berbew | 5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
Size

93KB
MD5

ac912e86d9a986a994dcfe6edef829b0
SHA1

dc78a608463866e1bdfa7771dae484b467949c4b
SHA256

5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6
SHA512

8051cd9ff57651635cec3a4bd032b3daed348aad7ebe53a22b7aabf833fbc15333129a92ce6b37fe0baa89914b3d6e46b7efe5040b6036497297f721f64c9b39
SSDEEP

1536:gjo5OD8QX0HV1tfbh63ntCbp1DaYfMZRWuLsV+1B:3OoQoVTA0VgYfc0DV+1B

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcppfaka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojoign32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1920	Ndfqbhia.exe
3556	Njciko32.exe
2204	Ndhmhh32.exe
1396	Njefqo32.exe
3512	Odkjng32.exe
3516	Oflgep32.exe
2076	Opakbi32.exe
4248	Ogkcpbam.exe
2660	Ojjolnaq.exe
1392	Opdghh32.exe
4636	Ognpebpj.exe
3404	Odapnf32.exe
4092	Ojoign32.exe
712	Olmeci32.exe
4356	Ocgmpccl.exe
1060	Ojaelm32.exe
1188	Pnlaml32.exe
4468	Pqknig32.exe
2072	Pdfjifjo.exe
3588	Pgefeajb.exe
4676	Pfhfan32.exe
5068	Pjcbbmif.exe
1088	Pmannhhj.exe
360	Pqmjog32.exe
4756	Pqpgdfnp.exe
392	Pmfhig32.exe
4956	Pcppfaka.exe
4888	Pmidog32.exe
2464	Pqdqof32.exe
2528	Pgnilpah.exe
4536	Qmkadgpo.exe
640	Qdbiedpa.exe
2160	Qjoankoi.exe
4904	Qddfkd32.exe
2328	Qgcbgo32.exe
1500	Anmjcieo.exe
3680	Aqkgpedc.exe
2252	Ajckij32.exe
2060	Aqncedbp.exe
2200	Aclpap32.exe
4608	Anadoi32.exe
508	Acnlgp32.exe
1216	Agjhgngj.exe
4172	Amgapeea.exe
2496	Afoeiklb.exe
4996	Aepefb32.exe
3916	Bmkjkd32.exe
2340	Bganhm32.exe
2872	Bjokdipf.exe
4812	Baicac32.exe
4548	Bffkij32.exe
3068	Beglgani.exe
4948	Bcjlcn32.exe
4020	Bclhhnca.exe
996	Bnbmefbg.exe
5088	Bcoenmao.exe
5096	Cfmajipb.exe
4452	Cmgjgcgo.exe
1316	Cjkjpgfi.exe
4660	Caebma32.exe
4364	Ceqnmpfo.exe
4540	Chokikeb.exe
4252	Cfbkeh32.exe
1480	Cmlcbbcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ndfqbhia.exe	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Beapme32.dll	Opdghh32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Ndfqbhia.exe	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Bhbopgfn.dll	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Pgefeajb.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pcppfaka.exe
File created	C:\Windows\SysWOW64\Pmannhhj.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pqmjog32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Njefqo32.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pgefeajb.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Clncadfb.dll	Odapnf32.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ojaelm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3584	3752	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njciko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndfqbhia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njefqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdoemjgn.dll"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jocbigff.dll"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojoign32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1920	1944	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe	83
PID 1944 wrote to memory of 1920	1944	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe	83
PID 1944 wrote to memory of 1920	1944	5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe	83
PID 1920 wrote to memory of 3556	1920	Ndfqbhia.exe	84
PID 1920 wrote to memory of 3556	1920	Ndfqbhia.exe	84
PID 1920 wrote to memory of 3556	1920	Ndfqbhia.exe	84
PID 3556 wrote to memory of 2204	3556	Njciko32.exe	85
PID 3556 wrote to memory of 2204	3556	Njciko32.exe	85
PID 3556 wrote to memory of 2204	3556	Njciko32.exe	85
PID 2204 wrote to memory of 1396	2204	Ndhmhh32.exe	86
PID 2204 wrote to memory of 1396	2204	Ndhmhh32.exe	86
PID 2204 wrote to memory of 1396	2204	Ndhmhh32.exe	86
PID 1396 wrote to memory of 3512	1396	Njefqo32.exe	87
PID 1396 wrote to memory of 3512	1396	Njefqo32.exe	87
PID 1396 wrote to memory of 3512	1396	Njefqo32.exe	87
PID 3512 wrote to memory of 3516	3512	Odkjng32.exe	88
PID 3512 wrote to memory of 3516	3512	Odkjng32.exe	88
PID 3512 wrote to memory of 3516	3512	Odkjng32.exe	88
PID 3516 wrote to memory of 2076	3516	Oflgep32.exe	89
PID 3516 wrote to memory of 2076	3516	Oflgep32.exe	89
PID 3516 wrote to memory of 2076	3516	Oflgep32.exe	89
PID 2076 wrote to memory of 4248	2076	Opakbi32.exe	90
PID 2076 wrote to memory of 4248	2076	Opakbi32.exe	90
PID 2076 wrote to memory of 4248	2076	Opakbi32.exe	90
PID 4248 wrote to memory of 2660	4248	Ogkcpbam.exe	91
PID 4248 wrote to memory of 2660	4248	Ogkcpbam.exe	91
PID 4248 wrote to memory of 2660	4248	Ogkcpbam.exe	91
PID 2660 wrote to memory of 1392	2660	Ojjolnaq.exe	92
PID 2660 wrote to memory of 1392	2660	Ojjolnaq.exe	92
PID 2660 wrote to memory of 1392	2660	Ojjolnaq.exe	92
PID 1392 wrote to memory of 4636	1392	Opdghh32.exe	93
PID 1392 wrote to memory of 4636	1392	Opdghh32.exe	93
PID 1392 wrote to memory of 4636	1392	Opdghh32.exe	93
PID 4636 wrote to memory of 3404	4636	Ognpebpj.exe	94
PID 4636 wrote to memory of 3404	4636	Ognpebpj.exe	94
PID 4636 wrote to memory of 3404	4636	Ognpebpj.exe	94
PID 3404 wrote to memory of 4092	3404	Odapnf32.exe	95
PID 3404 wrote to memory of 4092	3404	Odapnf32.exe	95
PID 3404 wrote to memory of 4092	3404	Odapnf32.exe	95
PID 4092 wrote to memory of 712	4092	Ojoign32.exe	96
PID 4092 wrote to memory of 712	4092	Ojoign32.exe	96
PID 4092 wrote to memory of 712	4092	Ojoign32.exe	96
PID 712 wrote to memory of 4356	712	Olmeci32.exe	97
PID 712 wrote to memory of 4356	712	Olmeci32.exe	97
PID 712 wrote to memory of 4356	712	Olmeci32.exe	97
PID 4356 wrote to memory of 1060	4356	Ocgmpccl.exe	98
PID 4356 wrote to memory of 1060	4356	Ocgmpccl.exe	98
PID 4356 wrote to memory of 1060	4356	Ocgmpccl.exe	98
PID 1060 wrote to memory of 1188	1060	Ojaelm32.exe	99
PID 1060 wrote to memory of 1188	1060	Ojaelm32.exe	99
PID 1060 wrote to memory of 1188	1060	Ojaelm32.exe	99
PID 1188 wrote to memory of 4468	1188	Pnlaml32.exe	100
PID 1188 wrote to memory of 4468	1188	Pnlaml32.exe	100
PID 1188 wrote to memory of 4468	1188	Pnlaml32.exe	100
PID 4468 wrote to memory of 2072	4468	Pqknig32.exe	101
PID 4468 wrote to memory of 2072	4468	Pqknig32.exe	101
PID 4468 wrote to memory of 2072	4468	Pqknig32.exe	101
PID 2072 wrote to memory of 3588	2072	Pdfjifjo.exe	102
PID 2072 wrote to memory of 3588	2072	Pdfjifjo.exe	102
PID 2072 wrote to memory of 3588	2072	Pdfjifjo.exe	102
PID 3588 wrote to memory of 4676	3588	Pgefeajb.exe	103
PID 3588 wrote to memory of 4676	3588	Pgefeajb.exe	103
PID 3588 wrote to memory of 4676	3588	Pgefeajb.exe	103
PID 4676 wrote to memory of 5068	4676	Pfhfan32.exe	104

C:\Users\Admin\AppData\Local\Temp\5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe
"C:\Users\Admin\AppData\Local\Temp\5a70afe2908dc66451d69a0485d92cfee5a856117cbda669bbd5c93d5e765fe6N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\Ndfqbhia.exe
  C:\Windows\system32\Ndfqbhia.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\Njciko32.exe
    C:\Windows\system32\Njciko32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\Ndhmhh32.exe
      C:\Windows\system32\Ndhmhh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1088
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:360
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1664
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 396
        80⤵
        Program crash
        
        PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3752 -ip 3752
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
93KB

MD5
4bbb70fd19c4f79420fb32edc1b63bff

SHA1
82c7228913259cc71de05bb80ce9047cc3d9cf26

SHA256
aab704681ec893df6a4804531f1ba9b348d0e1d9ea2c8877cc736657d3fca5c5

SHA512
d80eda308e83c8534aecdea279dd1fbee43d69400f4bc204ea7ff7d435f650bf44488f00f208bd4cf723b7cdb36dc1f782e9a70719f0ad3f36e2888498a22aec

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
eab49b110c4d7525c8041b7eba44f44a

SHA1
6a529c325db53e4cae673b311c50405e7c550fed

SHA256
4f551ffcdb3a665c24dfd935bd7abc74a02954c8b12666b06a2d3edff19fca6c

SHA512
9e29fd5c4a277400521f3d1207ab17a616e91e2fd97c169bbc5917f517d158dc8e20389c43940467aa3044f3c9ce46fdd41cbd68602967fa3895e427ea7426dc

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
93KB

MD5
e49c268f26373558c15578d76446173b

SHA1
e91b7c8df8809641aa54dac093d540398114a8f1

SHA256
44a0e76c8415442e37cc5b94a5b9384f7a79f8177f5e6ab781c323226eb8dd0b

SHA512
2678035dcb028a19a6e9add7b97785543e8d4a1fbd63ffab9d6d1f09208d6c4ac8d7f57ed5e1f749b0ac24dc91d03975893535f65d3cac79301ecdec7b1df615

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
c200b8f34653537ec615dfb4dbab2067

SHA1
a97627e80968f6f328cbe4b7c767c5a3cf1f5c97

SHA256
4fb867cfcf96c2b24a4a9157e8b054adf12f5bf59678d7a148cbb569ac4eb464

SHA512
604bf4f2245074de4ab4fb072c32d50818ed52113868609f59e4602e481d2d20611d0603800ebeb64f50341331b233d1154a9332b4b8801f3fb802d3a9ee52d8

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
93KB

MD5
1769457ee5e55cb1b168271ee10f75ce

SHA1
8ee24508a78e4aec18bb7c9ea00ea67a9ca4f20f

SHA256
ada798db5ae07be1793f56b902c4da5a05b26c46abd3ec5ff47fd7ef6c4f90b4

SHA512
d9657aa09ddf1802c518e6ba71b0846b99329e8b68c164200c9dbdba72a7914ca10dd9a9f7debc3adec11c0a3c9bc2ae71e74d3b1dfb1acc9c64468a76f05b19

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
e73fcf6c87e7c91e3b728c37790d46c5

SHA1
ea69ea741d7007187641c2209832a5817528bd7c

SHA256
7587778f59a38576ff3139dec27195fae00da7404acb7e64d8607c2826795657

SHA512
123559e89246af40140ada7151c1e2a47b616c6c6772c7ba5da1743b28f4e010f08d868e127d266f621c8a25dae79632ee3aa32db94b5ff28e74400eaefb1d7c

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
93KB

MD5
ffeff83915156751aeb75b0ee2f5e8a6

SHA1
036c3695ee3dc4ba22aa7241825b91722ad68e77

SHA256
b669e19eb312584c74a37d3e8ce11f9bc565e6bc4c8a91ddcf34bcb005e56420

SHA512
c9cf7707a81427548092c01f05512dc4f19a6bd6da7dcab76b5b1fbe32324a79360148d8ffea709a77054bcf20a81fd7ec20297e38ebe36c47668f45db29547b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
93KB

MD5
bb484cd54587365610c087a0751eac5c

SHA1
b8bbc6c8df26efa572a55ed3a18f878c86e566a1

SHA256
837a76d34c848ee0e4fff9c850544159b5f8d8a6ea941b4fd067f462ee979838

SHA512
d134966fdfaaed010f30c4681f44e7deda3e03ccb8beb9f022ee8f07ffbed9c82b5d14c54a5715516d832efbdeff46bb2abca356b8e261b86560df6a84516fac

Download Submit
C:\Windows\SysWOW64\Ndfqbhia.exe

Filesize
93KB

MD5
ba7ed9fa6c52a1e07d9c6ea23b422528

SHA1
da4fd8ddf97857586b3c468f5665a470161d3822

SHA256
70663e5468eb6ea633d738c56546f49898dbaa425deeef913772767097a92b48

SHA512
058424f8ef476661483d9d90fbb36c488e8f49ce9a79f8ddee646a181b0446da315d660353b62a1d897cbb68ebf3d0828f847390dbf749561844dc18fefbfc09

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
93KB

MD5
07552bb13cab5940a86ebe863f69c344

SHA1
d6fbe2098b97d5ef0ffdcffb64882581a8d3d571

SHA256
f71d25aaab4cc9ef9e5bc3ffbdff421242072ad0f8efac08b0d1b5ce14163c51

SHA512
f899284d5db947fb9b4aeff21211dcc2f5493845c2d2f3c45342b41a4aa31b8a71205cddeebf2210225f07866e93971662cdc1171d5596d7274475c12c284878

Download Submit
C:\Windows\SysWOW64\Njciko32.exe

Filesize
93KB

MD5
9a8da6c0bb714928196d6641bcb2ac8c

SHA1
d827e2b025cb79d00f995ad4e5b6149ac312ebc7

SHA256
4efe08fd8129df4f8d4ec983f65535a553fcb27121c24b97b4f16183e367d590

SHA512
6ccb691c493e0d7543c02e12a6011a30d2ffd7627787512cb77b3f13daf8a182ba2ab1407acf7aa0c26725eff741f16962cd0bbcf4a795046b0be2e1905af52a

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
93KB

MD5
b85c85269893bb86d7e48bad2e511edc

SHA1
3866a34aef03fa7375b922ae0a7677281043aa0c

SHA256
ad62909145262ca6005de835c7d4f9b570bea16dba7b60cd73a1fca051a3abf2

SHA512
f816d6639a7d8086aa4d926c0e4359b233f0af623380ab5fe12c1db158c8caede43c61fbdf0907c305d8fe89844e002abc20ece96852c25e464d7679b937f38f

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
93KB

MD5
5f224ad7d28c26ef656d966f9bb444c8

SHA1
219aa71efd2a051d4137e126a2d3a573ce616b7e

SHA256
7efca6dd1bcf9fa02456a95cfd07f4f3a470487252af21496e3010484d90d92e

SHA512
8f7bb7fa40589e7b9d0985fba58871edb97337296edd89994fed1087ab1a5279542ec00daf05fb3118d1eb9aefa49aadc36e7735217b705af61a5779b1e5af03

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
93KB

MD5
e46fd6c6060f5fd71372259f9c08770a

SHA1
59405ba3601c8e48f6141f967639edfc988987f5

SHA256
e3858fe0a1ef22de68e9d2b2added4976999ef6dce3673717ce2e5e8f9e940a4

SHA512
e07d3c733bdd3df0112ab1df10aa4805f85a0631b9b07dc7113fdb5ff4548d85a307357c6550d96eba45811ea9aaa2ec3f5c4728f063aab9df7ee5de2d24e009

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
93KB

MD5
031229d9c50d68015e2abcb89a3c9280

SHA1
996fc27b21bf03d1ee9c1612671508f7b73d4a0b

SHA256
d1a602290ab9b5806dfd59e2aeb614368cd6dcd930a0cee340ccc42c8aa3ecf6

SHA512
3e6b67bc2daef39c7d86a1049b24e8537d33fbd3f5feab5fbc40ac23b76f84bc6806d8332502b601bfc3e293ca9eaa890d09c07959e6c2aa0f58821da7e2acf3

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
93KB

MD5
7dbafadcb1df6348b7a18991dbd18b5a

SHA1
7b89c123d21cdb07d56a74660a95e40f95728428

SHA256
8ba752874e4f3a57515cbe034315b4aee8dcb27bbfe5b9f23dce2e83c6286052

SHA512
82e2066ca488c99f129a06af5eea6a74d8f6039b8731d76a97b3853d76ddf140abbe80023dd12592cc905f5ef861f25b97b3031c832e9a979a393aa6a3b76eda

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
93KB

MD5
5c177242869e512d332fd3fedd12f0b2

SHA1
a763614c70502b5da39fb906496e913ca851cb0e

SHA256
10b60b7172177057543941286ad4e27784bea337ff8035722333ce18ebb65ac4

SHA512
e2c742736ee52d427717d6701acc9670cb4090b33b2ee33ba4c8c92541ef7695f02eeb067cff1a0d135256d7fb746df58e563799dd62c046a46e6301728d8c6c

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
93KB

MD5
570a12e0e61cc14896183b0f84130f8e

SHA1
aca87247b3fbd16a0f0d8763a2bf149132c07dff

SHA256
85e58f76821ae75e5eff16de4f80a20fbc32c87ffeb0a168d75090e27c3772ad

SHA512
11b625e0a225c8ce83991b404706094c600003f50dc4ebc929ba0c2a74abb410dcb0045c52f6dc158b3801e879f9b0f51bc0149ce46f5cc35318f3f97dcdd989

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
93KB

MD5
9862204d3c14e433f222a5409625cef5

SHA1
66e8dae3cc51aa8368c4a7d7213c765ae3d355cf

SHA256
4f0a1cfb82fdd0861ad117ab9643142eca6b35aac09a58d9ff1ec31f6721f588

SHA512
8a61fb1448edcd27b9de1276f3ae0c4dfa526e4a85e471049054c5efadf7f4db090a274aeab383664ec7d267fc65a83c9fe74245474cab1574d9fcd398d6a194

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
93KB

MD5
82b081154e0ea7629ce0fe2eebd52444

SHA1
66c6fdcb5cfe0c37dd453571cd7e1c69d5b119c8

SHA256
2387090532adf24b2b8212835b8565513bd9b3988a056eac3e156d766dc56db1

SHA512
0f3b1fc0cc6f890f862fdf341b4b99b91d18855eb4230424bd221918b6d184f8e5e152c4a5689aab935a6d5ed5658690f97dbd97348583db274541621f0985a4

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
93KB

MD5
673d7f9443b441e80b550dbfc56506dc

SHA1
73190268b28795e0c6b861c7c3c85009db038415

SHA256
32bbb8f5ea9b37b4b439cf9a46d54b5c6bc0741104c4c33ea7a56d26899a1a80

SHA512
3b16b2662ff774d5f81d5094dc9a5a4dc2a4930b3cdb0cf7c59ddc6e7d3561b10480315ca2946a2e9ae13fa79b4bd7ce55d12df126345f997cfd03b6de68081d

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
93KB

MD5
e42879e65ba05d28f5c76fc13e56848e

SHA1
b4622fc6090ccaecb1c852527f13e83ed76d7018

SHA256
489137e709ef24852d89c10b4b788e5f7e7aae5982575ce1c6cf575286f54ba3

SHA512
79cd362365cda037382d4e4923e917f26020c4f1fc334e6186bb250969435514d6c3ab6edb4f8f6da5b9517ef47bc28d0852ec67cb50b04290c8feff1393d1b0

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
93KB

MD5
dc6c461e652d8b3becbc73d02bf0919b

SHA1
0bd5e70b18e1cc480d734954c8f080b5a54a0d3e

SHA256
3ad3bafd757ea2ffad765ce3d1840dec52d6afafc405be9bd3ed49f1cc3902ee

SHA512
bf26176091c98b547e0f62a827dbb91063c79743058dae14f363586e096bc8073f406846478583d9ff1b3f732a38c954c4a58ba30b2558a81c79d28df5541998

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
93KB

MD5
6618caa33ed3146b923fb55f8e142083

SHA1
cb624771664a214167e97444a11bfd4ab39ae885

SHA256
98ffd81984bf1e01a815df384b991a812f6dabdf66a7d0e086c5532dffa3bdc4

SHA512
91609344dc580a1f573a3b5644ee9c5f8f6925e874f2f9bebcac462005d220e959ad58b8d11b756f6a2b99f78929d48f2659fe1137d0919ef1513349cce58413

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
93KB

MD5
12e198060619696cbaea301adbe06423

SHA1
00fce66eedbfb976f23883bb66532e5cb31eebab

SHA256
6e4b6a73b90950f195d00cafe5495e1172e2ff17713f2ec87f0bb4654aa77b0e

SHA512
fe3037efe5642b7412473aa85ef97304b5193fd4505c2ed009d78f9db7e90be0c451e30e6c55e3afebbcef3263d6b904031c41783649b9177182cfc660e80ca5

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
93KB

MD5
cdcadcec510e5c512e78e9f33f49e826

SHA1
c81e2fb0096769ae2405f0aca7a448940a40e71a

SHA256
60295354bb64a03e2ff423ea5c0dd8d8b7ab7d96d1af343a7b48d953190fb0da

SHA512
b08583cda77b27b29a9c2a3f67481ff2cc059a3f70f4ee860586b28acd26b506efe65322135f6ffad173fcaf61126cff0049a2eacfb2d064f12ee296526178f9

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
93KB

MD5
4baa624c366bdf819b8131a2968e001f

SHA1
64baecc8c06dcfa517b172c43ece19f1992ad32e

SHA256
99524ae20c33c7a1e73fcc4b909f939961d6a5639647aecb2c71077a252820a1

SHA512
684889a235fe0e58ecf21da2cdb582135cccf6b8811dab347027c92a9a5e810a4768d0d74542a3b9a9d805506267edba6ca7efcc9df3061be8a90cdfaccc080c

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
93KB

MD5
2cf0e135608698d06d3ac72911d4ed96

SHA1
afc1d81b934b471c71b925c86073813909fe3dc9

SHA256
e7940be0a663cc0e89d5a929979357add3559d433f5ddedd01ee57b151229e07

SHA512
571acbcdaae1f4a95f5351a065fffdbe8efb805861e01873b708e56aafd5f7603ba1d25c7cb46c431a8e57dcea6c405af933e4654eb47740e50124bd9a234db4

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
93KB

MD5
892bdb758cb71ac824b3b665a828365c

SHA1
b15d05c1d65e80a418c7a0a78560f494ab3ac3b1

SHA256
97dae7ac6313721e98996e9df808e630b3a4e1c1691fdf704db585c7def4695b

SHA512
6e6fa38359c3d3c13ed9499adfd54de9aa162785109322e402d148b947bc74787179298f1927cda9d8ffce143d3ffe670387c8304797ef4cf07741354a7afe8b

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
93KB

MD5
bf9c59fd087f0a8ee15fdc61c717a913

SHA1
7e2ba6ae7f64305f968e8adda7da49c160d4b24b

SHA256
2873b781f45cac71aa54004f9bfcfb02da7cead31615e797465759139ab96cd5

SHA512
2a41e7c883413417fc5a6465427da537913bd18754b5a1c28b3f7e737af88d075862d11ab4f648f306f70d3ef8b352d08ced1929e8eec4514a819659f007c87c

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
93KB

MD5
6d004f9d69be5a3fd8e4b4913b6f9840

SHA1
160ce13b96eddcca8be16aafe340ecab237dc3ad

SHA256
17919bd811d1d53b443824107d93b448f54722c7366a1b1865f27839d2c4bdda

SHA512
9a61272eb1ff7415e430a4d6f4c4072ef911ebd85b1247c77aa341c66b61d0c540bdf60372798f88549d7224fab5c5bfc3746aac117a75ba4fc2282c77bc8f06

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
93KB

MD5
3ef07833ebd4940c6e735985020ce11c

SHA1
bf834f2244c3a86214755be0ce227543b5c40ce2

SHA256
94c6b9cf2955ebaa8c15710557f4c2b64b95ecaa2350bd0bbea96607bf154011

SHA512
75c50c1448c21868e100fe4ff74560edcdcfcc9361588eacd2ca9b3e1ea58c8c0fe9fc78999d451eba87a30f912f0cb32c6f362bede6a67a52c865ccdc17a8fc

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
93KB

MD5
206a3cf1c09319b9f1a2b0446dacbca4

SHA1
4b0fecb970a6046cbddaafe0a6850280d6b5bdec

SHA256
47ca2393948a075f493ae854d7a16c149a3fd1f7824f680571f6e623fe30acdb

SHA512
6abafbc0f9d37cb1f256bf833dffdce1bdb66f236d2e7b25c241dd622adbadfd4ffd8955929a03eebaebce0d9f685b8de265d87257e600e4be28699ea598f7b0

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
93KB

MD5
97c0ee2d2e53cdff5a458c8f330aa6d8

SHA1
79f72d676bf84e864297ddc25060acb4fc6f6c23

SHA256
a4bde500e16f7a36c1c54fb5f210ba6fee8d3a9e82751cb328c1f25cad01e4e2

SHA512
3df183077732dab74f656c7e17b5c7e635a70838a34b652007be6c234a200eef56159d504437d44314979b147a0d464b0de4558331463ed6807228efc6ce29fb

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
93KB

MD5
54fccb85b72db14e856c0ccf6e782fb6

SHA1
19f2346773948f260d95ba0d709aad6bf872b6da

SHA256
fd1b7fceb8b4f3b005fd1b96a53524fe1670f628b80462865349ed5cb315192f

SHA512
df86b508c7a9c77868f8e19dcf564240e21e9b196f2c255c8b35cb5ec2b94e5b1c583c4db0d9786795c09bdf103e8c10a1effad8be7ac527a1d830a05638f65f

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
93KB

MD5
e3860b35fd6049ee4dfb902ca5007432

SHA1
9c51fd15ce9270303788e0a011390d031a03fc2e

SHA256
00b1e955e5ff861d728595de43527e0fe854eed9c5142892babb04ee827c6b37

SHA512
02bbab45edac6d1df9f80b20d921316339b15853c071beeed31d311ee262bfb719bd850a71e4663df3a54f2a11c4514426317e2fa8d055a74a295f572ea5870d

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
93KB

MD5
e5834cc7818eaf6a375d9f1c50b31639

SHA1
54cedbbd31a7b82124fd09865e00bdda7eeadcb3

SHA256
94e03081dec5026e40763796296a382bf7327ff13e489912bd77f86279e66b39

SHA512
51dabfb240dba3352b96603e5c670605bf2329925264e8b12c31b6c3ae922005016a7e5610d1fc98ceffa2e4fb9d5c08121de65add6f020de4720122097a197f

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
93KB

MD5
f597369fadb17e94e71b587d99244067

SHA1
fc32711802eca08b059699acdaffa1fef7f81a50

SHA256
7b1c3eb7facc02184a7645916330bca4e145084e1cc3631ff92996d5b2f8e532

SHA512
67ed06bff090eea66fe5c17930e3a27c6b6230c506b723ac91891b47d0d33b6e6e7ec0acca50289d6f07ac951af2c5e7e998aaa858c94f230f7bfd5db3d7e1db

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
93KB

MD5
b728bf77616fb2df0c61fd851e2e2d23

SHA1
e71488923549aeb9dba237e7a731f83e681cd68d

SHA256
d6d249fa608d3f88840d17c2c989fcd767d14933eff2412ba6ad18dd98d6efb7

SHA512
8b8503923aed2adbb24a8973e59b857ec7b236281ee7b13151ff67140bd3fd57e300e0272a23af9c9f7fc08bb740c132155c448ad7a62545ff2d08f5c15a3d7a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
93KB

MD5
c854e0b1bd35007587bd9686b8040b69

SHA1
18714b0ee4725e32f2ea1fb823064dbe35a175d8

SHA256
7c471784a3a5eafd97c5e11abd8d9d9f39c392abf59db2c104d41986013c58eb

SHA512
9baad0b0b9ceb80071698b1e734ad69130dd003a6ef80d1667354acd128f5cdb393f03dba7614a56737003355a1fa8e2e8228d65e8b254acddaa5470d28cface

Download Submit
memory/360-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/508-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/996-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1188-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1324-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1392-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-529-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2060-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3404-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3692-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4636-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads