berbew | ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe
Size

64KB
MD5

70ed6294eebcd633adf29232443eed88
SHA1

22d1adcc72d1671fe5d445310035c52eab833561
SHA256

ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76
SHA512

ae11f7e2b1c89370850d7fe92fe6052d05996cfaca39592b5461d97e7c2466336bd40d884c062f07d28743ac5fc0b2994660a9b22555876ba7f488062122bf26
SSDEEP

1536:5QOy+PsbWoCnW/RhhR6LrF5VRb3kOgNtN:6pwsbWnnW/RrRyRRLkOgZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2636	Ndhmhh32.exe
1888	Nfjjppmm.exe
4036	Njefqo32.exe
4808	Olcbmj32.exe
676	Ocnjidkf.exe
2712	Oflgep32.exe
2252	Oncofm32.exe
3016	Opakbi32.exe
1224	Ocpgod32.exe
1728	Ojjolnaq.exe
3664	Opdghh32.exe
4780	Ocbddc32.exe
3640	Ognpebpj.exe
4868	Onhhamgg.exe
400	Oqfdnhfk.exe
2328	Ojoign32.exe
2816	Oddmdf32.exe
1620	Ofeilobp.exe
2520	Pqknig32.exe
1868	Pgefeajb.exe
5092	Pjcbbmif.exe
4304	Pmannhhj.exe
4708	Pdifoehl.exe
4196	Pfjcgn32.exe
2128	Pjeoglgc.exe
2420	Pmdkch32.exe
4488	Pdkcde32.exe
4052	Pgioqq32.exe
4484	Pjhlml32.exe
2288	Pqbdjfln.exe
448	Pgllfp32.exe
5104	Pjjhbl32.exe
1396	Pmidog32.exe
4884	Pqdqof32.exe
2392	Pdpmpdbd.exe
4164	Pjmehkqk.exe
2808	Qqfmde32.exe
836	Qgqeappe.exe
4104	Qjoankoi.exe
3228	Qmmnjfnl.exe
4736	Qgcbgo32.exe
4032	Ampkof32.exe
3912	Acjclpcf.exe
3076	Afhohlbj.exe
4848	Anogiicl.exe
5020	Aqncedbp.exe
3260	Agglboim.exe
3864	Ajfhnjhq.exe
4956	Aeklkchg.exe
1956	Ajhddjfn.exe
2956	Aeniabfd.exe
3564	Aglemn32.exe
544	Ajkaii32.exe
388	Aadifclh.exe
4320	Agoabn32.exe
1064	Bmkjkd32.exe
4632	Bebblb32.exe
4724	Bganhm32.exe
3600	Bffkij32.exe
3060	Bnmcjg32.exe
1144	Balpgb32.exe
2148	Bgehcmmm.exe
4456	Bjddphlq.exe
1996	Bmbplc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjlena32.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Jdeflhhf.dll	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Ekphijkm.dll	Pdifoehl.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pmdkch32.exe
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Ocbddc32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Pjcbnbmg.dll	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ognpebpj.exe
File created	C:\Windows\SysWOW64\Odaoecld.dll	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Ocnjidkf.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ojoign32.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5260	5132	WerFault.exe	184

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgefeajb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfjjppmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfenk32.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqfdnhfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2636	3472	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe	83
PID 3472 wrote to memory of 2636	3472	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe	83
PID 3472 wrote to memory of 2636	3472	ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe	83
PID 2636 wrote to memory of 1888	2636	Ndhmhh32.exe	84
PID 2636 wrote to memory of 1888	2636	Ndhmhh32.exe	84
PID 2636 wrote to memory of 1888	2636	Ndhmhh32.exe	84
PID 1888 wrote to memory of 4036	1888	Nfjjppmm.exe	85
PID 1888 wrote to memory of 4036	1888	Nfjjppmm.exe	85
PID 1888 wrote to memory of 4036	1888	Nfjjppmm.exe	85
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4036 wrote to memory of 4808	4036	Njefqo32.exe	86
PID 4808 wrote to memory of 676	4808	Olcbmj32.exe	87
PID 4808 wrote to memory of 676	4808	Olcbmj32.exe	87
PID 4808 wrote to memory of 676	4808	Olcbmj32.exe	87
PID 676 wrote to memory of 2712	676	Ocnjidkf.exe	88
PID 676 wrote to memory of 2712	676	Ocnjidkf.exe	88
PID 676 wrote to memory of 2712	676	Ocnjidkf.exe	88
PID 2712 wrote to memory of 2252	2712	Oflgep32.exe	89
PID 2712 wrote to memory of 2252	2712	Oflgep32.exe	89
PID 2712 wrote to memory of 2252	2712	Oflgep32.exe	89
PID 2252 wrote to memory of 3016	2252	Oncofm32.exe	90
PID 2252 wrote to memory of 3016	2252	Oncofm32.exe	90
PID 2252 wrote to memory of 3016	2252	Oncofm32.exe	90
PID 3016 wrote to memory of 1224	3016	Opakbi32.exe	91
PID 3016 wrote to memory of 1224	3016	Opakbi32.exe	91
PID 3016 wrote to memory of 1224	3016	Opakbi32.exe	91
PID 1224 wrote to memory of 1728	1224	Ocpgod32.exe	92
PID 1224 wrote to memory of 1728	1224	Ocpgod32.exe	92
PID 1224 wrote to memory of 1728	1224	Ocpgod32.exe	92
PID 1728 wrote to memory of 3664	1728	Ojjolnaq.exe	93
PID 1728 wrote to memory of 3664	1728	Ojjolnaq.exe	93
PID 1728 wrote to memory of 3664	1728	Ojjolnaq.exe	93
PID 3664 wrote to memory of 4780	3664	Opdghh32.exe	94
PID 3664 wrote to memory of 4780	3664	Opdghh32.exe	94
PID 3664 wrote to memory of 4780	3664	Opdghh32.exe	94
PID 4780 wrote to memory of 3640	4780	Ocbddc32.exe	95
PID 4780 wrote to memory of 3640	4780	Ocbddc32.exe	95
PID 4780 wrote to memory of 3640	4780	Ocbddc32.exe	95
PID 3640 wrote to memory of 4868	3640	Ognpebpj.exe	96
PID 3640 wrote to memory of 4868	3640	Ognpebpj.exe	96
PID 3640 wrote to memory of 4868	3640	Ognpebpj.exe	96
PID 4868 wrote to memory of 400	4868	Onhhamgg.exe	97
PID 4868 wrote to memory of 400	4868	Onhhamgg.exe	97
PID 4868 wrote to memory of 400	4868	Onhhamgg.exe	97
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 400 wrote to memory of 2328	400	Oqfdnhfk.exe	98
PID 2328 wrote to memory of 2816	2328	Ojoign32.exe	99
PID 2328 wrote to memory of 2816	2328	Ojoign32.exe	99
PID 2328 wrote to memory of 2816	2328	Ojoign32.exe	99
PID 2816 wrote to memory of 1620	2816	Oddmdf32.exe	100
PID 2816 wrote to memory of 1620	2816	Oddmdf32.exe	100
PID 2816 wrote to memory of 1620	2816	Oddmdf32.exe	100
PID 1620 wrote to memory of 2520	1620	Ofeilobp.exe	101
PID 1620 wrote to memory of 2520	1620	Ofeilobp.exe	101
PID 1620 wrote to memory of 2520	1620	Ofeilobp.exe	101
PID 2520 wrote to memory of 1868	2520	Pqknig32.exe	102
PID 2520 wrote to memory of 1868	2520	Pqknig32.exe	102
PID 2520 wrote to memory of 1868	2520	Pqknig32.exe	102
PID 1868 wrote to memory of 5092	1868	Pgefeajb.exe	103
PID 1868 wrote to memory of 5092	1868	Pgefeajb.exe	103
PID 1868 wrote to memory of 5092	1868	Pgefeajb.exe	103
PID 5092 wrote to memory of 4304	5092	Pjcbbmif.exe	104

C:\Users\Admin\AppData\Local\Temp\ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe
"C:\Users\Admin\AppData\Local\Temp\ecf8b94e40853cad9c2cbf2a4d34d90a7008ff063983119d117c0d18095f6f76.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\Njefqo32.exe
      C:\Windows\system32\Njefqo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Ocnjidkf.exe
        
        C:\Windows\system32\Ocnjidkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        37⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        43⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4632
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        60⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        74⤵
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        76⤵
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        77⤵
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        84⤵
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        98⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        100⤵
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 404
        103⤵
        Program crash
        
        PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5132 -ip 5132
1⤵
PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
3cf44772ebf4883f27ac36629143b8fb

SHA1
2bf631e72468f8f6c9de1a2de74de36351f953c6

SHA256
5d2c312fab4fbbaed6cb3f978830a8aaba22121f95bf66693684e886a51c0b9b

SHA512
aebdb7356c3b8b69eae52d0107cd6364594f99ff2fde4761dfb2c5ff0ac91983762a87d93519800f5b769181b2f2618d48a669786e6a4aee396ddbbb62f1b75d

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
989a8f4b0cf3b9418315cb23a2e29423

SHA1
dfeb4dbea594e9d5653d1199f0d1b1d0bcd62774

SHA256
614833b575d23e98914d11074934824be2e32f285e55726a604fdabcf0e94b13

SHA512
02e9a81d8eda1a38c9231004ea68371f090c00d04f657fffe4afb569a2018b1832a87950a52b5873c86f33c0a71218b87540ea84b66b2f98794ab314f23358c4

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
ef5b18b8edae7e96d757b3266d7430f6

SHA1
ae95850f9a2bd2c48ba789f04914552644f2525c

SHA256
c05841f748f12c66f8b4e274f6c6f26ee8011be39860f2176739669082d230f2

SHA512
564b3345fcc8ed8110905e652b633df56e8cff36e311637d102c4a0c0d559b4e446c462d59924b5a084acd22ed54a9a1c5be7d20e1c2c61477f8bf96cd1fd596

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
64KB

MD5
62e37ff57d458ddefce756b99442c0ab

SHA1
a9d7dafdf7128e58ebd7b44f0a2bc08cab11d95d

SHA256
54064ae27c3ade28c295f5c57f17e2f35cf29a6881202b8d01d679e74393bf64

SHA512
4ae8c5b865f82ad3d2901122333fcb78061bae255b9d13c85660f5ec4529dec9fb4e039051baa5f8751b84dce0b6fe26705331f2781c139321c30689f566a471

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
64KB

MD5
1b2df450125bba8c3ee35cc547383413

SHA1
3d683cba25d9ad4a309aef7a05fa82c533b303c4

SHA256
464903454050d2de5d481bc8eddb202f4629bb23f2e98bc409135a9bd5cac9ae

SHA512
da6c0083e629a3969418da1079945f5dec472328bd3d0e0564674f3e99ae34f8dfa98698410540be1a2cd5366e82b3fe6ead3e46b59e02a6a018c641fb77c919

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
363c9959d5a761b71cb4138baa0469c4

SHA1
fbf012d97682c8989e4722d6b01cdbd02bf0e297

SHA256
88ce7faa13dbe4cfeb3a52462b573249b1d596f9dc35e5d517e4ace1effe2875

SHA512
50333544e4fab90c7a695de8657880005df0e988b5fc683095162b5a78734e0b08ed5973547f1a9305c18656d9513bdd53bf17dab0148b588e9fd9e9764e3605

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
64KB

MD5
90f879083a6b51e8b279b30b63e878d7

SHA1
67d1975823c2d547d18ad72b9ca88cc9480d7a35

SHA256
6b78b45c47f20382859a779664d00f7c1924981d14e5f47c81c966d6f2bee813

SHA512
557843c639cb1c24079f92b8f85d52d7ba4652ab8cbd431559832d25f03d5970458e8d3b41149c868f1965ad78fcfe976ca594728c003cad1193b100df773914

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
64KB

MD5
4ef08606b8fbd3b0be43fb1d3502d51c

SHA1
90d6d776da024e874ea4cc62ba047cf7d3f45fd9

SHA256
158a09ad3468b3216dde51070a8912a145bc56abbdbc5346768f2a4531d402b2

SHA512
b0546da7a42b2e59d41872659b802369e11ee977d7fd0d851a401126dbcccbd6cb9d0c489d7585538a2cf359516f1524d55ded7d8d3441cdfc4bc94e2e102213

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
64KB

MD5
bea3064f3676b7e0204e8c3fa6d33534

SHA1
d58106a474d927368641ca59290f48da285f686b

SHA256
8f57b1f82a0579505d592f4ad9e75cf81b62b3308264013e370bca312f4e5f4f

SHA512
b906841c11690aefaa2d5eed549f26aacb5ca9f4d8eff3e9bca9a57d286c8317fe6c5fda7206319d00a057368b7d1a08b00999bd58a9499e8f372673f93ca647

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
64KB

MD5
d8fd2aff77add93ac276033ab4bb814e

SHA1
b06343c6a45e28fe8cec5567dd6ef9922dd92064

SHA256
bf98bb2627a3ccf3fc915cd2d02cb20ca9a59de2610377cda572d6b1e25e4b02

SHA512
259ba07984f4b082d1e3959ec62e8152fee7e5e50e0c557db7fbfb5f72ee054c98797dbac12dfe9ffdefe652731b483e81928ce352357f6fdb05258b51bb4be1

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
64KB

MD5
54ecd450d125f484dfc01f3e3cab1a1b

SHA1
4cd7836f990c3c6231ae5c2922f0a709d38e1626

SHA256
0385143927f8281b0a59472f52fb01e9c709fa39b1e5c5d1ae5f772c906d3c2e

SHA512
eeacca9aa2ac2907731b457ab4c5ed7291a51e69819c872a154f0ab26f21eacc2ce971f53c5710398e0db4a5e45b4d5917c2d8c569c65c91c61303025888d50f

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
64KB

MD5
f398fe47cc73e65a50efd71f260a0950

SHA1
7d4ec5ab3b665af9bf03382a86f36f569633ccad

SHA256
b17b62f3e41492cacc6286cdbd12988d72022a40871c728a196b2825ad52ece6

SHA512
aa648c185b819688ad9d8d1ad64e4d47ad65c946b20ea1a2ab3a6c02bc1b071e80b5b3c5da1e9f0692d9d57a1e4b9936bf4e2f5b1df026c8947f3ba9d3c02b52

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
64KB

MD5
91dfd802368d4f544a9631c9e8821ee0

SHA1
4ce17be41bb3c30a3ffa0ec84dec7bb7b47123f8

SHA256
c61f34e1c5d727652bf1d886155bd4aaf85f6dad7f14f1390ac4b0090c373106

SHA512
871e1d2972e5869f588798570d6c3fb60cbd6cff7223c9e7b33693765123e216f665d455217ea37f654418051f281b0e0ae486ff491a28d938dd003a27dd8321

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
64KB

MD5
b2a17b273332f57fb5d1f0624d324483

SHA1
9c710825716906e2772026eadb5e4b9d45e45855

SHA256
5d58ecb508b92d5acd7117b747b991eb59bb9bf1e239a57a33077248b813d4ae

SHA512
d04172c7c1637495b3b93b50a91a0ff73abf4f8778388ffb904da6b39841614ac06b07066546382a38f96a28513d82cd55e1fd6a957b6639c7a8179f0fc783d9

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
60a77244f1ac92d212d76a09cc912f40

SHA1
170cd8f828489b4c0ba45a9dc2af6afdb1d1a908

SHA256
77a95204d1390466757ff6449e9152f6286551d75f55eccf1d9e495690632813

SHA512
c436c6d15db8e21733c77ad85842175aa0feda515397acc59684c5e40755a8bf66820152a9eab7b2f23f6bd8523342ce2b0bf8de84f0b9c6d3b131bc233f7e95

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
64KB

MD5
ee25625485856b759680957db916e6fa

SHA1
8395e5b6d0176dfa2ec5db63c154d171ef0b8adc

SHA256
956200078309c6d74d4a9cf036cf84877170b90f0285adc088983295d9d18dfb

SHA512
a3e0d012aeb16d06d7115fc0a33d4776c1dfba7d2cab018158788b816cc160a01d8dd0b14ef96d2a80120b2b775866d77acd6d66e3e22d1d199498ae7015c8b9

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
64KB

MD5
f8cf92309d26b4b225bb7dc1ae16371c

SHA1
2d4965b5c4926daad76a8c63f4d6801c40eb31bf

SHA256
009d6bbfdbf5bd54aff72a14eb3f17fd55164b6f4b5ae31c4eb17b11123e361c

SHA512
5c752c682079367e595eec809e5e762d9393daf30e67f7636b1477ead42f58528fc42cafa983688e50e1ac26ca55f1127ba138c42930f4f503efe14938352a53

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
64KB

MD5
390cef5af5d3abf2296a25076f272b76

SHA1
d0bc6b1e407fb603adb8fdaa9a1465b4bcb79b07

SHA256
3ea57f965837457ecfc6e9dc84eeccb9675568b161b560984ea9d9646013152a

SHA512
9ef351e7a8ad1b48e11d78c0fdc1fc8a159cd3db56dc25ab188854e2751a563253bd8b9e60a85e3fa37e19128e1678d9b89dd1514affc10feb69ea60660960ae

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
64KB

MD5
bbb0f8ba9ba4163432b24ca385ccd2ee

SHA1
af9770ca7a10f5c05fc5b321b8ea860113be7a0f

SHA256
0f61080c02e6ee7fdb75bfc75e692d755015c38b772d6f2965288494658913a4

SHA512
4f2e3a42981ba622d6f13b7f6eacc4a6bb72745c8a19d390b31d3916047317099cfe05c41a0a16ebf54ae7b7b1c89a722bca5c73cc0dcfe73f75847f426dfd11

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
a657e6d28a56f55019909ae23ae7dae3

SHA1
755ed254de2199bf9c46558cffb5d98a3f50ee81

SHA256
0eb4cae46873e96867ce809ded20caec89028568d409635d4b0e84e9ca651533

SHA512
1e1ce55145a71945e391a2d38b5015778a20558b60626ec9c1fad65ee9771d43d43f865ab00f60ca78b7717177808127f3cfcee39cd747f684c5d2b9a00d2aff

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
64KB

MD5
85f7de514fffca64d42d49d8821afe21

SHA1
8e59acda64c33812a54b4dcf73e09abf1e77c35a

SHA256
77d112f52f67a336e54c10c8251e499f86a83a927465ed5a0c16f9b0da4e111e

SHA512
de5c3831c7872094fbc206065d2d55aebb4174765ab118179bdb9dbaa6b8cc926530662b4de6572fe11cc75809699ddb6413c861a3ccf409ef01f3a204171a45

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
a2a231f6b0d9fd6294c38c5392814f20

SHA1
cf5730ec099c81ec70ea3f20390cc3306128e15d

SHA256
edf56b8c96416e5c734166599354cad550da7d10f9b4ac03a8ec5b82ba5591ad

SHA512
f664b0c6c18f14e6f5afb2125492ec7424edf1416ea3bd7f60dca7b833219fa05ff9752a178be31fe165b239bdf715607d13638a710a96312d2c6f5b7caf8aae

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
64KB

MD5
4b344f746174d7b4c15efd987cf258aa

SHA1
7e8c8e690490d73e602c2e2321a66628b01c32ff

SHA256
bd37f8f672c72ca3327890cbeafca100a5ebf63cd2497435ca53382d81f9732b

SHA512
99ec0e9e36f021499cce92ac80389f02a9cbcf1d6c6ec82ac50f065d45b2e4a4113d0e8b9ec79328dbd015a37c22eae1dff110c09c0f157d24c13b7e2c720940

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
64KB

MD5
e7205cfabf32771b0e5893a3052850bd

SHA1
89d89ffd39a78d3dd8412d905b36886273fd6baa

SHA256
6202af536af80688c745d24a50f68fbe02fa3b37b9c73895eb299c6201bf0c3d

SHA512
55ab474d8e537e035f6067fccf6e4f22072633eb2dd80e68c405729a7dec4217a68d255f514be2c4c78bc418b4018e47be94159c864cd2471ef3038606fdafad

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
64KB

MD5
2218bc677d7c1fef41c3a4b8368fa944

SHA1
0f61dbd1875199ddb0ddca3b0e8ea692964d86aa

SHA256
86ca0494ba9f91759eeace3e73f214e9bf4cd4f859a82ebc71a1d4d33a1bbb89

SHA512
0d5bd9c0062d8f151b8d1303a2c87c3d22f2604b291760f97e29fded2871f64bc1a23bb1616ad0e1047542b2079a794f479d036c29a1829ec08190eca589a7b8

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
64KB

MD5
a16564057872aca563e7d1f1a727adf3

SHA1
0643ec588cdc0f897125292c8a736f36754d3c33

SHA256
311966b0749a4007c340fc3f2ef36385fd18eddf8df90edc6c8f02bbadff606e

SHA512
b2e25671622f8d2d804f6c88fbcd01d0caea5ac10749946906a162a8c2eac99b7f0f3db3624db83cf1237b13b8e88fa52b74dc2c7b546193c15834779dc36522

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
ba8205eba90235fb01bd68b0ec2611a6

SHA1
e370bd0b3b6130f127be34ee0f6cc6561a40e1c6

SHA256
81ab4e8a388aedad74ea8664b9c4f2ca3dc66c758b9d0ab13f3b00c84e91041c

SHA512
b52c0d7b82a7d18125cbd8f6b65381b8895389b7f4b024afd37b9e74e629f0ad3b1da6c6a34ef5a37b37cfe13fb7cb3cf788c666e067a483c76c13803f05398e

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
e68ff94f1c474d6603e1318ecc8445ac

SHA1
d8316546e3d95da7e8d7f752d699d06903f8c59f

SHA256
49ab88f135ec4ceacc367572b1faf55eeb303509e9014216b3f19361d85818a7

SHA512
db6b32d0e1dfc9fe3ab7ee41d5c2cecd43393e68a268949eab7dff2c335738390c9e252c78e99f6945d202ef6f82be23bf0d7cb6092cce040a9a2639548e2ea8

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
64KB

MD5
49ae05241c021d2d6081c1b5b659ac91

SHA1
25c91aeb761a2d04e783ed060a5a63dec7c0b508

SHA256
1d882afb56b77375a392824c3ec79534cdefe39405d6ca4ec333a2466a4c0854

SHA512
ae527fcad81a28f024c3237313e1adbc669fc7b9bd08c71f490ac138556353debf32898c33452b7794f6023609e61759fcb24a0cac78e42bf8003da489bafc20

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
64KB

MD5
a9de868049d3b2aecdfed3c8b2a583c5

SHA1
87b6520d22c72160c848bc244d5172230e58ded5

SHA256
bc2da5415a61802f570d94228a3166cd84d84be0b4a1087da3e3f88e95752afa

SHA512
d2caca87eeb86938faf30d7790e0a3d53da6e0a26694163611709037dde6c77758bc6f1b60c0f1402e0618ba2c88005bafcc976bdf1b016672c2c6b22c1f5a2e

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
64KB

MD5
1d88b0823c0af893c5b221c02c22aa60

SHA1
53ae8ea977ad7f1074e40606fcbcfc3250534228

SHA256
5a0f4de6d0a5dca6475ffa07b4be3329e1ebc9d891ef4c4e6b7aff2addf05fc7

SHA512
8ec4395b83fb46e647fa2ab8f81b236550c98bc4f6e1259ff14cf88fee77cbeba56934aebb199e6988cd0aedb534ef2d93e8d4db2ce6eb3c5567b05cc23d0016

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
64KB

MD5
c073c68a8b5188fc4a283480551ba920

SHA1
7d791aed985c00486c1c8e3e535756b4b73ecdfc

SHA256
f5c90f29c8a40ae30210e5c5329881636941831b9f4f6e81517e1b7c61d9b8f2

SHA512
8553204ff0b215390157c162b7478c711e4795c1196b22e26ab5dc69cb09d008cd17252472ad117fd28e571533a5445eb7786688a4415d4d770e6b79c03a0b80

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
64KB

MD5
9780b62f99e5d6b78f7b01a8efb26077

SHA1
8135b9761486f65cfc967c9bf7bb4f5799096979

SHA256
b4696a36a8d46a854a5bdab817630c53dee8a31b1b63be2248e81397342e0252

SHA512
0f0f5586e9f33a94ef8eb22bd10c8299d2119371262f7ab007c390377c4d516fd6a7192b20cc51f8aca627ae2dbd3ac10287579ea0ae45ed29abda6bb04fbc9c

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
64KB

MD5
96ee80144f0978730c3d3ab0c08db717

SHA1
a080e087e7a6558e4d9e38a33aeac375494e7cb7

SHA256
295883ea42c84f3490a503a03906542abc4e831ca3533562fbf6f95e72d335cd

SHA512
834399937bb11a3d6c9fd5da32e3dd89d37147ff3eed1bf19ae40c867c6daf01eca4e3fccfe0447f61758b687b454a2e8bec608d5ee62d4b8a5b8ae030b51525

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
64KB

MD5
e2d14c20c66aa607628aed1ddc41d45c

SHA1
af89fca29b50eb15cd553ff77fddeed0540ebe41

SHA256
05db3e86beac6c73b4f5b208c14394e6a1493c075d575ebc4e9bba5597e5c84b

SHA512
a21572c5029da72d65c68ad32b5cdc411813f627447a4a90227f7ccf16a2653d2f0f953852425f910aa6b6679f6c2e62a7b3208d13af5e8b3e44120be54fa7c6

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
64KB

MD5
349a706873dc38268a8b5cae7461f884

SHA1
5807bf98b94220fceac44ad813a7294857f66415

SHA256
cb57cb78b6ec43554e86918c2076f7ee07fd61c85aefc80a8fc01402711dea6b

SHA512
ceb22b010a74040fb09269ef78d4cf6c51e51c222b8abd3883f31db6ac907cd0f9510ea0926b55949dd992095acba9b071c1b01bd1cfe496ecf391f9417ca6ff

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
64KB

MD5
dda72eae2b730abf17c543299cf4c9b3

SHA1
7de69d3dde70351153c875f1aa52f7bbcd67d0ca

SHA256
8fa3a6e9f9a0b4243de2cf201048f7138c8d0cc7947ed7182c2b624c9640db87

SHA512
3ecad3ce08d722127270f19478b07cba6a01ce30fb5cf4179838a8b44cd7e157f9a0f9066053dbf27ce1fc0804faea4f0031ce7a023a397b1136da358485c78a

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
64KB

MD5
4f0f8b57390c35b36562fdcd12a5d77a

SHA1
5ac0f8893c4b76e6b7ef8339b7c944eee5fd57e0

SHA256
b1e9219bb06c60b15ba9aad3f69091a0761fa0c33cd9e0233de90b21c9c6e8d2

SHA512
25d200621dae7a3ce6bd9598264bd266f1e7273b983ac05aac3d48c211f152fbb5e9f1198881f08d3401e4dc744a8e6ea05c09bc0fd274be1232239de30ce763

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
64KB

MD5
df4a8e36889bdc7b558685f952ddadc5

SHA1
73a7e8d53a0044f7f433d77a7cb1c9def6c1036e

SHA256
985a80b9dbd631c029e145447afdc484c7632da0312f2dddc63912c0189960dc

SHA512
f80b4bd2d1ecf564704b1a1d83dc29667a2df856d966f752e1878560901d8e4f700a4e612afbaee7d42e223d81e8623a002e5958ef38f15c94611590698d71c2

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
64KB

MD5
a2781bdd5dcc6be00279effd983207fa

SHA1
051c807b04bd19a665a8137af3ab10de023a5270

SHA256
a71a1c11ee7f6f4b4e4dbd39c5ece49cd507d43113842a98c18735a349dd9c19

SHA512
3c702a62c59cfb2313f3b7b2ae88ff9cfdb55f8694eb6cb12facf6c3ed4a9b0a6d33ca593573966a30744de77c1dd191725bddf29a193e161d736f91074197ea

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
64KB

MD5
47252e8b228034d14717d9db34c44010

SHA1
55aed943b29a0f6f7ad732d5d887d637d5bb7932

SHA256
cd9ff005f34390ddd0d84c139b99f7ec6d69448ffef6634630ceb4f19ebc3f69

SHA512
6a8402237d741e51b1d991dadceef543436d049ea682e59a3d2233842d0a80d6161c2f0c266c9332f46335209e7547437ce7d6e1cf46c312d856f31b6222b3dd

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
64KB

MD5
765f874a67108289dd1c3f90754dc194

SHA1
3e66ab8fd98e2400d7ce970b74d72d5af33b2a35

SHA256
c7e8b854b631f531fb8762ccaf35c0228b980820f0eab75031977f1d1c371f19

SHA512
43abd1d0be2876fa2cf96e5696d9d2cbf1ee8bc3451b040987c48641f447efb6aa824e47b9f598cfd8bd8118c9d25bf17250146d2bc1e6da2577911dd043bb92

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
64KB

MD5
983844700f0ceb162de3f310446c21b9

SHA1
f006d73d5e2e4bf272d16581e2c3fd44d0920411

SHA256
c652b83fa9b1085e091cca87f149478276c9ce7e91cc0e544a241f167b4b6f3f

SHA512
c16784fe50962d927cdac46dea045a2a73e103172fd8ab52cb884a9daabbf01e2d74ad682351c733faf58d81ec3cdcb0ef17de90d4bcd91d996a078d51d3dd21

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
64KB

MD5
c9e7343e988f0907b3da7233806b4d5d

SHA1
930501268e40cc4299483ffb5f7488d0f745f4d1

SHA256
3869b8bedc5964da689b62d003262c2bce6494c023a0907db8adcf99ee7599d2

SHA512
0c9f7c401f083c1f465f95cd5b394b134ede14ba6354d743b37059bbf53bc8f603262ad32bf6271efd0be884bb2df5a0a3703cb0c76c019a5c09cc7f9315a90a

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
64KB

MD5
3bf702b38897525d0df7d0e808fdeab4

SHA1
a82a591b5da07e84cecad744765dc75baf42f379

SHA256
220aa78cdda498d1c8d34eabbfa0abd4060b1baff0f712c5e8d4fdbc662e84bb

SHA512
3b977516baa8e3c7cbd15371fc4465cdf8ef35d52088710a33366057ef8411ecd282b0592cf34ac820e992e80804bb2bc51baff6800acd9f215a8361221d935c

Download Submit
memory/216-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/448-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-575-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1064-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1144-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1396-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1888-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-438-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-589-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2392-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-582-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2808-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-576-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2956-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3472-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3564-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-510-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-583-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3912-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4032-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4052-224-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4104-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4116-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4140-468-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4164-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4196-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4260-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4456-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4488-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4536-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4632-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4712-569-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4776-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-568-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4808-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4848-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-562-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5092-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads