berbew | de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe
Size

337KB
MD5

5ea9a29716c6fe81986852b6d56a8270
SHA1

4dcfd9c59996b28e9d952893d361ba6d42e2014e
SHA256

de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888
SHA512

688c41afe97b0a33d94d81e2a7d589967055f450aa7c0e50e44600cdc2cc680f12631824d07e5a5732d185ac69d28a00dddba67e5c06c48f50e72ad2db87e361
SSDEEP

3072:O/Wqu4kB5YvgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:O/WquRmv1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
2664	Olcbmj32.exe
4560	Ocnjidkf.exe
2916	Oncofm32.exe
988	Ocpgod32.exe
2112	Ojjolnaq.exe
4820	Ocbddc32.exe
1132	Onhhamgg.exe
1112	Ocdqjceo.exe
2316	Ofcmfodb.exe
4284	Oddmdf32.exe
4908	Pnlaml32.exe
3588	Pnonbk32.exe
1996	Pclgkb32.exe
2156	Pnakhkol.exe
3900	Pcncpbmd.exe
3888	Pjhlml32.exe
1720	Pncgmkmj.exe
784	Pcppfaka.exe
880	Pfolbmje.exe
4652	Pmidog32.exe
3648	Pdpmpdbd.exe
4408	Pfaigm32.exe
3720	Qnhahj32.exe
536	Qdbiedpa.exe
3680	Qnjnnj32.exe
2344	Ampkof32.exe
3272	Ajckij32.exe
1956	Aeiofcji.exe
1860	Afjlnk32.exe
4340	Aeklkchg.exe
824	Ajhddjfn.exe
3192	Aabmqd32.exe
3400	Afoeiklb.exe
3488	Aminee32.exe
4376	Aepefb32.exe
1268	Agoabn32.exe
1088	Bnhjohkb.exe
3912	Bagflcje.exe
4016	Bcebhoii.exe
684	Bfdodjhm.exe
2696	Bmngqdpj.exe
4692	Bchomn32.exe
2668	Bjagjhnc.exe
1548	Balpgb32.exe
4044	Bcjlcn32.exe
3796	Bfhhoi32.exe
4988	Bmbplc32.exe
3572	Bclhhnca.exe
3604	Bnbmefbg.exe
576	Bapiabak.exe
4624	Belebq32.exe
2868	Cjinkg32.exe
4656	Cmgjgcgo.exe
3872	Cabfga32.exe
2372	Cdabcm32.exe
1012	Cjkjpgfi.exe
3024	Cmiflbel.exe
3636	Ceqnmpfo.exe
1936	Cfbkeh32.exe
1224	Cnicfe32.exe
2688	Cagobalc.exe
2636	Cdfkolkf.exe
4700	Cjpckf32.exe
4192	Cajlhqjp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hmphmhjc.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pnonbk32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Olcbmj32.exe	de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ocnjidkf.exe	Olcbmj32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pncgmkmj.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Najmlf32.dll	Olcbmj32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	2288	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocnjidkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najmlf32.dll"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Ocnjidkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2664	2244	de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe	82
PID 2244 wrote to memory of 2664	2244	de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe	82
PID 2244 wrote to memory of 2664	2244	de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe	82
PID 2664 wrote to memory of 4560	2664	Olcbmj32.exe	83
PID 2664 wrote to memory of 4560	2664	Olcbmj32.exe	83
PID 2664 wrote to memory of 4560	2664	Olcbmj32.exe	83
PID 4560 wrote to memory of 2916	4560	Ocnjidkf.exe	84
PID 4560 wrote to memory of 2916	4560	Ocnjidkf.exe	84
PID 4560 wrote to memory of 2916	4560	Ocnjidkf.exe	84
PID 2916 wrote to memory of 988	2916	Oncofm32.exe	85
PID 2916 wrote to memory of 988	2916	Oncofm32.exe	85
PID 2916 wrote to memory of 988	2916	Oncofm32.exe	85
PID 988 wrote to memory of 2112	988	Ocpgod32.exe	86
PID 988 wrote to memory of 2112	988	Ocpgod32.exe	86
PID 988 wrote to memory of 2112	988	Ocpgod32.exe	86
PID 2112 wrote to memory of 4820	2112	Ojjolnaq.exe	87
PID 2112 wrote to memory of 4820	2112	Ojjolnaq.exe	87
PID 2112 wrote to memory of 4820	2112	Ojjolnaq.exe	87
PID 4820 wrote to memory of 1132	4820	Ocbddc32.exe	88
PID 4820 wrote to memory of 1132	4820	Ocbddc32.exe	88
PID 4820 wrote to memory of 1132	4820	Ocbddc32.exe	88
PID 1132 wrote to memory of 1112	1132	Onhhamgg.exe	89
PID 1132 wrote to memory of 1112	1132	Onhhamgg.exe	89
PID 1132 wrote to memory of 1112	1132	Onhhamgg.exe	89
PID 1112 wrote to memory of 2316	1112	Ocdqjceo.exe	90
PID 1112 wrote to memory of 2316	1112	Ocdqjceo.exe	90
PID 1112 wrote to memory of 2316	1112	Ocdqjceo.exe	90
PID 2316 wrote to memory of 4284	2316	Ofcmfodb.exe	91
PID 2316 wrote to memory of 4284	2316	Ofcmfodb.exe	91
PID 2316 wrote to memory of 4284	2316	Ofcmfodb.exe	91
PID 4284 wrote to memory of 4908	4284	Oddmdf32.exe	92
PID 4284 wrote to memory of 4908	4284	Oddmdf32.exe	92
PID 4284 wrote to memory of 4908	4284	Oddmdf32.exe	92
PID 4908 wrote to memory of 3588	4908	Pnlaml32.exe	93
PID 4908 wrote to memory of 3588	4908	Pnlaml32.exe	93
PID 4908 wrote to memory of 3588	4908	Pnlaml32.exe	93
PID 3588 wrote to memory of 1996	3588	Pnonbk32.exe	94
PID 3588 wrote to memory of 1996	3588	Pnonbk32.exe	94
PID 3588 wrote to memory of 1996	3588	Pnonbk32.exe	94
PID 1996 wrote to memory of 2156	1996	Pclgkb32.exe	95
PID 1996 wrote to memory of 2156	1996	Pclgkb32.exe	95
PID 1996 wrote to memory of 2156	1996	Pclgkb32.exe	95
PID 2156 wrote to memory of 3900	2156	Pnakhkol.exe	96
PID 2156 wrote to memory of 3900	2156	Pnakhkol.exe	96
PID 2156 wrote to memory of 3900	2156	Pnakhkol.exe	96
PID 3900 wrote to memory of 3888	3900	Pcncpbmd.exe	97
PID 3900 wrote to memory of 3888	3900	Pcncpbmd.exe	97
PID 3900 wrote to memory of 3888	3900	Pcncpbmd.exe	97
PID 3888 wrote to memory of 1720	3888	Pjhlml32.exe	98
PID 3888 wrote to memory of 1720	3888	Pjhlml32.exe	98
PID 3888 wrote to memory of 1720	3888	Pjhlml32.exe	98
PID 1720 wrote to memory of 784	1720	Pncgmkmj.exe	99
PID 1720 wrote to memory of 784	1720	Pncgmkmj.exe	99
PID 1720 wrote to memory of 784	1720	Pncgmkmj.exe	99
PID 784 wrote to memory of 880	784	Pcppfaka.exe	100
PID 784 wrote to memory of 880	784	Pcppfaka.exe	100
PID 784 wrote to memory of 880	784	Pcppfaka.exe	100
PID 880 wrote to memory of 4652	880	Pfolbmje.exe	101
PID 880 wrote to memory of 4652	880	Pfolbmje.exe	101
PID 880 wrote to memory of 4652	880	Pfolbmje.exe	101
PID 4652 wrote to memory of 3648	4652	Pmidog32.exe	102
PID 4652 wrote to memory of 3648	4652	Pmidog32.exe	102
PID 4652 wrote to memory of 3648	4652	Pmidog32.exe	102
PID 3648 wrote to memory of 4408	3648	Pdpmpdbd.exe	103

C:\Users\Admin\AppData\Local\Temp\de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe
"C:\Users\Admin\AppData\Local\Temp\de3ad84f3e7eb9d635a84faec8c664885f8c5e399045d402ea82e557d4589888N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\Ocnjidkf.exe
    C:\Windows\system32\Ocnjidkf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\Oncofm32.exe
      C:\Windows\system32\Oncofm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
      - C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        27⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        37⤵
        Executes dropped EXE
        
        PID:1268
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        69⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        84⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 408
        87⤵
        Program crash
        
        PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2288 -ip 2288
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
337KB

MD5
2fd4d1b3fc09d97c1ce4510783e799d6

SHA1
f801bb80f14684aff680b28c83e4239a68a2aba0

SHA256
c7d2f431b2e9463ae4d78b3a32c4d03f6851c0ed246683ae51f8ffbca529eb2c

SHA512
8f4962ab32d0ce723f6ab97705bd3a180be6042fe3485cead6380adbdd263182c2ec8a06055420b244b8a7220d5ef2a493205c7bc51df86afc848a9f7f8a2130

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
192KB

MD5
8d135baf76f8464b8dc56334d1fd199c

SHA1
867e1020ad4d86a0fba3df598ce7fa6c715546f6

SHA256
bc3de8ee4433f64cbd1bcc305b8f39c2be0b051e661e8b0950fa503be541eb35

SHA512
0e091017d1df30d79513f757d2ebd2a8653793d530cea4bcd90de1a9f9562c775c65c847c33cd36d779b4c0e9c2aaf56c5a53859f80ee802e53fb9a4cdc22727

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
337KB

MD5
e36dad942665f5e7287edc9f715675dc

SHA1
10167351c3ed3155874af4d4c3c1ea24cd7faa24

SHA256
f36bd4da4ccfbaf009eb0f04887027955628403779691c665dcd87c549685bc1

SHA512
8ee3e1213f64dd2cd4e0f4181bfc16f3671fdcbf45141608e90a47171b891fdc5fc688d91793d513268a71df29a985fb33f0b49470c37e62f7dfbcb7a727b56b

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
337KB

MD5
858e077019f0305fb60cb733a6604f2a

SHA1
ac526abad5bd868e5a65b52597fafb5154bf38da

SHA256
6c683d31b587a49b882546548e2225a57ee525d511ffa3d3329a5d5c63d7c07d

SHA512
f7275a7ff471e65d8c3a2971c869c35be3069b0c4cf1965f6e77f0d4f578325cc754b6ed5b8b00c987de38ec8c1070cc63f8903ee0c2a7bc77db053dc5308c9c

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
337KB

MD5
fa983ae33fa0e0db1cd028bd0ec67d95

SHA1
92d4109eae5bdba447eae2c74775c0b97190b427

SHA256
1b049850327f5b3733bd1c4898c9c93332f940a3cf51318f6c6f617efbd2f368

SHA512
e0002fae8edb5227ed9d588272674b59d3d0cfd935476e43e5619afa0f36a5393b5a662534731ec4ce5a9b90bedc90b5447bad1235a2fab057f2ad6f5f94bd56

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
337KB

MD5
3316ffbbd69a2fb24855b6b34e175a6b

SHA1
ccd6d003461f90471a7a8278e9880872c7ae4837

SHA256
a79c8ccc190e4c86882f9a190889be3d9aed679d27b3854ac53b3f58f8b59c62

SHA512
7dd55227ad5e9532b4497353823ab06265ac1e663dd126d67e667e06f6e37c77ecc7eff10df17a23a2fae5be83afa2eb86ccb0df7741b5e4dc8a4f7f3d54360a

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
337KB

MD5
8b5f9b5193e9f6c044078fcd30bb69ef

SHA1
5ea06b6eae1bbbe3d97940d798f0b93524e1c324

SHA256
cabd96fa7a6f93f9d243289cce93de90bda7e241b68fb2de05af0ff7d463adbc

SHA512
ae2c58ca97ba05b12bf71cfdd4c5c39dd8ad2e5da0e77d2aaf0037ae25b4da1965c358707b6dfb682ea01a9ccbc9a8ebb94b19ce0f0d01a1daa170915e495f3f

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
337KB

MD5
762f9219c68f18eeeb1fbe2a5c52ea58

SHA1
7329ca78e7804a76ea362198185ec72c0ca1ff10

SHA256
ccf4eea4f41b44119a249ea674a12056e1159d545aa5c963a5b7474356f65fea

SHA512
410850dbe2b02f3fa63066bc7a9b4b7e08f4d78cb6735bef5045c474a02920eda160fb40004d3622d90245e428ad1ec0d38dd598f8cd39cd71a637f385465372

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
256KB

MD5
dc8d0710ebfaa7b8e41161738c26c724

SHA1
aeff4d3c60bc5d32b264b86b16d9144ab661962a

SHA256
812f95945fea6e2040690ec74f5694a93e882f9e8c7d16611edf37ff51791506

SHA512
6dcb37bbf8a767da8b9fc04ce951eb5268f2450f0eb2e7fc50e0e2c8498afeed26f6c4296fb72a0be29c4a8039e1cdd2f54286276dc2be00a4bd1625e16b5c9a

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
337KB

MD5
b30aeef18bde7c8d3ce6dc7ce8b358d0

SHA1
f1aa663e81038c9ae29ec2f2790e0b1eae509968

SHA256
07ca39d01362fe0222e5c7434780c4b53d27669cf17ac6fcd532734ab15df9b8

SHA512
30962cc4f642fd6ca462f8b71d9f880aa88ceb7d9eb3bde064890bb53def5cb32dfb53ea4e4915b3735f1848f92172e4e278efdc3414b55e564a3ef26f0aaae2

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
337KB

MD5
226323ce448f6bccc53c85de02b70931

SHA1
152d4d4942621bb116be754017cf8cd3853f1a6f

SHA256
88da2b99fc594e0c83df04698e0aa9076b3af47006740193682cbd386bc9b003

SHA512
c54369c81e541f5334ccd3eff02d0f273400d0d9f00cb64c4b3871a36bead041a72f93cf78e1bcef8c903099b70fa99a11fa4e14bddf6ee4ced89d3328ee0b94

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
337KB

MD5
597cf60ae45882068e7ed861f3ca53d2

SHA1
82608ba2478678a405d50296d9c0019b939f65f7

SHA256
546247a1331078a4eedb945f103ae8e0b1874339237ce1d3dee5f3a63b02525d

SHA512
d38b92b649e9ee57f51008b133816926c20a6c600c82c868c3dfa1aba80eee71a0e4183707252fb3f5d20a2d54541357ed6d9b50516e288db2a42ab00a6e51eb

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
337KB

MD5
71896b7afadc0fb742c157826468d702

SHA1
dc621208604f99c53e33a6638a2cb77f6f8dc1c5

SHA256
8ed482b9bc62023f879a29e2050583d20c0923f2919fbb6ece10dae9d28eec1d

SHA512
0219a891c2ad061cdaf74899b4cfda44b9c416f56dbdff235479dc7004e18ee746fabab547773d0bb5fe97ea902e1cb99a368f7064d772e0122cf8757c3061ca

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
337KB

MD5
c22e7c56e935c9283082c33818f032e7

SHA1
2b569934092cb175832285413ac345bf229470c9

SHA256
0f6940453b67c05d1be868ea4a20c4f579dfbfac5fe728b232c735ccfea788cb

SHA512
47cbb5604d72cae1e076077fc65eb03f9f998f32df6210b3b01a0187b765e52734d4ce2ecbbe8970dc70e267e5318b5031915d782b5e8db9c1e88f7b06ced8cf

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
337KB

MD5
88b11692af442fe18a853d859f1c0cb9

SHA1
1279d46d52ea5bfd6e8fa935bfe32183320d159e

SHA256
cf0c950d45e0f8f942a5151c13706dccf7a4aa75662dd21975c66b07a40adbf8

SHA512
53ff27fe1b1e0b9972f57d4b402dbd6b6d15da3976a6123726a9105174c09f9692a715890b89cd503f19a4bbe94d1fc0b16129edba4df979c8f027b558df9bc6

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
337KB

MD5
1d7828e6c2533d660b0ae0c7b644e6a4

SHA1
5f1d6fd1d6f6048730bcdee7aaad386d6e995b4a

SHA256
57a8673e3c13f81a0664e9a3ff856ccfbb401f5bfcf7aada30b77f5759b8eec6

SHA512
34ed454b7dbd6b310a6c6936612ae82b0c40c235287c2688e14cac1bea98d88756ce9148755d814b612fe15b0e7d9e851f42fa9cf6af5a4f1f7d862d3d6010d7

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
337KB

MD5
c1afea73e2b7c87464a1e7623e70c20e

SHA1
c135864d9519f4ad407180dae41881b1e775dbde

SHA256
44cce72c4c0119b8ffa111b39d900f770753bfaa76ace68e0ffb6e767bcafecf

SHA512
3c0dfa3204b4f69b0842f6e14006c50094363d5c57686866c7ff37982e06e74299a49f398b3cf3958852106be35709de0971f78dd3778b33859abc89d8d6c675

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
36d054b20dcd9ee7c329c004100aa356

SHA1
e35cd3264b9eb21845166cd0f6a05cd700ea0bd1

SHA256
a24dc4bdb16af881ca0a57c786063333592ba34522690964def187388bfd3a7c

SHA512
f0f32e292932d3902655a6f6acf74a54b49ff40fd12fac9a0860fba8594abd27a35b1164ed8dd3966826142e02d2c8d3b138d6b7c2ebfb5579383866f805a993

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
337KB

MD5
4a2fdd6f69506fb037f60901cbb35462

SHA1
c6307d272b7bfd5be7a272bd2553dc93f294a96f

SHA256
e192267b7975f7cfa94bf9bf4e614da03e0f72d87dd6b4b8475654ed93e207bd

SHA512
73bf8f59d03bd1a9c871323f88674abc2de84a5311d6903e9aeec8dd9426c72ef66e9612c4a5af4d8a4e596ebdd40d937737500a674f80d8a7535b8561b38e73

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
337KB

MD5
b5c9883b8ebc8c464649e93b7e466fe5

SHA1
dfd34e35c0a45577f2a4dd992bf14642cb1a8345

SHA256
29990317d04e2200aef3e0a7938426577a50f44c03a6eec631d1024665f48256

SHA512
6d13680ef1a30819c1e51593f986022108ce61d7378fcfb868163fdbe90a599673fbbac8543d5a419cb6945a71d9d0a3c63dff26bb9756273697694c2cedc43e

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
337KB

MD5
1facbe6c39b75fae93ff028530a2d1c6

SHA1
0752e42e86c11fd07cae7b566b35c509dd6391eb

SHA256
1b836065bfbf4a1776e3a3b4e188e47bcd054bbdaa789cc1dc02569228e9740d

SHA512
7b25b011fcf9717c233361c75e7971383c4401d6eb604ecf7b00c3b378ae39292ca5e1b00459d8705b77d8bdc63c8154319fdaeca9af4a39508573dd635d6a56

Download Submit
C:\Windows\SysWOW64\Ocnjidkf.exe

Filesize
337KB

MD5
916c18bcfd84f7a1e9997f016eda6065

SHA1
7de57811664897ee185e6ea5340897971aaacca5

SHA256
e2dfd05004aa2bd5612ccbe33d5c0f83596d63b3ca0a33a347ef878ad5e98fce

SHA512
c95d5a28bbbc3261f70ce8aa9b6f80e8835fdece20b2db9d5f3e78a5d8a9e10a5529eb1ddd7b14c4b57e2ed65dfa758ddbf6b01e677c26fe89143f38839b5460

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
337KB

MD5
141bcfe2b57d54b417216b9600adcbad

SHA1
66d426e5b359056eb8d6d07bd3f95224e222f6a5

SHA256
297cf7b3e21906cde773ed9611435ac5be713cf581ce1738c8b7608870aceb75

SHA512
49bddc514c92dc13691dcacd58c610c237b9edb7bb9588cbebbc60cbf631eba34b5444171be501fdd18ed2db52221ae6dba96dff8f2af181595a545b5be630c4

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
337KB

MD5
902d6ece494fc8bdec0219f01ac1a1de

SHA1
34142b3f9d8ee60eee7b076d01df924edc20dc6c

SHA256
0ce7d2901413b106d25a6a3254a8b9fc5380d8d523e3dd71af74a409304bb8d7

SHA512
4b6d0c5c98ce9d6ff768a98e5925d630eb4a57ddcdca4e1ad59ca746dbd80c7bcab87a7b654da879f6aa80f79576661314696c46630e290981a20f209412095e

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
337KB

MD5
498774ac22993618509bc371286b01f4

SHA1
f332c7180c7eb26ea085b6ecc7fc1d5931a9c277

SHA256
df450c341999376afba398813e6cf0d587d1f079c4e2c325e5939a4fa7c04d6e

SHA512
1d991c6c31450b319d0e5d7709e2dcb19cad3e3215deb88d8295525b7821b127df45be3f73b9231597c31fba3c6ebff0dec096e57201077bef43c1dfed7ca98c

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
337KB

MD5
d86ab3c69487518446f76911133772b7

SHA1
c6f40411ec06c7541147a5d453d523a9a042562d

SHA256
4b71b7d18c571e8f2d1c4db42727bb7c9bc7f2225b05749680737d3aae3f6b46

SHA512
9dbc024dd9e9c50f417b44336201e908fed68a0daa2d58e8e181b63d9254766874aa59967c33ddfbb96cb098f331c23d1cf1ba9e58be2396667939925c9f2f68

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
337KB

MD5
5fc384fddc7aebb90704e62722939807

SHA1
d9dfe60c4fac0c20c38782e329777b7e6cfaf866

SHA256
1a34451185eaf265c4736e9d3fb7d55329adf74c4fdbe3ca6c8b97908ec843be

SHA512
633daf686a184af85ad4df3808ddc78c4161e30c10bea74f32d2de0c4dbfaca9b2512c63615f0fcfc0ca0c0f9d58178bda41306e05caf5c83cfbe24d5bee784b

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
337KB

MD5
a5e05b3cd138a38c0fa674ddad936980

SHA1
b620f86726dfc4d25ee5a21d05a884d70ba447b3

SHA256
84a7a6aa703303bf65fc6ca90a4b3c3157ca3ad2379fb382f4c176cac0c53e5c

SHA512
d7ec989c567389b3adc3279142a5492ab3f77f77714c49aa13dffa36579f183298287a644c2e0aea5a9478d467f7c56930871bf6168e78e62af0d5cec20ae233

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
337KB

MD5
71db01fe4a7d22aed883d54457058e24

SHA1
6cdc43c80d5c11dda931fcb578dddf392ef1acc5

SHA256
1d6e5c2153cd468ff0b9c7bc75d3f23c9a45d0e84e20c7da21ef64c0f72ff695

SHA512
d87016303d8edf35d4e91c768c1a48a3d03bcaf10010761e1a66a04a2bde33ea0368282b2f0622691fa735e390d2afd17f192f7c910150d0df3c3ad1a5128e2c

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
337KB

MD5
658bcd5fa86ac9507f2ed068d3b9cdd4

SHA1
531be2fcb7ff62e0bd3a76f776b4d8cd0b25c229

SHA256
5217d12e0406aec887afb0bcea59c8618196d75d4e1c4070d4154018314f98d3

SHA512
98ae9ea857cf6464933dc6fedb7e6792db40bee40841fbf0988c9b929a166f24c6504386ab29f3f9d523d7a0775aed79421d1051ed17bc6e7cf1b23fe384adb3

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
337KB

MD5
6153460a05feaf8ba02442f40cc9f641

SHA1
dcb2487a2a3a5285af4c820ad3ae98b9f82776af

SHA256
764b4c19a40b692c4335387aa1bcd6140264330f26721688ac5219352187204b

SHA512
86a3149aa82a9cf98d3f1abae40b1457fd999cea13fe635fc8543e7b9f748e893da5e2930aadcb04e90b4e932b9e601d143dd5e4507c242dd80b0fae1e983752

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
337KB

MD5
5957b6503a45a491f593b0a026dfb5f9

SHA1
c7b7cc1b1d85b91cd08fb62ff9a81ee286176b37

SHA256
f43944139687f7d1288f4defd6a17cf7b185a565dbb63179dd77637794845bbe

SHA512
daf06e9ba2b50a93b2a174c90c919e97272d7d89df0aff08828cbbdaea4fcbf4a00046a873e62f1534cee0948478c367b0da0f2324251378ea9ecb28e8bd0d9a

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
337KB

MD5
c76ae9c07ed6d0d066839e447c24ebcf

SHA1
0a91517b9703d1e5a2faa1c9f13ac378ae7593ca

SHA256
1c85c81fa645326ade7443e494c63aa4de08260df3d341fa813201cd90ad1348

SHA512
f1496a9aca807ba704bdb2951b5c4f2330c0718fad072baea76baa5bbde044a469c30d4b3ce16204c220c1d30a38d87dda7d5d635b289a94523dda200b553e19

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
337KB

MD5
9d28183afed3a0c54cf00808a9d74242

SHA1
94eeed4a6624574f38fb1e802bea771deaa9bc96

SHA256
e2e38e9285252c718cff436d3711d66a908df5206bc206df180fcc73175d9b5a

SHA512
4de91cb1776b8b62bdb26b3bd9980b0fdefa348785353ab868b812588b5423ce9955cbdb875d7193300f82ab936238b43332dc0258e0159520c59082cf3209c7

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
337KB

MD5
3b30493e994cdb88e9e9e3dd8a21bdd1

SHA1
0938eec66523072efb953c8f352298e4dd2fdbdd

SHA256
3e20e9c08ba7453f38f87998a23d8eaffb848a3c4a16bbe9f70f1c512857e63f

SHA512
8d2883b32d31a30cf78599f5a24adf08af472409eadfa0392d7ccd7b6adf1c51cd4d0ad33b6e33f7d8fc6ba652a817a4af4c58c80bccc217c50dfcb720926c3f

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
337KB

MD5
686ea1856dc326fe2736d72aca5d73c3

SHA1
fe76ae29b053f218c1136f0b018cc855f25f0c98

SHA256
7d09a1f9ef4b6aa14b55fc95cc19ce5ec192675f0beaf117945ca40739d7a2c9

SHA512
157758bdc73173e7340fa31ff1a32f8b404578371ef05ef920a9980c11d01a5f998b9c50c25e1cf71cb1a1e72738752c1c6484849b5c798cb650504eb692164c

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
337KB

MD5
c516c565f0870151e398c548eef8c6cb

SHA1
eca91ba48c466cc79de5f4146c27be74647ab258

SHA256
42b39de5f954a837433a18a74eaa7f09fe72df513fc7b87500855a6415df3c04

SHA512
de621676fd7e265744caf7dc4c4776323c3e07a59d616c51c07f8ae081cbb4e947052ccbcb8beac304e7783472dc6c736d9b2778f601455e6c4caad48dae7051

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
337KB

MD5
6c2a1f32bbf75dd6d4a4ec7eca12e234

SHA1
e1ee8cb0d7b91f693c0078429761e7b9473af902

SHA256
050f84787bb83dda89efecde153541e8d86a706097b8d1205923ed183d58e53a

SHA512
55e31b7598448b5ec38156f44477733416964353d72736c5255eec2ef9fa01684c9bd5e3850bd521b7f12ae051d35fbb59a1958f8b0103bf0417182e4e9352db

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
337KB

MD5
4dbe8964ffc82d66b372428cb245473a

SHA1
dd4467929ddd5ab109d5755dd31e05f807fe6547

SHA256
232e092eadae8b34c0d946663f7d235ac4eaab6bdc8fbca2f5f46cb0153056fd

SHA512
661495fc1200e63e721b05a43a03b74977f7f107fd17321f3d88bb24cae048e680709677869167048073139bc735d7da776ceaadde60d4a7081212fb72e7104f

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
337KB

MD5
bb230a579c1571f857a3c85af4251edd

SHA1
f90f1f112844e15a075f5ce234e766aacd17d0de

SHA256
ef50c41acff5eb3a9eae583943e1f0e057567f51d1358e20789a22bf8cdb6e79

SHA512
2338d229bdb2e19c69cafcf3ac62823d5b3a57df9c1317d68ebdba53c31274967839dab0644a1b59ed3651f7bd9a25a72dcddf525070b32d41455d6ee8fa0309

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
337KB

MD5
5de0b4662c73fd4000b0740d2024e9d5

SHA1
d48dbafecb70f53598f2977c1c6db4d7e9d63baa

SHA256
46cc55768e1c3f1780e42843bb33db4a834d8bf4394256864140673332414f92

SHA512
62f6e3cee5215c236542bc200d8e30c5682fdaaf19e7856730544b30ee25b4fc038758fe51d5f12ea13f254210092f61f8957371ee3605f568a92b47a1daabb4

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
337KB

MD5
b8482cd496fd88caa4d130d0995b8570

SHA1
64f5b6f68f7c28fa4fcab7605d6d5ca8dcead320

SHA256
1e74eac7c1e23738d49c54b46f74fbd74cb319d159708cfe95235cbc284dd6d3

SHA512
dfaae1a41143b80edd7099947dd6cfc44d1b9ac321ace8c1cd3f5a96997380a0606a7c9165895480e162a44af7a1fbe6a88cbc6e70ab15837351dd2453b5202e

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
337KB

MD5
fbd76c40aca43fa1d0076efdf82b1570

SHA1
f0ed81572d96a4570ea59d84e718649d96da8e32

SHA256
130f5a03290aabd332c7b3a48a2d7fa0bdfb3c20e53883e275f2570eac53d7fe

SHA512
7966b8a5e1a428b1e0d85d9e98b4b3a4ff0e20adbef9bdda09221ebbaeda2a130376f25843bb56d1a88d7f069fd5e49b42670fa46aa354997b18b8f6ad01ac32

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
337KB

MD5
70094ac4fe13af3effb2133619f6ca43

SHA1
0ec6ecef8a78021a3a206d871501676001b02a8d

SHA256
d7ea59b8bf5eb34243306562e835c03112896f44177440f16e8d78df53c8696e

SHA512
0ed5e1478818c5fc2134907f2689268ec31948dc0f758f5cfc2e494f543aaf9e38ba3cf7309105b36444db1591450c649ab70941fabd7e525f6fdb03a0567a4e

Download Submit
memory/536-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1336-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1736-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1852-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2664-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3612-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3736-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4016-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4044-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads