berbew | 05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574

Analysis

max time kernel
96s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe
Size

93KB
MD5

443d38f74ea8cf0cb20952128c70914a
SHA1

a163cb1b40cbf0a2d7fe44eceac92853116ead62
SHA256

05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574
SHA512

347eb2303c72802edae7626d71ddbfa5a0c6985eb191a4618dc80a82d4cef4afc2e5a71768f43a9b12029082a03ae6064361251a63f7dd3d0f2582cbea6e6ee8
SSDEEP

1536:TPAXCaOcLKLG/50E7+xt4BBUprqp/oQ+/81K1DaYfMZRWuLsV+17:9aHX0E7+3prjb/sKgYfc0DV+17

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
3992	Oqfdnhfk.exe
1376	Ogpmjb32.exe
872	Onjegled.exe
1256	Oqhacgdh.exe
2368	Ocgmpccl.exe
960	Ojaelm32.exe
3608	Pmoahijl.exe
2720	Pdfjifjo.exe
3452	Pgefeajb.exe
4568	Pnonbk32.exe
5080	Pdifoehl.exe
4044	Pfjcgn32.exe
1988	Pnakhkol.exe
2212	Pcncpbmd.exe
4064	Pncgmkmj.exe
1352	Pqbdjfln.exe
2736	Pqdqof32.exe
1332	Pcbmka32.exe
3404	Pfaigm32.exe
4552	Qqfmde32.exe
2724	Qceiaa32.exe
4980	Qgqeappe.exe
4780	Qjoankoi.exe
4540	Qnjnnj32.exe
2904	Qddfkd32.exe
3748	Qcgffqei.exe
5092	Anmjcieo.exe
4280	Acjclpcf.exe
3600	Ageolo32.exe
8	Ambgef32.exe
1508	Afjlnk32.exe
4420	Aeklkchg.exe
4740	Ajhddjfn.exe
1012	Amgapeea.exe
2148	Aeniabfd.exe
724	Afoeiklb.exe
4972	Anfmjhmd.exe
3948	Aminee32.exe
4220	Accfbokl.exe
2972	Bjmnoi32.exe
648	Bmkjkd32.exe
4000	Bebblb32.exe
1496	Bganhm32.exe
2964	Bnkgeg32.exe
3688	Baicac32.exe
2980	Bgcknmop.exe
4396	Bjagjhnc.exe
1200	Bmpcfdmg.exe
4516	Beglgani.exe
3628	Bgehcmmm.exe
4928	Bjddphlq.exe
2744	Banllbdn.exe
1588	Bhhdil32.exe
632	Bfkedibe.exe
2340	Bmemac32.exe
3904	Bcoenmao.exe
3144	Cjinkg32.exe
5016	Cmgjgcgo.exe
308	Cenahpha.exe
3952	Chmndlge.exe
3956	Cnffqf32.exe
3792	Cmiflbel.exe
3380	Cdcoim32.exe
1664	Cfbkeh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Diphbb32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pncgmkmj.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ejfenk32.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	3668	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ochpdn32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3992	2544	05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe	82
PID 2544 wrote to memory of 3992	2544	05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe	82
PID 2544 wrote to memory of 3992	2544	05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe	82
PID 3992 wrote to memory of 1376	3992	Oqfdnhfk.exe	83
PID 3992 wrote to memory of 1376	3992	Oqfdnhfk.exe	83
PID 3992 wrote to memory of 1376	3992	Oqfdnhfk.exe	83
PID 1376 wrote to memory of 872	1376	Ogpmjb32.exe	84
PID 1376 wrote to memory of 872	1376	Ogpmjb32.exe	84
PID 1376 wrote to memory of 872	1376	Ogpmjb32.exe	84
PID 872 wrote to memory of 1256	872	Onjegled.exe	85
PID 872 wrote to memory of 1256	872	Onjegled.exe	85
PID 872 wrote to memory of 1256	872	Onjegled.exe	85
PID 1256 wrote to memory of 2368	1256	Oqhacgdh.exe	86
PID 1256 wrote to memory of 2368	1256	Oqhacgdh.exe	86
PID 1256 wrote to memory of 2368	1256	Oqhacgdh.exe	86
PID 2368 wrote to memory of 960	2368	Ocgmpccl.exe	87
PID 2368 wrote to memory of 960	2368	Ocgmpccl.exe	87
PID 2368 wrote to memory of 960	2368	Ocgmpccl.exe	87
PID 960 wrote to memory of 3608	960	Ojaelm32.exe	88
PID 960 wrote to memory of 3608	960	Ojaelm32.exe	88
PID 960 wrote to memory of 3608	960	Ojaelm32.exe	88
PID 3608 wrote to memory of 2720	3608	Pmoahijl.exe	89
PID 3608 wrote to memory of 2720	3608	Pmoahijl.exe	89
PID 3608 wrote to memory of 2720	3608	Pmoahijl.exe	89
PID 2720 wrote to memory of 3452	2720	Pdfjifjo.exe	90
PID 2720 wrote to memory of 3452	2720	Pdfjifjo.exe	90
PID 2720 wrote to memory of 3452	2720	Pdfjifjo.exe	90
PID 3452 wrote to memory of 4568	3452	Pgefeajb.exe	91
PID 3452 wrote to memory of 4568	3452	Pgefeajb.exe	91
PID 3452 wrote to memory of 4568	3452	Pgefeajb.exe	91
PID 4568 wrote to memory of 5080	4568	Pnonbk32.exe	92
PID 4568 wrote to memory of 5080	4568	Pnonbk32.exe	92
PID 4568 wrote to memory of 5080	4568	Pnonbk32.exe	92
PID 5080 wrote to memory of 4044	5080	Pdifoehl.exe	93
PID 5080 wrote to memory of 4044	5080	Pdifoehl.exe	93
PID 5080 wrote to memory of 4044	5080	Pdifoehl.exe	93
PID 4044 wrote to memory of 1988	4044	Pfjcgn32.exe	94
PID 4044 wrote to memory of 1988	4044	Pfjcgn32.exe	94
PID 4044 wrote to memory of 1988	4044	Pfjcgn32.exe	94
PID 1988 wrote to memory of 2212	1988	Pnakhkol.exe	95
PID 1988 wrote to memory of 2212	1988	Pnakhkol.exe	95
PID 1988 wrote to memory of 2212	1988	Pnakhkol.exe	95
PID 2212 wrote to memory of 4064	2212	Pcncpbmd.exe	96
PID 2212 wrote to memory of 4064	2212	Pcncpbmd.exe	96
PID 2212 wrote to memory of 4064	2212	Pcncpbmd.exe	96
PID 4064 wrote to memory of 1352	4064	Pncgmkmj.exe	97
PID 4064 wrote to memory of 1352	4064	Pncgmkmj.exe	97
PID 4064 wrote to memory of 1352	4064	Pncgmkmj.exe	97
PID 1352 wrote to memory of 2736	1352	Pqbdjfln.exe	98
PID 1352 wrote to memory of 2736	1352	Pqbdjfln.exe	98
PID 1352 wrote to memory of 2736	1352	Pqbdjfln.exe	98
PID 2736 wrote to memory of 1332	2736	Pqdqof32.exe	99
PID 2736 wrote to memory of 1332	2736	Pqdqof32.exe	99
PID 2736 wrote to memory of 1332	2736	Pqdqof32.exe	99
PID 1332 wrote to memory of 3404	1332	Pcbmka32.exe	100
PID 1332 wrote to memory of 3404	1332	Pcbmka32.exe	100
PID 1332 wrote to memory of 3404	1332	Pcbmka32.exe	100
PID 3404 wrote to memory of 4552	3404	Pfaigm32.exe	101
PID 3404 wrote to memory of 4552	3404	Pfaigm32.exe	101
PID 3404 wrote to memory of 4552	3404	Pfaigm32.exe	101
PID 4552 wrote to memory of 2724	4552	Qqfmde32.exe	102
PID 4552 wrote to memory of 2724	4552	Qqfmde32.exe	102
PID 4552 wrote to memory of 2724	4552	Qqfmde32.exe	102
PID 2724 wrote to memory of 4980	2724	Qceiaa32.exe	103

C:\Users\Admin\AppData\Local\Temp\05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe
"C:\Users\Admin\AppData\Local\Temp\05e527183c5d39c518425ac013e689d055226ad7b94b71fb0c05336fc1f9f574.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\Oqfdnhfk.exe
  C:\Windows\system32\Oqfdnhfk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3992
- - C:\Windows\SysWOW64\Ogpmjb32.exe
    C:\Windows\system32\Ogpmjb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Onjegled.exe
      C:\Windows\system32\Onjegled.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2904
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4220
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        66⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2848
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        81⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        85⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        88⤵
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        92⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        95⤵
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 404
        97⤵
        Program crash
        
        PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3668 -ip 3668
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
fddb49422c189d1d3c51e7d9b7dd9fa3

SHA1
44844681a8b20b639d49947710bc12990024d0bb

SHA256
9b5ecf7e929e72aced233678c55b0c8831d5f185a98e7efbaaea0ad1e949d8e6

SHA512
4ad85cb31f51bd457eb1a6c58004c8fb6150826df4095ed8e292bd1a9d40f162365ede94a6a0c02da56963bf2abeecd12893988135d039f64bff0815b8563aed

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
93KB

MD5
4114346830e3789536bb69fd3a95e59b

SHA1
e5795dc27e98f1017662ebc20b356d832ced0f09

SHA256
03b21e559b98c9168f92bd87a42ad4250205154cb625e2abe7ac9687e5556532

SHA512
0c1b5add30ac21c8bae021659252071111ffb446f64389f470fc6c5770d0289a4c0adbe6af020f66436f008e40065d520c80bda7be0d61c8ba8344625241aad6

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
93KB

MD5
f29e275b68363e5ffe304e41a250a677

SHA1
c3e35c2095eeb93d3aff4513e3836dbc5c8a564d

SHA256
903a4ecba60851efdaa68d43f974039af1ab982b8b507d3cf1c13662bebfce43

SHA512
8c5e3ba50d490f99457c040e2529ae5908e963d4079239533f945a64f783d29a1573a218e5c120141331fba2b1ebdb1584686aad0893e43cffd5af4da86590b6

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
64537076f1b1611384e517c4aa8c87a0

SHA1
c4a25f2027027aea92dfa7c657dc16b92f251d15

SHA256
4d9447f157955a7ba044a02dbe7fe5b5bc60fd6eda2b9f6045e853e730eaa483

SHA512
ed958141274b510286f2e3bf00a02e33f28390d95c17bc542dc2bb1066cff258b86124be4ef4476deb84ad6d80033b81fbd4d1931b4c6869adc107ec25298334

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
e1b44b0076beb33d84ea37b5ec849443

SHA1
8d7a5a359b029bfcc609f7f9b07c0ccda04c3d8d

SHA256
76a10c7a0cd12c6c945d0b88fe8f41215edb6fef2d1c0956082a8ae32c945760

SHA512
e96520499f2708e7a704d9fc8b53308dfce1f23dd66b3e8cb9d682fb7fd6856b051a456b7866a70e8cfba3e1d1f47390661cda9415d2bc094ec814af27e78ac2

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
93KB

MD5
7dedd1bb01a4a0f3415d54573e00eda0

SHA1
391fdbba9cffc5f022cfca177bf2d9199024b761

SHA256
6c82e90968a86ec5fc3353e2ffde014e9c0ef5f45b5bb00a94df8bac808d299a

SHA512
d6cf5446c7463619c51363ee2e5d634b2215456616d1161c1a5339dfdc756f0b345beabd4fb7280138f9986d4d6074a97be04e6cdbc1b01599a30cbfb4b1792b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
fcabc93b5157f2e8d1719163ccf2f853

SHA1
237dbd5e733598076d38ad6d2f91f0ec5b3c88d1

SHA256
1318f60c916ec07e955ba5c5345bc0203865069cd0b821da5c61d9fa0bf71b4c

SHA512
fee8daa3e5407dc7efe1823f84168a331bc80824f3c9a3e4837ee461994b2be3712f5160eda9ffec761bec91b53494417c730e777af36e7d029cc84866a1515e

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
cf63480502105b4f5a13f528f63030ae

SHA1
0963b973f6bcce5846f29aff8563c7b118b805e7

SHA256
6bbb5409c12ea7ab940e52ad075e243a44109070026d61e4dce561b764603bb5

SHA512
c0c97b5d14aff07223dc54f48c79fca6576c7d530b51641e729c7940b61757e15894f0a14bff3fa855c515eb2750143019398144dfbe921234fad8039d0a4e3c

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
93KB

MD5
78b2db61e7b9e1eda54786f7f7a2f8e3

SHA1
3d248149e57aa20cddeef4c4ae98c5638cd915f4

SHA256
014be60c5774f2d1296a04db5b24e78a4a9d0c23e703eee32d0dce8c9052ab36

SHA512
7e23f06e580b77743e4eb4b599c37a0998704c43843244a629a3780d85ee52ff7ec3352dbbfe6758d4a8ae24962125b4273765bf60e7888b80611263b0aec59b

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
0fe293a7aeaa54dbfd6d2420b1d4aaf1

SHA1
830f718f7ee12312a8f3dd5caeef5f928f4819ba

SHA256
a3dcbe741241ddc9c7587f72cfeb1a03162264ebb33b2133c271df36002f4a8d

SHA512
b98895f38ac7bc7d622406be7706146032bfe439237e07a294077aad2b560c8017bbf65111d7174e83727638dbc80341ed7c5d92c4cc8710cef4ac42c0c183b4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
93KB

MD5
dba97901f4917f558269614eca512565

SHA1
c90537536c5fc0379bd74069e0f8663e5f4fce07

SHA256
49ac011035942d35cb01fb985c7de918d40d8f18007c38f2b9f2e4ea27f94334

SHA512
e4a0845ee8581ce6372c652a469f20cc69bd5a4573f018046576ae2aa368c3cd782f65546ca3d8041d2e8135c8dadf8f4bbd9d0d533187095450572985c66276

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
93KB

MD5
15ad4980242d3d16c897bb34c0b0aa70

SHA1
9f0651067811d8429a22ead85307424fa6ebcb1e

SHA256
6a0f9e1ea8c3a2c2bbd8c0834ef8199ebd99e3045e3b22e817357431d5a20ed0

SHA512
8435706df20b43504bf3d9bef98c047763915a05bd71393ebfc28977f680502bf321cadbd512a37fab4748de9d2a1a8b99cfd1af1741a14ba82c7c8daf19e881

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
93KB

MD5
4444e9310660ed4f47ebe8a6fa49616b

SHA1
9c3a3575dd8894795a69bccae2e27bbf96f8c6c3

SHA256
d4eee13039dc2d59b2884188f0d60ef687ce1b28f396c147250a5b5d08b16c42

SHA512
c2805fec8b1e740b6bce9417f429ae7b7e823cd3205742ae0391ba74591f371211a47544dc86fbadf2a8cb5e735696e851f3189bdf13e000e10103f9d226afe5

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
93KB

MD5
fbf657a856ee1a8038984b635049f2be

SHA1
192cc576c564aeed2f098c88dc6aead3495f51fd

SHA256
754a0f768477b89b3e2ab53f0d801844ab64f6c0b26fc89469c47cee5b5918ef

SHA512
1390bc6333884283c411a823b041bbb322255205ac5520fd6a8f8b86116403ef039fc9c772df054f391bff2543063fa3bd17943129f43f0e723c101e06d0f5b6

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
4e46ef75c859e483ca8aa362ef8cb8af

SHA1
b4f33aba452be7509d3214957c0208772c288713

SHA256
1791739926a2630f631480c32e356e3295e865db3685a788508ed92b72af6e20

SHA512
61be1375e905aae3b09438b7cec413cfaa5b3a59e4a2b995bd9deade9143bfc8a84ed3a38f054f57624c69a27c8576154c9a8b873eec777abb82ef2e3f712c0e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
93KB

MD5
9ddfb2da7094f76b3752bf8f4fa10760

SHA1
4b3f46f80bef3ac70b699c42042bf3fccec5063a

SHA256
b48ef05c54c5f0d1b145b88b678133f653d4008a12da5e97b68dd7713bd3a8e9

SHA512
bc710e068b16b2f9ac86e05bd4dbbe32615751e1c59dab8a379f1561b5163594f981dd3b67ed11c8346886fe10df1f29afa4a4766d61c5c30a3522258e23f1e4

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
93KB

MD5
aa9cdcb0c22fc1f119c4d811fda9d213

SHA1
21862b2cec410d9f9546b82c2fa5e7ba32e86075

SHA256
8aa89e4b32f3b7c3fcb2f620480e68f6549540c7f87ded19681f61e1f6e4c6c1

SHA512
97abc0c84f2c9691eb0f7ad42a3bbc57da13f688329b1671a766f564c125bce9541dc5d5f75dbda85426424b2069775223ce14c7164450d4aa11435f8658d400

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
93KB

MD5
fa6050eee2db1518817b585e10560fbd

SHA1
31a828f05cd75d40e776aaddb61f70634be33720

SHA256
2aad73793f5a200de1a0bac3c69bdcf6c2366831948bb633be77e8d2eaa8af87

SHA512
5b45a68e21ac559edc0b293f145e5f86047bcda772f64da149b63fae7e5cf17d6c853415eb3c217cc4f0679f9a03823f476e69ff7bfcd944958cf78410bed1a5

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
93KB

MD5
34fe4850b851f01d7bfadfe98ca3086b

SHA1
10dc1f155f423ba38b3dccb319cefe591dca8f11

SHA256
3a358d22cb8bc1f92866f5ec479d81b69883febfc3434e129d5f1acc43b1c7f9

SHA512
78d199ffc9b9d1ee055ec5af61d68927cf09c5b834ad086e663083a53162aa065b93dea7bdbfdeb748bda9231e9823a1410954a7b060790da4368b9db9a854b5

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
93KB

MD5
f5550f9915d8baa072f636f50cead9ec

SHA1
237c9618d2ec12bf53b55498ebfd2851ef3f2830

SHA256
840840191b18d3dc3e77994d998571ea41ea8248a621314e6241c618ea35322e

SHA512
900d43ba2c8db5531eb8bf6718d794545afe0d778b70faa8f67777193c0012fa613b9ccc50f693838705724f715b6b5b6fc5dd448adebc68535a2f286fffa1d7

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
93KB

MD5
dcf6bcbac6240a1628530d7d5d82c023

SHA1
934293b7dea23e5a95076ad8b86ab3ec7566ef03

SHA256
8b480415a88f2e22c24df8a6dbb64beb540ac3eacbda57ed169b0bff3415d203

SHA512
da9e90436c1f802729539d80b667870ee5e1d9169333f3d2a9d7843edadd0b3c22b3d298bfdb4dea5b709df24c2f5e73be55804706a806e15da53bbc9c86af48

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
627fc36ddddceee345876f6eeaa80190

SHA1
4e60186c33241e60bdf8b17343573b47ca07ac15

SHA256
fca06f7f798ee7ad42e0de5cb47f68425b09ff30095cc49a4fdb1dd917410934

SHA512
4ce0bc7df778e6858152451a2f15271d631863fe728b13c8e9c7c5598e3e7fca9fa82c2076dee9666295d53ad40bbc8431f7ba1b70e354dbac313cfc5522ac1b

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
93KB

MD5
973faff0aa1543b9375d17b360d38050

SHA1
dbdf582ac40bff1c31e0d5ca6c38d464aa7bc319

SHA256
cc217508225a4b933ac3bc9a4964ef855cac9375ec12f045dd4d3e9a706b68a5

SHA512
c736e3d0b5765b44417c44cc87da5db81ebf1a90b676e0bdc5cd43fbf3f402bbd1cc13cf686973cc179902c19be40fd3ac808358af977172de83372d9f7fc71d

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
f5d6ddb7194d62ada78ec08efbcf971f

SHA1
4557eaef4c583b702e044b1cd434ca9f1d3f1134

SHA256
41cc56a79896093d10ec1c30bfbd7d4c9606abb780173c9bbea350c800a340d3

SHA512
bd1b4180a354f9bf396c24767d31b62997a71f1376b78483325d6e7ce55e0023e2bfa637490f66aed1a212f939946998c5d133a2eefeee0572fcc9491d4d079e

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
93KB

MD5
00e9bc169aba8d5c85e1d8f81f4348af

SHA1
7c5f782ea46f61e6a0b11fbbf55dde3688ac8228

SHA256
63b17e547b43aff421c5205b28bf09cecc23c832e320590b7adcc31563c4efa9

SHA512
8e2cea87ab168d97bdb329d9a394baff8bc4dd90d593b61cea27f45724df113d68d05c2cb6f55ee074e96748b2eb2b64e70551fe4659c3321fddac71c1b9f556

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
93KB

MD5
5676111c0511c017f50354c4674fe86a

SHA1
75b4e4a43f9dbf8def23c3c8880127ac45105e4e

SHA256
149ae4d70a3811d0d8b65b9c76530f02e14db609ded9351b69540fe6b4d421d6

SHA512
247fc6cc8dfaa4a9baa360d819af4f2bea8df4afa226c19540a33cb05b5bc05d17ccb8bab2b246094fe019a59bd6e3f5f588017e78589a236c2dc5256adea6c9

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
93KB

MD5
bed2d869b0ed7db570d361b9998ce62e

SHA1
ddda4f1adedba096ea780868e730c69e10e5d929

SHA256
d6195875ab795a45c9aa85eee4268b221ebaf8be4b434c0003f87591f87f3c1e

SHA512
ba7a231e16911d457b89043e0fea9137fabc7204706a314236157d627ec93b2c2432fa97f7e2c7fd78272e3d6c598d9780d33ecfbba902e509fd2405fd93f3c2

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
93KB

MD5
86514182a9a02e8bdeda95af5a5ec1c8

SHA1
d5d562740c649f09b0009b6c9d9b414122938813

SHA256
f265b553fb70a8471946058e86db899a56836d980557aa981a411812b264fbf0

SHA512
55f3a6be63e1022592f615f5ab3b699d336a36f69d231207a8177767c1f22e3989e9d74b9dff3fcd3dc79957ba4edb4d146de299c03b6f2e24f6f1fa036f6ff7

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
93KB

MD5
d668822e70d8c0eeb96544a109bb6a10

SHA1
b14dfef9a3a1f9c8f1bd31593dee541e1eab2ebf

SHA256
cf39ac22681962cba5b66c6cc93e5b153c911ebae8b0fe1a369bcad9ffc0bdbe

SHA512
4a3b21f9dd4f05f0449a3be013f130721c68841f099d2bb5f6b379bc91c1c643976832dd2aa6e08ae898022fd3fc0aeeb9fdf98efa7d6d3cce3117806b4a7426

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
93KB

MD5
2267f52ea139dc224bb187babf46aca5

SHA1
f73b74d3d51fdeea48be7df35f1f6a85fa390610

SHA256
490cc834dcb521a2de93ca4c0e5ad79ccdc9cad836122e5f22ba26a47c7f780b

SHA512
f9fe0fd649987f2fe7444d2bd874438ee2f5e38a7d96bf1cca692b35c57ff7be644f69a298c6e462f8f0d7422a0d0ff8fab2633da8060dd65879445ea1344b31

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
93KB

MD5
b13e698d21ce6245f2349b369379fbb5

SHA1
c1c225e189b2119b8919e5c4655a014e666c4e18

SHA256
25f013069b8c50304f140050357e233ead8a7d0c2f474a446264953f9bdc74b5

SHA512
6cd8de76d0840362b59f85e0e87bb64b22e6338293e549fbfd018e7c244284dad651c3d0f270853d5954b40b26e645204c813239fecab1902baa8df1c09e09fc

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
93KB

MD5
5694ce5511ab3faf84ca3ee566122396

SHA1
c5ee591cd08c3fa1b65842ec5f5a7f867676db8d

SHA256
1261681f28c3983c520dc9485897dbdf98a18fb12efe3533dd359ed84be3e427

SHA512
76cbfc282c912e5e74b89a573f591d025eb8a7940f5a165509b952dc023482a402177afadbbfd1a9d0ec9fe76eec962c8a21b3f40f3f3ec7ad1e639c7587607e

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
93KB

MD5
1884541af8bb750f6bcb48f6c69794ad

SHA1
329565bfcc963dcc2d7829dc9d60c5de0b48c7b8

SHA256
f15f60253f97e3c2b15ab41d346122df5543c1bb60059d3e4b598aa753b5ea75

SHA512
9192f357356085db16741def153818aae331f49b814272034293089e6901ca190192ed680a1d4d80b7f0c4c55d67d9d29549452884c9f5b4637dbd89af7b2a14

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
a2111bc4e8e6a91bedf96a157839bbbc

SHA1
c14705b5dc39e37ed66cae7e95fbacb12dfc5f02

SHA256
c8a7a40e2fc1bbdd66b87b0089e5e4310b8f3454463810021261959373e83e48

SHA512
0c2b9c1d4dadcff97ef530cfea51f1dfb8a2a51473a39cbded7a63d86153dea07554d26ea404ceae6e78f1080ca95ce62ad477a12b911201da1324270b9bcc63

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
93KB

MD5
2fe85f1df01b96f77e40a750eeaa9b72

SHA1
c4f47a6e913008549dd3c6290e9960686cdbdf43

SHA256
e54fef153cafae3d8be4c0972b33523213fe4a2149a2b6fa9455c3355beb625a

SHA512
5fe00c1d28406a5c2c00ec10d3bc64a0db0f569932324469f5da6250120adc40e6c0e8814ff9688e4cae1a224092a8de1a1207be90f844ef4cd5e1c88c92519a

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
93KB

MD5
07411637cca8402647486246968e72d2

SHA1
091551b4a1e61c4e7c019e7d278b83f16ba0fecf

SHA256
690cee74a75604ad9b8e6ad4e0158d717afad39e0b98410acaafeaa8734f96bc

SHA512
d479b60973ea3b1f7e51b0d7bef474c780a10b3b533f803c8d21300e8038d4ccfd1e23d6cf760b4525c088260260ad59b54b5a590c5dd2454c8b103b4b8b4e36

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
93KB

MD5
c9cff501e7b78bd6d060ebcc788b2c8b

SHA1
8599e935774a39e1fb8d2f61794543b1d79991d6

SHA256
02ea097217c1a3b324b13658308baac5af3818bf9dc44ef1552c96cc2de0bced

SHA512
abf10246f304ea664f248082aff33f0ce9e64d067eb3508238f30a0e3891348c8832dc679c8aa213753aff78ef40298693da004211c9adc038ea14504a4bde4c

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
93KB

MD5
0055c8e8f46c2229a3c66cfc71ebfc27

SHA1
6b097815666896ccc84e80938e1093bc90dd0654

SHA256
e198ded97776a1d40c9d2a4f70a4022f32be88a7a62763d1498b5fcfa29b3716

SHA512
06b077ce5bfbf411d713cac1ab6aab5a4191490a4d4902c2d544e2c9ce2d37925d0ead6d78ccece81e5e9e47addba0a5ef1879c92f09726b4c53bef1e465dcc3

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
93KB

MD5
dc556511fd0a8f751074b4a5235a1159

SHA1
0773dd729082913e96c1353d16907234d539b566

SHA256
3f5d2606dbb3e6123ab28b8d93d8472cda9984bd18e15d730d304ef4e378bea8

SHA512
f4ab612477607e2d69c25309569b6a3441e287279545d0d1bd571f4a7aac6e6761f459074e069d0ff5fb0a8dc1cdf4ac37c1a1a269d8ac2250004e1d947a1e6a

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
f7e457542a53567d7d8f77f4913f05d0

SHA1
80a54c7476d3927dc248ab6dc9b70073ba0336e3

SHA256
f55bddd59452348e5340059cf28edd399a694f4ea8a87eb654310f0fbbb85132

SHA512
60f4462c478d32151932c4ae8546367bcbe4efa444a629b3afea19ba7ef03fe6fb40a5f90b5041b41dbc1759d0b35408a834f285d716df9f5b51a12edb300187

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
93KB

MD5
dc721d8ab4fe44f63b57a1961af17214

SHA1
dd55ae92ef63981e595197ab7d1452efa713e34b

SHA256
cf22f63f99ce4209726c309804e5f33e1df185022bb6a3fafa8b951ca4e785a6

SHA512
4a60c1b7b55971de5d3ee08fb2998f16666bb8bad317e9ae4738a450762c364a4fcbf599b1112542e1298ece404528a27eb750fc21ebf2d6069b8afd333bc90a

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
93KB

MD5
9239c88262969578008ba466b91ed8ff

SHA1
15d9538de647101bac4bbd0e0ab376991390f253

SHA256
1efa1b648b53d56451082571685a7b0a1137c0790401f88fade4628bb00b9177

SHA512
faf090b326c8afb14631df08306884dfe468a5d80e6acf3991c28feb8d940f14d4be990e109be5cf9f76070eea1b6a815e8ff7a6b69d5116944827561ffd9194

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
fc2b14b392b3ae98785b8fac8290b1aa

SHA1
145dc56afc5f8743f5c28fd6a593a1bb1e4a236c

SHA256
f45fa91cca099bf16713b1bde81404903302bf104761e02f09e31401db276c4e

SHA512
df19c6ff6b046379b23803101e4669f426d7f96a8bec275efa530d77bcb3b3935e81fd41c45b5b920b17b4f794c7a604fb67ba8d684b2b9edf5bcb8cf0dc1606

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
93KB

MD5
40d1cc13debac094c2d400fa0d660639

SHA1
64ffbc9698d4d71b13e7d05a0532e885e4cbe926

SHA256
c973a5b77e9c26af5e8a76252ef18ad61adfec34f22e3d72649b8b2d021dd399

SHA512
d209883d4edf2ddc35a6fe9563b63c8e9529b381de93ed198443f34585442b374b22e8cef61d49c8626559dba53e2aa4a01ac3b0d0b570c1b8ee4b35cb7c8cd6

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
93KB

MD5
6250c9f991eaa78a304eaa6cac51dc73

SHA1
98856edac9d29165258ab291c2b05be63c5f6c2e

SHA256
4482215d69fef01488253aab8ee149355a6c0cd592a496fb3ebac8bc8a0939ba

SHA512
098fc40bc9bfe6b2aae38707431f3a1fd6d83b857833213af4af5ca66e33e44664b3f70c36bc8a001c6bd556df37f3dacb5fb7b9f9ad283fec71fcef28f38104

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
93KB

MD5
0f9395011e9f86471a1fa19384d3fc8a

SHA1
e084d85679bcad8baf13626903567efcf2bf9c7f

SHA256
348c03ab18c5297cb5e73d7c974c4e322e5209f9f1c3d9a2731e6b3cd37b7e08

SHA512
b966f5e1b627ff4273661fb5b8c4b01ef7c6394f4ca863190ddacaa999fb638ff91e50dc0dcff2b97fb04f9764f20ef96c4a05b8c83cd56a27283b215d65aaa7

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
93KB

MD5
57ed43374791e08cb23ef9688bcd5f92

SHA1
09f97e934d004a3e80bc3d28b3dfea743c09e75a

SHA256
6260066120327e765ff2bb5edbe79ebd5d2ac52cc7749c6990b859adede3957f

SHA512
1368f78d165a05226f0e7334e659a23e7580c00cbfff4931efe7fdeb1b0b0df82021cbfd1acc0d89617a4ee188c0bbefbd7ce6d702dbe78052d1f33a83cf48b6

Download Submit
memory/8-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/648-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/820-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/960-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1496-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2544-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3380-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3564-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3608-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3628-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4220-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4780-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads