berbew | a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe
Size

80KB
MD5

c40ef6b2ea25521a0bbba05edf4d8900
SHA1

9e6d53cc464a2b7f0529db55a6e938108ef88279
SHA256

a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169
SHA512

a4148d40556fff0c1874d58de57ff9fb51c67bf8e0ba239ef4c3af1523fb033627b4eb29a40f11004c8873ab38ea411db0a8a62429287fb9a5fe520da29e9c91
SSDEEP

1536:p5VIyuMBAcfCZTe/GQrmQqqjVHuAYQInyreWNm2LhJ9VqDlzVxyh+CbxMa:hPrfCZGv1qqjVHuAsnLCLhJ9IDlRxyhj

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3312	Ofqpqo32.exe
4792	Olkhmi32.exe
1052	Ocdqjceo.exe
3604	Ofcmfodb.exe
2840	Oqhacgdh.exe
3156	Ofeilobp.exe
3920	Pnlaml32.exe
2504	Pqknig32.exe
4068	Pfhfan32.exe
888	Pmannhhj.exe
948	Pclgkb32.exe
3360	Pjeoglgc.exe
3116	Pdkcde32.exe
4124	Pmfhig32.exe
5108	Pcppfaka.exe
4076	Pjjhbl32.exe
2792	Pqdqof32.exe
5072	Pfaigm32.exe
2784	Qmkadgpo.exe
1224	Qceiaa32.exe
4744	Qjoankoi.exe
4204	Qqijje32.exe
5056	Qgcbgo32.exe
2244	Anmjcieo.exe
4196	Adgbpc32.exe
2180	Ageolo32.exe
4868	Anogiicl.exe
216	Aclpap32.exe
1152	Afjlnk32.exe
1888	Anadoi32.exe
464	Amddjegd.exe
5104	Aeklkchg.exe
4864	Ajhddjfn.exe
4448	Aabmqd32.exe
2856	Acqimo32.exe
1260	Ajkaii32.exe
4928	Aadifclh.exe
3164	Bnhjohkb.exe
856	Bebblb32.exe
2788	Bfdodjhm.exe
4092	Bmngqdpj.exe
2700	Bchomn32.exe
4344	Bjagjhnc.exe
184	Bnmcjg32.exe
2960	Bcjlcn32.exe
4768	Bfhhoi32.exe
4916	Bnpppgdj.exe
4940	Beihma32.exe
716	Bclhhnca.exe
1256	Bjfaeh32.exe
4800	Bmemac32.exe
2800	Cndikf32.exe
4888	Cmgjgcgo.exe
4816	Cenahpha.exe
524	Cnffqf32.exe
2584	Ceqnmpfo.exe
3776	Cfbkeh32.exe
4576	Cagobalc.exe
2396	Cdfkolkf.exe
4144	Cfdhkhjj.exe
2492	Cmnpgb32.exe
1988	Ceehho32.exe
3268	Chcddk32.exe
1128	Cmqmma32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ofqpqo32.exe	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocdqjceo.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pdkcde32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	3092	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqdqof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odaoecld.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3312	4212	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe	82
PID 4212 wrote to memory of 3312	4212	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe	82
PID 4212 wrote to memory of 3312	4212	a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe	82
PID 3312 wrote to memory of 4792	3312	Ofqpqo32.exe	83
PID 3312 wrote to memory of 4792	3312	Ofqpqo32.exe	83
PID 3312 wrote to memory of 4792	3312	Ofqpqo32.exe	83
PID 4792 wrote to memory of 1052	4792	Olkhmi32.exe	84
PID 4792 wrote to memory of 1052	4792	Olkhmi32.exe	84
PID 4792 wrote to memory of 1052	4792	Olkhmi32.exe	84
PID 1052 wrote to memory of 3604	1052	Ocdqjceo.exe	85
PID 1052 wrote to memory of 3604	1052	Ocdqjceo.exe	85
PID 1052 wrote to memory of 3604	1052	Ocdqjceo.exe	85
PID 3604 wrote to memory of 2840	3604	Ofcmfodb.exe	86
PID 3604 wrote to memory of 2840	3604	Ofcmfodb.exe	86
PID 3604 wrote to memory of 2840	3604	Ofcmfodb.exe	86
PID 2840 wrote to memory of 3156	2840	Oqhacgdh.exe	87
PID 2840 wrote to memory of 3156	2840	Oqhacgdh.exe	87
PID 2840 wrote to memory of 3156	2840	Oqhacgdh.exe	87
PID 3156 wrote to memory of 3920	3156	Ofeilobp.exe	88
PID 3156 wrote to memory of 3920	3156	Ofeilobp.exe	88
PID 3156 wrote to memory of 3920	3156	Ofeilobp.exe	88
PID 3920 wrote to memory of 2504	3920	Pnlaml32.exe	89
PID 3920 wrote to memory of 2504	3920	Pnlaml32.exe	89
PID 3920 wrote to memory of 2504	3920	Pnlaml32.exe	89
PID 2504 wrote to memory of 4068	2504	Pqknig32.exe	90
PID 2504 wrote to memory of 4068	2504	Pqknig32.exe	90
PID 2504 wrote to memory of 4068	2504	Pqknig32.exe	90
PID 4068 wrote to memory of 888	4068	Pfhfan32.exe	91
PID 4068 wrote to memory of 888	4068	Pfhfan32.exe	91
PID 4068 wrote to memory of 888	4068	Pfhfan32.exe	91
PID 888 wrote to memory of 948	888	Pmannhhj.exe	92
PID 888 wrote to memory of 948	888	Pmannhhj.exe	92
PID 888 wrote to memory of 948	888	Pmannhhj.exe	92
PID 948 wrote to memory of 3360	948	Pclgkb32.exe	93
PID 948 wrote to memory of 3360	948	Pclgkb32.exe	93
PID 948 wrote to memory of 3360	948	Pclgkb32.exe	93
PID 3360 wrote to memory of 3116	3360	Pjeoglgc.exe	94
PID 3360 wrote to memory of 3116	3360	Pjeoglgc.exe	94
PID 3360 wrote to memory of 3116	3360	Pjeoglgc.exe	94
PID 3116 wrote to memory of 4124	3116	Pdkcde32.exe	95
PID 3116 wrote to memory of 4124	3116	Pdkcde32.exe	95
PID 3116 wrote to memory of 4124	3116	Pdkcde32.exe	95
PID 4124 wrote to memory of 5108	4124	Pmfhig32.exe	96
PID 4124 wrote to memory of 5108	4124	Pmfhig32.exe	96
PID 4124 wrote to memory of 5108	4124	Pmfhig32.exe	96
PID 5108 wrote to memory of 4076	5108	Pcppfaka.exe	97
PID 5108 wrote to memory of 4076	5108	Pcppfaka.exe	97
PID 5108 wrote to memory of 4076	5108	Pcppfaka.exe	97
PID 4076 wrote to memory of 2792	4076	Pjjhbl32.exe	98
PID 4076 wrote to memory of 2792	4076	Pjjhbl32.exe	98
PID 4076 wrote to memory of 2792	4076	Pjjhbl32.exe	98
PID 2792 wrote to memory of 5072	2792	Pqdqof32.exe	99
PID 2792 wrote to memory of 5072	2792	Pqdqof32.exe	99
PID 2792 wrote to memory of 5072	2792	Pqdqof32.exe	99
PID 5072 wrote to memory of 2784	5072	Pfaigm32.exe	100
PID 5072 wrote to memory of 2784	5072	Pfaigm32.exe	100
PID 5072 wrote to memory of 2784	5072	Pfaigm32.exe	100
PID 2784 wrote to memory of 1224	2784	Qmkadgpo.exe	101
PID 2784 wrote to memory of 1224	2784	Qmkadgpo.exe	101
PID 2784 wrote to memory of 1224	2784	Qmkadgpo.exe	101
PID 1224 wrote to memory of 4744	1224	Qceiaa32.exe	102
PID 1224 wrote to memory of 4744	1224	Qceiaa32.exe	102
PID 1224 wrote to memory of 4744	1224	Qceiaa32.exe	102
PID 4744 wrote to memory of 4204	4744	Qjoankoi.exe	103

C:\Users\Admin\AppData\Local\Temp\a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe
"C:\Users\Admin\AppData\Local\Temp\a0695d188c1aa4bf82891b792b66c56dae18478bba0374adafb96794c1a0a169N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\Ofqpqo32.exe
  C:\Windows\system32\Ofqpqo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\SysWOW64\Olkhmi32.exe
    C:\Windows\system32\Olkhmi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\Ocdqjceo.exe
      C:\Windows\system32\Ocdqjceo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1052
    - - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
      - C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:184
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1256
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        67⤵
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 396
        82⤵
        Program crash
        
        PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3092 -ip 3092
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
80KB

MD5
0cc911c071dc09e12dbe776955d80fd7

SHA1
58676eb1dffb5059c067161f242f1cba707bc32b

SHA256
5b0da03679df558d0e99e51df9d34cb336c22e1db4d0a751d845cfa2c9292ebb

SHA512
e922105f384db28a78f86531ad6d0477c95d1799a8dcc0845ca0a02bd9fcd1055a455db52b61c6befa1752b843876bdebf0588993cbf2ff2789c97f17ad665ff

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
80KB

MD5
8feca5f2e80c3cbb2defd834a439df48

SHA1
9a8e81d6f00aa91606c3158fbd8933aa768c23ae

SHA256
a22277a38f1d3d785105b32b25192f92836fb4f9b7a24fee624be67296beb2a7

SHA512
282b5438fa840441a9510f1274eb6a0c2fff605d58a4564d652a193364217390c8cdc46225321daa17ab24a401e950012afdfb9b3f558b55dc4d13c680fb116d

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
80KB

MD5
316dea4ec60249780d88dd42a18444c5

SHA1
fc57710359f46bd608826e7713abf988c43bf350

SHA256
59f09946ef31e8ff7602e5c8ec24374fdc8394ebeea89b9d022195f7e9dfa95d

SHA512
1722f7f9314f3924a684f2db0c03b0ebb522d96ffda244103decf0605913fc064d1430cee14a45f230f4095839a1aca25edfe70af52bf433f359106628ada693

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
80KB

MD5
36ed5ae7d0f721dff3c86da31d5a9672

SHA1
17035e36fb530bbd099f0cf72eb6b5970d7fed64

SHA256
d7164fe269af2922bbbd5f8f1d9d532a5fa947c9e74a3d3271b421638a4a7d40

SHA512
275ddd98c8ef5420acb5ba4fc3fabd5eb27324db90c5c7f147e245d93aaabea6052cdef8b784eece9a077136e33a0a070c3d877995225c01b19af004f4b8b495

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
80KB

MD5
9a47a4dd59f266e9757a4e56c4d6f820

SHA1
0adfabb759589c18f3208c28bd8fa445b22b58c9

SHA256
8312ccb2f97793c2feaa8751c2a452f844b1c449fb01910a9dbfd6435007cef5

SHA512
baa2f345c0b8e958dbd585363037afd975694c61638afceee829c3b0f5de6b5d1ae85e03a9cb883dbce5fb2f3c7ed21f4150e8655a5dea9bf71a6c4b6f15b70d

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
80KB

MD5
147a9cedc7e3a9a06c4c8452106cb805

SHA1
8cfcf1c872d8bb76805f913bfbf6aa4e84293e3d

SHA256
ae173280ead581fdb89107898e8d5475cfa768f26e0cbd5d5d2281b33c0d4d25

SHA512
cbf04544da20c19d527bc73920de355dce0b8662087be96da0d05b3608ec1eb4909b1ca2c234f878ee1e2895e215e0d4f46de52dee619c5a65d8d759421ca065

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
80KB

MD5
a4681b7cddd0956df53259dcc5ecba3d

SHA1
445ee35092ad10daf9c8afa5e005b3e594487e86

SHA256
0a3883593283c994c2d24d51652d6f468481ced461751a6c1ad03df68d8d6c58

SHA512
5a00e3e4e77d21549b822fb5f78dc1a57d9db524d04ee63a20268326f218b99750ede8b284bfa563dc81c8b4300a720b5611b230bb3e4c04bb7bb75a88af98bd

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
80KB

MD5
2368af8523a9ed35d134b31459997a7a

SHA1
5ba1db0bf8262ed5c9143b383cf826c10a0eb961

SHA256
e65d1dc421ea0ffe1598c6292a67f2976a39ea8aa2bff7ddd2dd1b0e97e62037

SHA512
c0f356cee153489f83eb60496fdfdc093836a04e3da9bb88a7a2c2ef50d3fa925ad066cc58bd196a56dd2a0de7cd54bdebb6e5b30a28e075968584f471dcbefc

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
80KB

MD5
2629c583c2f8f7e4d8e8dd726ac11572

SHA1
b7297b9c9da9a9c1d353cefba2ac8b9b2dd9d49e

SHA256
4d6dfa2db4d4915e93daf621aaba323f725d5b691e24adb22fd6b2003681bc23

SHA512
407bdf0ff273b01bec4e584f371cb30786726b22cbb41cc2d11d0f7b356e3d4b629bb2d1d54e8108cf0ade428a587abc9e01c54333bdd3450a0a21d69fd93c76

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
80KB

MD5
4fb349f4b52da4ac3f0d11dee38a0db9

SHA1
940f593d650b0a8885d57787d2d54a365dbdf5ea

SHA256
6c644a127bd70821c20318e47463b3b68a010d4877cb24d4780f5c79ae594dad

SHA512
324c5ee16a513f42acd47e0958f0165ae84f62beecbc2af2338850757e523b867fefe7d4d4ebb12c432de94a663b99522ea694930c023e3ad576880f23e112a3

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
80KB

MD5
f8d7d4b0028f478ac3f5069d44b1575e

SHA1
1466d7cbcf74984f764d28eb4b2d9644b5071325

SHA256
1a7bcebc99f35916ce02375a25e23c3419192e26b38149da13be730210532f5c

SHA512
f5b121c1e0396165b5e2e1de4e6a96082fe2260247f757c6c195d392aaf812f0a60b5ee669f961b4d1eed43d051871b8d7c80b191e05e39e0f8ee9e93b9400d5

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
80KB

MD5
d67e26e57caf2b85f6af7785d186aa0b

SHA1
672aa9d46f0b2ddc1a2f39f6f0b6cfb49d6d8cae

SHA256
31d40686bdeef43997894d96d4fe12cf8b670d26fc44e8371e890446a05bdf75

SHA512
53f5dd667edb909d9abd79dba333e49ffbc4f47759337121e07f7971fd7a4d85d472378dd529170ee52a8efe59feb1e6f9134745939e57dd02949717599964df

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
80KB

MD5
5132174da5d7dfdc3e3c188a5922395e

SHA1
99aba03207a97594ab4058c55fc45575a8d06da6

SHA256
d05cbde9c5d02557e10275c2d7630a1a6c005abc921ddea64ca7fef5cd84a489

SHA512
77eab5e5920d3404a12fcd0d7cd2cf8107638fce04629064ef6d3f27ca8dfad34e45508dd53e86f9823abc0de2277d43c65a9f959c8d9df00dc07836568662ac

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
80KB

MD5
e8c98dba4f4ce5388d19fc93288bc386

SHA1
11f12656aeea7ac7fb99ac89c8ae7ea379dcb67d

SHA256
9e22d22888bb70e0642d71e4c514369881ac8b2ae6f2e53950d54a585683aef7

SHA512
e8a63373d46f566ae9db7062faf4ce863e35b676a24e3fc24ca2d34526982bf4a1959eddf3ef8b01b5c9c8e03e6e41071f0ed93cbf7039739344afec9e94ce10

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
fd7e9c12ecbc177fb49741bedac1e49e

SHA1
4655c7c6dda0cdf5bb41a539022086dbe2dbb1d8

SHA256
2751dfd14fb615159a54352649a99089bead9d56ea203602b8670124474a56b7

SHA512
8e32c8ad4b4b8bdd2b035b30133a14dc1635307a220256d84aab366fd7c6d1860accdb100464c28d5f112d964c9601be0088cc6b547adedde45b4f040e1c6e0c

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
80KB

MD5
d00aa8e61f09c3823469c1e7f90cdbb2

SHA1
5b052e8757e018f7a31a340db5c7f55ded0e2a17

SHA256
51d385353a677ce6356c381736cfcd3449b9245cae1941cf23c9fcdd392b349a

SHA512
e1190af06ed0378110b0cabbda8d514baea8bc7d18bb77014768ebe1ec4514a2151df3d48d17da2a817cd3699cb4504aa09887fdc09a5f46b9903e59e1fffb67

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
80KB

MD5
724ae73eb675281efe1c576d37d2f74e

SHA1
3d43cd1d45545e62ec436994f6b8438fbf4c9fb9

SHA256
c7a510eff3f6038c51f818cf67b4c21f247214f4f8b8bc68448439ab2899f08f

SHA512
66351acb533becb19432c56c4a97bb32d8f18b22aa8d3a6150e358a28aacdf2811b483cecc75cce89399b9a15fd7d866cc2bb022cd1110c4eb5008d0d4af7fcc

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
80KB

MD5
8536f51b3b8c45c77590b1ab5241e5aa

SHA1
7ddcbc858efa5dc0d5b26499cf9bb6641688cf32

SHA256
1f1ce07a7f438e718d7eceae15a598158ad6b92621d14f9f3b45d852f1f7d442

SHA512
a4ec00713fce186cacb9c0d00dc85d50777b95011e8091056eda677586b02197479dc0f4698a66d7bb03ae33acc4e56748edc4e659dbb50234123298bd83849c

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
80KB

MD5
734d4447f4e83180f298a40732ce562f

SHA1
d1b4a063c523d01d06dbd1da88df0e712c475af7

SHA256
a44b1a5883867d40a8de1a6336b6421bd657e4b22bd4bae58969ca0c46431b93

SHA512
217897975331b05fc5bbacee7b8d05ab1d09b6ae8d0ca556c467272f0d5b04719a4258b30df73cc506c2f2749b88a81504138b28b284d1ed0edcc554aadf395a

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
80KB

MD5
5f2c95a625c2a01d0f0fe69ca7c93a34

SHA1
902cc225df49624dc6111b8b07927a1786eabb0a

SHA256
56959ff379ef0dec6a96b20d9a21a675e47f0493a674ffb4e5a9c14cc0fe0cc1

SHA512
7eef9ea21dca56979d3fdab39d985faf89286a47f95a33dcbe558ed3e6ac6eb49396f0ce405ad2ae48a837f074e30b4f68dde0e1c59df88a47602e84502360d8

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
80KB

MD5
e2a407b5155e4b4c97681559449cb146

SHA1
868f2279c895364e7754ed0d27ada33e91352bb7

SHA256
10daa5ea6f8669c2d53042ab42d1326575fd91fcd9582440d2f9e52f010743ab

SHA512
c9eb0c90e358462abfefb4cc4a2b40fd9a238194b793bdd0628272a8e0b0eb7c127ee7cf6315db791fe0500f3fc899b17752f6b9afb1c88f8e4e942be57a24a5

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
80KB

MD5
0dcf861a96fdcdc029ee5b84b99f97b1

SHA1
05e7deda77225053ffb7c8f58e84b8287088428e

SHA256
28286efa675c59370e6fc8f3fc0984eda9a4ddb435a1a4e94904414b9ea11a32

SHA512
f38fd6296143c0b711e45b044c64afdc9433a5a179e7f9cf8fc424bd24c27ec9856b2328a797c5ed600400205cbf56f433a485eaba9179aef879719c41a16e6d

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
80KB

MD5
1bce3a83781d739521d2d44176f50785

SHA1
d4e26f2208b1c90e1296c79ea149efe6106abbb8

SHA256
fb195501409e52af86b9acdb2d5c6651d00fe4c2b3ef8c92cb5de645237caeeb

SHA512
0fe0031f82bbff26ab739a072d2fdde644b3ba9aa1a17006e7f80bb3a98858775a72909368bda216f1093c32b4659c6d1353e2edc77b4d648698d78bb470d2b1

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
80KB

MD5
bfdc3b0d43ef18def84f8357a902d4e0

SHA1
77f5b59823b986250d76d33ed916481ac12c16ca

SHA256
ce603b602eac909bec1fec191804ce502a1b70aca533e4a4279bc631d330fe2d

SHA512
233bffefe411c11a57cdb7dfe158b050323234dcddf7eac3bd0500e9244b8eab431e6dbc14df07ced23ec19bca6e702fcc9be6da7726f05cdcc5a2f301744909

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
80KB

MD5
48f33dd71371fa451a966249732c5be3

SHA1
f638ecc626264aaa94763ee89c023d5c84857627

SHA256
02172a69aa4f3a73c183914cf3a8634bc23afac7f88f5b19eec0770df24a71fc

SHA512
cc4f44943f7283ee3444834c21e93cfa18110db38bfbce08a0a682ced604cbd4383fa5be1b58d2f9e7fd4c3e3a354f6df1bea0bbe0400f4410349251a5d82626

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
80KB

MD5
f18a6d7990d79d261591b58f44742eba

SHA1
96ff74974c2985a9e806a9521fc7446383c2b8a7

SHA256
a03155a60e0e5579b923e1fc3b5c7090e8c2ac305aec614bb18c381b2ad80487

SHA512
8b91af0c1158f7f1fd03f8f72c7eeb2a39d70f572152c90f6a188a45a0bd9a8db050eb785177e869c6842cb2e5b8b0e5ff1a134a03b8f4fe999627741fefdf6b

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
80KB

MD5
0bba08f2633f78ed3c89d43dd7afd7c1

SHA1
a72169c01abe48b4069f7c1705d18246d726b1dc

SHA256
4774ed208bd3252018cd89a22c69d67c93ff8895d3c562ea9327063ffa069fad

SHA512
2a8771a9847a5d0618278c05d14ce8f6366426d4361795c5e0394280c8b21da8bd7e6b0594b9ff8b9e98aab823b77a52456888ef3f6a436a125d4a4a30d27463

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
80KB

MD5
1487c08e581f5d6d796cde6837b4ab5f

SHA1
3dd9391f09f6aff8091143b8d66849b36b87c9c0

SHA256
96fae1ad6b6eab14e1bfe0ca9d317903677b235d139a0691e6cbaa58cda29c56

SHA512
08792ddf85e65c5629ce4f5c1fb59bd9ddf33186efc0eee4a220fde4327d3413d8a59cb210ebea28a69bdc9becfd0b4f25e993e0a5f7af2c481eade8bc6d61a7

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
80KB

MD5
55b800c270a89f427e9742fcea4cf9c9

SHA1
a34ee89eea3b5cb57a14764e62adebf5109b46be

SHA256
58858106a45ce76ed9951f0a49c36256e1498de99487abc81ca261454715c090

SHA512
c0983cf0b259c1864d1e930d08960359d98bc61ab0856197a1b480cafa23231846fb67a6f9bc675871b8d9dfb1ecd727d393d0599f58e33fc200cfa4c4573a24

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
80KB

MD5
e3a5913261324505aff1b49c8b7da5cd

SHA1
ca76774579938e77c59829e8c963c17f92cf2f5e

SHA256
588f878594f25e7c6494d0295e0f4d1c9d65e8f9f47cf4db3c595d2d40d44505

SHA512
ba293160f6ab50c484c33d1a3482bb028d8187b0b01cd4d3eb815e38e2c333442372fd2d22b291a6f914b3325bdac5bc8ef64554bf20595865ba13863e31ab67

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
80KB

MD5
222b51ff3c841f02b13e271340d030ae

SHA1
232525ccabf3a7b5770e0ce44a2c66db4ccedde1

SHA256
003abb7a18c9ea64ab60e1b7853d422e1cd68a0ed9463bfd7fa0cec735e7777f

SHA512
5767ff749420606ef9f3c3acfe80b8afe034f4c0f0a6d310d388a127d67c35fb24d8a2f7d8441dc8a22c65824f1f20f99b0001fa15201b7844c4209fd715f246

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
80KB

MD5
6caa96b552629fcf9493f78b8de73352

SHA1
47143fbaa8f490841603df6b53d2fa11d5606ec3

SHA256
8abd12eba7f01fd2ee7aa5e3357227d680917a48784463a60898a669ddb3dda8

SHA512
24eeab87cd22c7b48a7b022497829f27c12775ae6e03fdd60d9da8ead65df6e547133574fad11a7a70a251f80d36cbf62de18c65c14183afefbfd7e1a3542b09

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
80KB

MD5
2b70b13851fb17fc810f4be0399049b9

SHA1
557fde71fabb4b5442780a29ebb78ccf1ae10bc4

SHA256
ebe1915b30ad009e3f6c09c5d7f55ed53e70f2ec1666c35330d5d6fd48d1e6f1

SHA512
0c1e5095d3a771688e3e7f92426b0f3cc7bcce80d130ed8786abb3203ce2360dfdf61cae4f570bb78d171a0166f69971d6e81278cbf43365b6856feee2a0e081

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
80KB

MD5
03cfe98322481c071db0bcc3fffa6a98

SHA1
e1f65032d4a9cedcca76a47efbe8e0e0f2ac70ed

SHA256
d9f9a997a1389b39d80451f3731a9601ab4ce8813322793438c20925bdefd72c

SHA512
12ec23bf618bada201cf56b74990f26e1783ab7331c225013019f74dffdc9e840a8e868d3d0b672b39b7f976e2fc9f26e6c4fcd6d786243f81ad8965d029cb3a

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
80KB

MD5
209e5254a7b85e199e920e08e361fbb7

SHA1
d978dc05a358e6ef2eaf2496c7aaef3cab5b2771

SHA256
491999ced8877302cfdab8de6fcd5fc2ec715b968f13131ad4ef9896cec0d1f6

SHA512
871668e230d7815e92188cc50689986ca550041da50f81ed2123f048bfa10d9017946c9324aa40f3becbf47123e8e8007563975f4b786d26fe5089c226e698df

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
80KB

MD5
b916d5c455cba0a8967151d86a7bce1f

SHA1
792c667c97110fa371b956f8f2454d6f4d55c25e

SHA256
2570d49e285e44751866f36840feab004dfcee4c371989ef82e5752aa6a1ec0f

SHA512
fa45ff470dae693cc27a431da5f9bfa9b4e61748c215e09dad5ca0c76da3dc921d81aee94a61384842d24f723a5d43599d88bba73c95a917eb4504b5726d28b7

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
80KB

MD5
882577e9c06497390c482f4a74437adf

SHA1
4b01f6d5ecbbec0373d45c4bf6dd0e25d82382f1

SHA256
35b3f80a96521f7ec417efda09888d8b639ec3078bb35ba6782cbcb1dc5e60eb

SHA512
399b7566747d87cb586294275f837ec59e93a87986de3fd84f417ced397e81e8d206531051ec3c2a04f5d06a9a370187c8a827504855652d145c26045b1b3a56

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
80KB

MD5
773eeeefe057273b8392af03eab9a6c1

SHA1
3d8b594c4c5e4d9a334e342861b6be578d42fff2

SHA256
4a9e2487b90b07e43d12858b56241f66560b6cc519f6ecccb2af26c6572bcd9b

SHA512
b37d9736b8454c1693f4a12f0e8301b91385324e8145d9ba1878ebd688a1f9713599ced08bc0eb71aebf11395e6dd648a393c525f8175ebceb7a88942fe783d6

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
80KB

MD5
ad918ba0d788f52717e64680b4e2bd80

SHA1
27ed9b7f0826daa95693c522eac54e7f74b3fd6b

SHA256
0f7db3341ed353e1c11717d81e01b844085927110af475e019885df30b386593

SHA512
919c999d8fa99d3747f2d96eecddd7319729708e853bb92bed5aaa99a2811ff63b41399cfc74bf1c70e7c6b250c1b041187eb2c0c62606ee41a71294b0af8be3

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
80KB

MD5
9c3daa2a8e724a0228b1c95e74dc16b4

SHA1
3bbe918a3e87a90eae9d0c2eb142d9edfedacb6b

SHA256
677bd97a1861d4968345a484bcf3ff1b304596fe2435628dd20643653faef1bc

SHA512
9d7a9f29d8e08e70e30469b211eafdea2878840737fcaf44f4fdc3b0cd388ad4c9e2b38b5725128df62a0e510f981b2e861d70049ae60a2849c298070666cb1d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
80KB

MD5
a8a38646134c3d7ae3e2710827945c13

SHA1
08a4a927d1921ad60db832e635eae30810f5b5c9

SHA256
db9c98851f200c3a618cde25ad6ff973b75032ab0bf3ee6b6d3eea786309a31a

SHA512
bc1e7ec627490f42d4e10384f5892e12c7c56857cc744f4cbff7bf65a8b0cd1c40ee2979d99633f7c10de74504f308e9930a97817b0a2f2ca8e95d3d434a1111

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
80KB

MD5
b83e90a90d35fb57a7b158c3b72bf7b1

SHA1
4def63364108eb89585d012c344081cc148bcfa7

SHA256
6df39fd3324163f2a5a008b947d7b123923935769158d9846c25dcae7ea134d9

SHA512
84c3f277c930fb82214cfa1f261576b8823120334248c65886f789bee443df3235404800c931fdaa98f66932f6610ce4897ff2c32eaabed7ad7900293f3d935e

Download Submit
memory/184-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/464-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/524-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/700-556-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/716-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/796-521-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/796-552-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/856-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1224-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1256-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1260-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1888-246-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-558-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-549-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2096-540-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2180-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2244-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2492-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2504-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-553-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2856-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2960-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-546-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-548-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3268-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-547-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3360-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3512-554-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-557-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4076-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4124-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4144-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4212-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4212-539-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4344-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-533-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4432-550-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4584-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4768-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4792-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4816-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-527-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-551-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4888-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4920-559-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4928-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-555-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5056-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads