eee030b09b122305c6e28c37bc6293585f796e2abdbfaf72

SHA512
c525f55dd99a77779d3884564be6fa09d6b4480d5653324d25e4838bcdda5ceed623e9a4b1cf94c328781720c47b132388e07791c44aa95dee7eb75b2f4f3d27

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
465KB

MD5
a7878bbc71b8f3946c5e892585970097

SHA1
551e952fe9040e5ce60f60ed42bc857a539312e2

SHA256
75654757bb6584db01faefaef9778eb426af45b52ee775fcc98702f4e44ae5be

SHA512
ecf6a0505e879a7171f095eb357bc98829fdf00f032054b7859ebe558ee5283eb018df48cd71bfa92fb15fff84c7720f5b17db7acdd2dc619d706617d9aba288

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
465KB

MD5
dcb386d132fc1382a47f0f87bd15ec83

SHA1
5d6be4597dd8a18a8583426cf53e98129cef994f

SHA256
fdd2a02adfbdf1a182ae01e81a7f3bceb1285113311e75efbb01f922857e6107

SHA512
fda6dca8caebb96b1897f1b67cdf5cd5a8f53e17fe1cec9adfef5ec934c4c937ca10201b43ce0f4b66c57604ce9f6f0c68cf089f14dc4300a2cd80ba2ca59524

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
465KB

MD5
3c6528791d4e89df100d2fcb63ecd92f

SHA1
49a3bbe9537b0625cd8182d0456a95a41401dc43

SHA256
0f0b44cda454d4a681919f47a22cbcfd24679ee6ad61c50f59e014a92169d76c

SHA512
935c6f5892273019bb04c740a7a1f872f21f7bb17cfb9dcf74a39aaddababf4e7d7cc4a7b73630e47ba0d54d6b452d9f4fa8424226a4077d1375515ecf232dae

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
465KB

MD5
e3125ec22dbcae02fd4c3098880802e6

SHA1
68062b66f8972074fc25d81df1341816ae73a9ec

SHA256
c3df3c8427b57cbbd7581f9bfd47dbfdcbc1521640c245fabb21296b5f970d64

SHA512
f292789bdebe0db1f422f54b8077dac0272a365893575c8e641ff3d65fc18a58f4feda38099a51fb9e3de8b39e3305057de45119ed7f408371fe68504df96cd2

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
465KB

MD5
7cfdaa5d85c74e202c7147c9b25c0a16

SHA1
868a287d634c2016ae6606141f0b75e4599a8c69

SHA256
1de279b737bb4eeabc2fe70dd8444ee89ba46c5ad5c9e71468c175d8f2f02e69

SHA512
0890cc86c0f4eaa9a07363f6be42e3a9001b13cdfbeaec1e66864646e55c6cb4e7463daeb15c27194cb17c9092aef96e31dfd40b7107a5255145ae4ce951812f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
465KB

MD5
93505c71a5629cc78b92c75e30aa8a16

SHA1
51dc7e4a756538785ecc84dcbe72093397bf135b

SHA256
658b035b90e09d70269ccd0e36ce42b5acd703cda24504f7c06cd9da78d29bcd

SHA512
8ad973063af0c4412c7a8869151be6dac3ebf95ea4f70b9656f6311558ab241495fe97b8d604c5aa03fa36c529b3a11dca3b854e29df1d9ec20ea24361d0323f

Download Submit
memory/448-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/944-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1188-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1688-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1980-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2204-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2444-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2868-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3168-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3316-594-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3624-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3668-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3700-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3712-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3744-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3768-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4360-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-607-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4760-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4912-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4912-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-343-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5028-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-618-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5088-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-613-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-600-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5148-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5180-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5228-451-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5260-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5300-462-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5348-469-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5380-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5424-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5468-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5500-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5544-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5588-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5628-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5668-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5708-523-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5740-529-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5780-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5828-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5868-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5900-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5948-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5988-565-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6020-570-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6068-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6108-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads