berbew | 89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe
Size

55KB
MD5

c46e69751841045acfdfdcb80709cff0
SHA1

d6d37a802e858b6ffb28779475eb778381183e69
SHA256

89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814
SHA512

93c81b6579591765c0818f76626d3f05ccc6886b4bd4e34bff570a3bfc7852e1e4014fe1b865a84f5c060026bae9106b813a1dfebfda7e7a8e221ffee17e872b
SSDEEP

768:fzckpCxvAOjGtwGcem1WQlX/Z6SSR7fa+sZ34MyzWPJZ/1H5+Xdnh:WR6tE3llxoaryzSa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnneknob.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgefeajb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
2440	Ndcdmikd.exe
1912	Neeqea32.exe
916	Njqmepik.exe
1432	Ncianepl.exe
3192	Nnneknob.exe
4264	Nggjdc32.exe
1116	Nnqbanmo.exe
4064	Odkjng32.exe
3168	Ogifjcdp.exe
1200	Oncofm32.exe
2068	Olfobjbg.exe
3748	Ocpgod32.exe
3020	Ojjolnaq.exe
368	Opdghh32.exe
4244	Ocbddc32.exe
536	Ojllan32.exe
2484	Olkhmi32.exe
4260	Ogpmjb32.exe
3756	Onjegled.exe
772	Ocgmpccl.exe
1676	Ofeilobp.exe
1920	Pnlaml32.exe
2320	Pdfjifjo.exe
4280	Pgefeajb.exe
2888	Pmannhhj.exe
1464	Pdifoehl.exe
632	Pjeoglgc.exe
232	Pmdkch32.exe
4424	Pqbdjfln.exe
4340	Pgllfp32.exe
3004	Pfaigm32.exe
724	Qgqeappe.exe
4680	Qnjnnj32.exe
4308	Qqijje32.exe
3252	Qgcbgo32.exe
2996	Anmjcieo.exe
3524	Adgbpc32.exe
432	Ageolo32.exe
2000	Anogiicl.exe
1404	Ambgef32.exe
4040	Agglboim.exe
224	Ajfhnjhq.exe
1164	Aqppkd32.exe
4752	Acnlgp32.exe
4796	Andqdh32.exe
1968	Aabmqd32.exe
2764	Acqimo32.exe
4868	Aminee32.exe
1228	Accfbokl.exe
1316	Bmkjkd32.exe
1492	Bebblb32.exe
1284	Bganhm32.exe
2604	Baicac32.exe
1052	Bchomn32.exe
3740	Bnmcjg32.exe
2896	Balpgb32.exe
4484	Bgehcmmm.exe
1960	Bmbplc32.exe
2040	Beihma32.exe
740	Bjfaeh32.exe
5056	Bnbmefbg.exe
3276	Belebq32.exe
4232	Cndikf32.exe
2856	Cenahpha.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	Opdghh32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pmannhhj.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pgllfp32.exe
File created	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Njqmepik.exe
File created	C:\Windows\SysWOW64\Nnqbanmo.exe	Nggjdc32.exe
File opened for modification	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Kjpgii32.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Goaojagc.dll	89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe
File created	C:\Windows\SysWOW64\Njqmepik.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Gnpllc32.dll	Nggjdc32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pmdkch32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Nggjdc32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nnqbanmo.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Pdifoehl.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File opened for modification	C:\Windows\SysWOW64\Opdghh32.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Chmhoe32.dll	Ojjolnaq.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Ogpmjb32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	4696	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njqmepik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nggjdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfofiig.dll"	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njqmepik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2440	2668	89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe	82
PID 2668 wrote to memory of 2440	2668	89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe	82
PID 2668 wrote to memory of 2440	2668	89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe	82
PID 2440 wrote to memory of 1912	2440	Ndcdmikd.exe	83
PID 2440 wrote to memory of 1912	2440	Ndcdmikd.exe	83
PID 2440 wrote to memory of 1912	2440	Ndcdmikd.exe	83
PID 1912 wrote to memory of 916	1912	Neeqea32.exe	84
PID 1912 wrote to memory of 916	1912	Neeqea32.exe	84
PID 1912 wrote to memory of 916	1912	Neeqea32.exe	84
PID 916 wrote to memory of 1432	916	Njqmepik.exe	85
PID 916 wrote to memory of 1432	916	Njqmepik.exe	85
PID 916 wrote to memory of 1432	916	Njqmepik.exe	85
PID 1432 wrote to memory of 3192	1432	Ncianepl.exe	86
PID 1432 wrote to memory of 3192	1432	Ncianepl.exe	86
PID 1432 wrote to memory of 3192	1432	Ncianepl.exe	86
PID 3192 wrote to memory of 4264	3192	Nnneknob.exe	87
PID 3192 wrote to memory of 4264	3192	Nnneknob.exe	87
PID 3192 wrote to memory of 4264	3192	Nnneknob.exe	87
PID 4264 wrote to memory of 1116	4264	Nggjdc32.exe	88
PID 4264 wrote to memory of 1116	4264	Nggjdc32.exe	88
PID 4264 wrote to memory of 1116	4264	Nggjdc32.exe	88
PID 1116 wrote to memory of 4064	1116	Nnqbanmo.exe	89
PID 1116 wrote to memory of 4064	1116	Nnqbanmo.exe	89
PID 1116 wrote to memory of 4064	1116	Nnqbanmo.exe	89
PID 4064 wrote to memory of 3168	4064	Odkjng32.exe	90
PID 4064 wrote to memory of 3168	4064	Odkjng32.exe	90
PID 4064 wrote to memory of 3168	4064	Odkjng32.exe	90
PID 3168 wrote to memory of 1200	3168	Ogifjcdp.exe	91
PID 3168 wrote to memory of 1200	3168	Ogifjcdp.exe	91
PID 3168 wrote to memory of 1200	3168	Ogifjcdp.exe	91
PID 1200 wrote to memory of 2068	1200	Oncofm32.exe	92
PID 1200 wrote to memory of 2068	1200	Oncofm32.exe	92
PID 1200 wrote to memory of 2068	1200	Oncofm32.exe	92
PID 2068 wrote to memory of 3748	2068	Olfobjbg.exe	93
PID 2068 wrote to memory of 3748	2068	Olfobjbg.exe	93
PID 2068 wrote to memory of 3748	2068	Olfobjbg.exe	93
PID 3748 wrote to memory of 3020	3748	Ocpgod32.exe	94
PID 3748 wrote to memory of 3020	3748	Ocpgod32.exe	94
PID 3748 wrote to memory of 3020	3748	Ocpgod32.exe	94
PID 3020 wrote to memory of 368	3020	Ojjolnaq.exe	95
PID 3020 wrote to memory of 368	3020	Ojjolnaq.exe	95
PID 3020 wrote to memory of 368	3020	Ojjolnaq.exe	95
PID 368 wrote to memory of 4244	368	Opdghh32.exe	96
PID 368 wrote to memory of 4244	368	Opdghh32.exe	96
PID 368 wrote to memory of 4244	368	Opdghh32.exe	96
PID 4244 wrote to memory of 536	4244	Ocbddc32.exe	97
PID 4244 wrote to memory of 536	4244	Ocbddc32.exe	97
PID 4244 wrote to memory of 536	4244	Ocbddc32.exe	97
PID 536 wrote to memory of 2484	536	Ojllan32.exe	98
PID 536 wrote to memory of 2484	536	Ojllan32.exe	98
PID 536 wrote to memory of 2484	536	Ojllan32.exe	98
PID 2484 wrote to memory of 4260	2484	Olkhmi32.exe	99
PID 2484 wrote to memory of 4260	2484	Olkhmi32.exe	99
PID 2484 wrote to memory of 4260	2484	Olkhmi32.exe	99
PID 4260 wrote to memory of 3756	4260	Ogpmjb32.exe	100
PID 4260 wrote to memory of 3756	4260	Ogpmjb32.exe	100
PID 4260 wrote to memory of 3756	4260	Ogpmjb32.exe	100
PID 3756 wrote to memory of 772	3756	Onjegled.exe	101
PID 3756 wrote to memory of 772	3756	Onjegled.exe	101
PID 3756 wrote to memory of 772	3756	Onjegled.exe	101
PID 772 wrote to memory of 1676	772	Ocgmpccl.exe	102
PID 772 wrote to memory of 1676	772	Ocgmpccl.exe	102
PID 772 wrote to memory of 1676	772	Ocgmpccl.exe	102
PID 1676 wrote to memory of 1920	1676	Ofeilobp.exe	103

C:\Users\Admin\AppData\Local\Temp\89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe
"C:\Users\Admin\AppData\Local\Temp\89a2e42337ff9a839c8057a2747cdd8f9791217a2c54c1d3cbbc28f94d93a814N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Ndcdmikd.exe
  C:\Windows\system32\Ndcdmikd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Neeqea32.exe
    C:\Windows\system32\Neeqea32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Njqmepik.exe
      C:\Windows\system32\Njqmepik.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Nggjdc32.exe
        
        C:\Windows\system32\Nggjdc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Nnqbanmo.exe
        
        C:\Windows\system32\Nnqbanmo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Oncofm32.exe
        
        C:\Windows\system32\Oncofm32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4280
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3252
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        49⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        63⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        64⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        69⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        76⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        77⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        85⤵
        Modifies registry class
        
        PID:4428
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5020
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 220
        91⤵
        Program crash
        
        PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4696 -ip 4696
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
55KB

MD5
2a24a14fe9db1a131ebb1bf10c7bfb26

SHA1
26424f0288dd1bf69f975e78814728551c9b336a

SHA256
82e36d6703844addc6a6573957fad4c9b223b0fb0bc8ba504967ce1c798e04c5

SHA512
b644d75d09fc50a7ebf2ccda4c2e29ad88f9ea41c8fe3306512de9bd16d3b3ead512c090f6dbbff00d8490fcfce1a71fcd5ab992f55c111ebc59dca4571abb72

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
55KB

MD5
3e8fa082cf2c995944662e08137dc1d9

SHA1
7b272c730b6448d89c29d7e5c12d067778e13479

SHA256
4550c67fc6340309f799ae8c955b1544cecc8dbd7ff4ad5903a4be3daa09057d

SHA512
f2c101991153530ac59c044fb1415b0b7890324c98d242824e1d115d98ea7e71d8eba4a8c3d4423074a8b04f92a2166d7ca499feb61b4fc448bb7106b3942b8d

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
55KB

MD5
b506d20ba2ca03fc34c69b1f73e18024

SHA1
1a1ed91fb12eb9bd279373c2321ff3885b54425a

SHA256
f131cbac89662d9a85c6c26418aa97c90ddc68ed013e50053d7838c32abee1be

SHA512
1a4c8c6e0cc88a2548a169307723bc6341be1fb847dcbf2fac6d9325b263153fe33cc10758188762da681e57bef74a34704b48b316f6fcf597f7038708a486e2

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
55KB

MD5
67f00037ce81931f1c4380aca5d3d216

SHA1
a6a3ef22fa95734ce929e4072ade54d6ad5a5e5e

SHA256
d5be3b96be5df14702d54a8c09a3687d70180b7bb80db7b1452f8a69c10239a2

SHA512
f83228e555f634201b0c3074d6be548bfce198c27de0ebace3a9c1307b92dbfec0dc73b718e1f2d9daa740f753ca9b1168c7aa1fdb997d86e8fafa7f63579711

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
55KB

MD5
0e8befe8ca985df04312b67ac6a07b3f

SHA1
a85472f43f331191ab845e20f2ddfc1a4d93424a

SHA256
cefe0f28b6ab3dcea166182a66f9848583dd178f5ace3a3f1221d3dd71a30385

SHA512
8e6043f1f11e6c44f09dae3f615039cd7bc700352908190655d2375c8cf031a8ee9732238b4c8d39e138bdbd70dcbb6429d752a403c70c60a61968a9452f5ce2

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
da8c190e14462b00dcd147506fd066d0

SHA1
125e2a31df7beb76b95fceafc83f32caea1ef7fb

SHA256
a6d4a5c5f0071c37e42e27eb0335811db08e5a39a8f6cef445bde8afbd979954

SHA512
0921418d8999bb42fef8948ddc0d754bfa854d0303643faaae25d0bb77e4565adf28bc99286fbd83dd1e265ea8fbd402c1c386a8e1c620ccc2c70841c28dac63

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
55KB

MD5
1b9c99c032a860eb85fa668afdabdf91

SHA1
1f8f052b06e86c641b0d2a2da2a99e6ad4a557fe

SHA256
c810e2d6614d64e6fe20a32ddc08bd36e6c3501f4909e262601b5cc96917f83e

SHA512
fb7693c1ff53f3c10c2bf8e01867d1639a8996ac6fe96f81de4dde024097ee8a0dbab9422ec1db37b4733ef6134928e11788a06f959cb1b007d3e7f19e694b93

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
55KB

MD5
21a6fc12c4409441d3109c47fcc363f7

SHA1
b1bf6049b8f927f1a02aa27e7fea4e06d292858f

SHA256
0b64d0b6b8be64b15ae29faedda63966d21d005df1fe99bc236a7de3cda10317

SHA512
a2875468fec46c0640a3d337a29266767065d51d0ac172f0a9850b5836d2a18f7f25fe659878edf9ce5be3f6918da339f5572fe6cc0d18f558e2dc77590e611f

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
55KB

MD5
e7f795651ee04d78714d7053749dc35c

SHA1
bd6061e9ff40cb6be548508d18988c993d4d4d1b

SHA256
659971edd218288f3d0191bae34649de3d0eea27393c9f1a6721cfa8f89c4d23

SHA512
c87c2f6cd280a68a687ea33cb9d816ecca80d2d783c9e08b3d0e9db210cf48aef3ee75fc1e6c52577bdac75dc53733fa40a2a09e910d497d17c8fcdb742ebf01

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
55KB

MD5
60c41d89e1788cfca2bdbd2f82f6a32f

SHA1
19b3346dad73a953cd65ae4a14cc44c0535b4c6a

SHA256
0e47196f858033b17b6151e5d78799c78bc3ddeec3705e26d12caccfc32c0d55

SHA512
ee0624af003fe85a7d1204af2686d8f7d28ded77d9051614c955b09c4bac9323befaf30ebd44f7ab75e12cdf46ad4bf395c16bbf180d620490073d00a63f1246

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
55KB

MD5
d72a2823c8c239f788ffefad1c608dd5

SHA1
4db0e750e9358c89ea5a84ccaf656fad28d060e6

SHA256
8d616cf1ce536ed9ca8df9961a23f31c22c591e6ef99ccf9c2884ea5c1abef73

SHA512
59f019a8ae9c471fa5ee0232105e77e526f84e9db2581f8878997663276b5348f9cb8c5a5ed44b758ef1a9b291027a560866d1b977193f551b830f4a511e5124

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
55KB

MD5
49400ba9ddc92f0b4331fd7ae36db889

SHA1
db98f93197af866796c456315a1716e8d33caaa3

SHA256
353029df068e92c25076988513d918923facefc8d575f25b2440b56df516f945

SHA512
06c35a92200f15929d4f0422d381c760fecdb57076e7b92e4f3f8780da08d9ca7d60e1703e74c6aff82bad354da317a1ebe0ec81afd5c8d5575c236f55d08bad

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
55KB

MD5
f4aa3ea39823591156d7a821d64afc56

SHA1
79c4b241df228d55ca094de91339b8bfa42dae5d

SHA256
7b7d95df5d8b41be21ade31dcafa2faa2f50e849a0c00991d5d92eeeb0a5d1fc

SHA512
eefd2b47cb36cb2681d2059de3e8ce17d0fd56b48aea66fda86053922576931beae6ce0d06e7b22d0f9d6f45b8ef8d517a061ed65c6b93f33b92167abf168923

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
55KB

MD5
1bc580e9fe3f6dae237936ddb3f1cb85

SHA1
23392e195b3c1055e5fd21a18e55fe63a29a0abe

SHA256
e3e1f6754998415ccc39a68a713980cf389f2ea9f0d75d3ad36a4d1e33ee64cf

SHA512
f5ea983e5344992e0b1076b6f0ff2f63f13bb1edbd992a51a37d76cb1ab8e3b0dc87f029cb8ca64f6a9dd262bcb244b7f8d8d1deb29d3cefebc761b21f26f5bd

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
55KB

MD5
43c8b8163d70574cb2d2d21035f0fed5

SHA1
08992d954914f02ba28e9c4339769e97dc11344a

SHA256
0137ed18d09a2bfbb17f77e4cda2aa6d279798dd03f3b7b2a8b8985c5ff5aad6

SHA512
ca39bab4493e9687e02a80d0d9f1e3784bb27e59c2d41ae38038f4eb5295a3bca796475bf3a9e02e01470c9808e2ce7c7d95bbc0ef252ab1747ab07a9eac3e4e

Download Submit
C:\Windows\SysWOW64\Nggjdc32.exe

Filesize
55KB

MD5
4d6c4a8fa3c691500f40cbb859daa78a

SHA1
444ad6241e2c7fa98a47a0e9a0bb5ec8725834f1

SHA256
3a56deb772507b2b51f4a0f5d731672d76ef9d9456a784ebab1c7b4c507be8ce

SHA512
cb281d8e78eaa372ac0cb865dbfde313bd9d8cf01cc6def40ae248126cbf94c8095a606d73d23e714d3d8d060d85a330b984e45e5fc937d0a748767257ee5d6a

Download Submit
C:\Windows\SysWOW64\Njqmepik.exe

Filesize
55KB

MD5
ddbd97a138fe9736c37330a7f428d1e1

SHA1
87640faa2873df9568099592c7313f90695044de

SHA256
a5428802213db7afd96cf894a012b93cd90bf2d35b1325999303b80c89adc7e0

SHA512
94048e8d1948a08cd02c4ab1b4efdacab5165140e803b99c07e933150065713a8f691a98f3af7d1501f91f0bbc8add0bae1888f23eb4e81e924bf44cdefc4d13

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
55KB

MD5
7026d71fbebfacd1b1b4f040090e58d5

SHA1
ff62105d8a829d327b5cef2691364ff673dc53b2

SHA256
d10efaa25a51380bf9d9cdc39beae54b2aa6420fd9c1a147db0ee684faeac30a

SHA512
bc191a166dd6aef234d685cf1a505aeef13ac41cb3a1ed224b9933fcc26a606bbf1c21de5c2f439618b4f2c37206c27729fd8bc8f17e14d6b19ac7f60bb80e6f

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
55KB

MD5
05bcfe65476d8d0210c530e82dcb8986

SHA1
0a3c25a0f0cfab7c5b0eac826f0f49a1d72e9fa3

SHA256
7c6790bb7c5bdf18266f9850cdd10ac8a2b3ee9d5f8c5a2f5a8ead8d7955193c

SHA512
d621625e617266acf968e965e5975df75c673d5247555348ba461dcdd74180ea60c7f5d51bad10db0fadc12cdc81f55eedb10c6bbb0360e4828554bae99a0ba7

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
55KB

MD5
384247e0d907b2394487b33939321149

SHA1
37523602323b70f9696921ea4eccacdf42ed255b

SHA256
5b886f897ce45a1bb5655495900dcdf2dc542d02b3d90d63332318142b16ae2f

SHA512
06d6527b9ef61d83467c4acb972198a233cad9851787515cf7093f63e0184aebea99b561e2e7a8eb565a452c7a416ec60ff3b56a80fd761745752f9d1e24a217

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
55KB

MD5
680ed1bb60893546100d60b6165e5977

SHA1
89235dd17150956ea4f97e64b4244a26073d933d

SHA256
8f48794a6bc06ba5f5353aec513658b5b2f4693450ccff976b9277caf7b74a45

SHA512
e1cade9e15341ee1387155d479d3bf60cea5c9c10072da88e4223b6fd9020e3f108c16b9b964efbf45fab42119b4be3951fc1ec6674223a35a5d9942cad3719d

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
55KB

MD5
95e39ecb07d0cf23ccb2b0b49eec54f9

SHA1
ed06480b808fe8a0fc44b94f610752f66681834d

SHA256
982c79624032ffcf89ed8e097c356a98e347b60d44346146933f89b8edd5b46e

SHA512
64ec28051a9887263d65bc3c0ab1d6246ac96da987a1301f86c3c0b729312d2d2c9955bb712b7a4126d19f28c22e7f0dfd5daad3acc9a4cbe99e5609b0d76732

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
55KB

MD5
101bca48dbb7f4f3fa368704cd170033

SHA1
d69ebbe5fb9121f432a175e6b0e5153b3374e765

SHA256
9d5c3bd2c32333681094dc5147181d0121a510f2501d6b24a8b59d471577576a

SHA512
97975cf4fda6fe10f1e9ccd5deaa9e954aa1a936087c41e0445a2cfbaa66a4ef05aa5f1256b9d0b7dbaf1739ea7646e683d496cee1f2b8a49958f5c4f8252ad2

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
55KB

MD5
cbb87584e78ce7cb1886ddaca680b972

SHA1
a8d052b475c466f1314c6c160f6a3bef012b5b35

SHA256
29ed3bf5b26690da3f9e664d497995845ff055fe881ece2a8f447c935bf02bbf

SHA512
691255ecc31697bab5d7fea0e7b15492d834ae46d182ddd8b8bfca9d5d87faf76078aad4b066849a11b7946802899c6a845dbb9e06dc01df305522f5b7c44d01

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
55KB

MD5
a83ab579ef2c2f0f49372fa7c7519f58

SHA1
fbc67e7f81a2c4a65d419404381a1edeeb0e5bf1

SHA256
4404808db951b0a2e6810b887e27cfdcd2e3e4420ecc3fa064099a551ae627da

SHA512
57c3cd17602f894d65be921ab08dd0f816ad7bada0c889d4fe648b0853f0bf3830bae926f94e412da63c0e3375b9d130a135568e5daec1dc3362fb571c3ef3c7

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
55KB

MD5
0b746393bb80fc89645a0c7c5ff91d34

SHA1
3057a6f06295be583986bb01b674f8d9446cd60e

SHA256
48dec561b2b2150500b6c47cda39d45aa97b6f03edf23da677e7793f9170f6d3

SHA512
38ae1ecd7300cd02d6fa0a81142b7a7584713e27917b9f9c3fdba533bd92cfad426b0e0248d941a7cede5f56bf3e5ea8cd76ccce3b4af17d9d679915ebca9329

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
55KB

MD5
070ba9a42cfae6989c8ef16b2ad77870

SHA1
aedbed3e568eafac725dacc8e7f9f88131831fcd

SHA256
00f93fa206904270e9b62acb87139ffd04c9d427a262141be3db82783d77ccb0

SHA512
6958387cb58ba990b8383c7cf8ec6aaa9e99acb58d3d3ed434abf853a5b712637b26a9b9a5dae355045c6a0f38818a47fdbd8ea1d23c5c6aa31fbeb7964f2f8e

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
55KB

MD5
25c828d07fa5ea689cd9f55a6a68a4af

SHA1
3fc88b4c1a06206f2422cacb59e02b3cca514372

SHA256
d7f949e39a87e08aba7674b440905fceb5b8dccba549b5113e564de6ed142b9f

SHA512
3e7fbd1d315e9d2d850aa92316c8cf82566242092e4d76400846b3eb7319dc85e0994cf86260b62b00571bdff320c10e9a3c80ac84d2e14db606ad057834e112

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
55KB

MD5
1d09b69a5639ec34019db968e61b1f09

SHA1
c84efe1c30c06f4d7bb10414af7bf169ae52e5a1

SHA256
bccdc62f45524d531aa533221ea0c133155f916fcb4eebc2a90616134c0e8144

SHA512
4f0323ddde72f26079f8565e0dcbf5ef12ca49f551ef16c236e3b9b9eb51760510a62911375f5fa515c99786a7193f37b051a76b40c6dc069ffa78e290d8f77d

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
55KB

MD5
b264cbc7623475b82519bbe3e86d760e

SHA1
6bfc49eb136c62abbc7a2a03c076f687c282d086

SHA256
9e9b493835cf30df2344285576509c2a8acd94f3d6e85cbff071f0d8816ef3c8

SHA512
e6b01cc87777aba3a231a0670ed64029ed311b20422ce6e56ef06e3da7007fafb537a43b2ef440b389587fbe973b65b9f93b00de20f843e7442ae63866ae4a4d

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
55KB

MD5
fa641c15e0e883ab0f78e6902b3057c4

SHA1
27cfb87b5c35b0b1bd4ef248e6ddbf9677c203df

SHA256
d30da664b1bf8553ba0976c2ed9ca529a6ab5f94b1979555d0dd536dffab12ef

SHA512
6d3a8ad75830ac23181be6995c1be7ec59cb287a4e2fe824132bd43e41504f01e3d152f58f2b4d20f2f9889411c533042f370bc9c1284519cf2bad5cc76f2cae

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
55KB

MD5
f98575bd154d7fac6920e94dae3f7282

SHA1
88f995f7dd29c530569f6133eac3572ef3abebf1

SHA256
672c42a5d72e5f91226f5bc18a5a8c467307b79255123d4f8b3e9eae8380ee04

SHA512
f5176238e9c65f93aef4aa953d79cdbc3321359e87fa0dce4cee772c6d951efa706c4031be7999c66c18e6bdd02b151fff8fb5b5021dffceb5034f6b566dc8e7

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
55KB

MD5
adc2be994aff94fc66c3de004c20df0a

SHA1
d32ee0304aa1fb25115cb41e4ddae87bbc68df36

SHA256
7ff9eba80930bbe7dd5ceb22249ec9dd8130ff967c3cd97c6e954c9d9e574abf

SHA512
408242d9bc0ac8f76515a8d8acb571bdd1c2b64fdae9b8d8712c9de7512961b5d1c346bb0f93da26a9585cf5d0a4f0e1d08d31048457ea78eae4c3d93eb9d071

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
55KB

MD5
9372ca88fd4463d4c7b572536534d632

SHA1
612f0fb220903b3cec272586f5dac232ef822881

SHA256
9551bff712253d2feabb2d652d8a9080b7934909c1bfd9cce86074f433f002ca

SHA512
9222ac4225f0b4f9444bee13dffddc0b3a541c86b534d4083179393a9944c3da41bac866be4e5a6e7a90810a7304decb0bfa74aafc1b5c0d1e1056d3daa26ef6

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
55KB

MD5
7db1779f02ba03c22757147beb66288f

SHA1
bde30135077706e99eca93d35248a4838f3a0366

SHA256
e52feb8dd2638828d5689493f69a2e2abc0f0a4ad873870039170baeb3580d21

SHA512
f2c9a47b7463ba43b852b14e779e9754dd5b972eabc9b2a42948801a414e9ff0d7da89cb2216c66188d97b046c4f9d80cb44fd46ba4b33b24063332fd27502c7

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
55KB

MD5
c30d78d0f94a245ec9ca163b29c9223d

SHA1
81f768d36880b9815303d5484ba7192372598936

SHA256
4f44750a12ecaf124392d3ee6a7479a9385e9ac268d828cdd3af13ebcebcc600

SHA512
193afaf3e2a88ad08df92977378f71757f9cf3026233ac85524fdaecfe8dd16cfda320dc74e86343cc7e41771cf7d9aeb91542f3aa423b6e59a5754a9a97c0c0

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
55KB

MD5
269689d49e7678278d4acfa60522e68c

SHA1
0e4dfad1b140199b61e0a7b6133a78de4759dc3d

SHA256
0c7a35d4a68637507a2fa644b1cb78e5d47f990835aaffc1c963655206823e53

SHA512
a5a7ccecebccd82c39b534910ee7279a3f6773e54d71daab45ceeac6b6ab27e71a1ae6b9a9e163ab06f173bcfdb7fe22692af4caf7d7f3f2e5ea4dac5714343b

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
55KB

MD5
fc5ea4a6bd80dd15a5d96ea96def102d

SHA1
6a1e55bff8e0914647531719518778bda373ec5b

SHA256
1ba28fb04dcd14aca824131e86ce408a02844881cb24cfb12ac0334b6485c6c6

SHA512
4b4a5b51cc5129f8f7ed5ed6694c90841f6fb1c491129fb8d9658012b482f91564e519956abb198bd6f3d7c2c1ee1872254300b42a356e7a5d8e22cdbcf621a0

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
55KB

MD5
554ccfb126fcd533d3484998fc9d8f02

SHA1
175aad9587142429026c0149d6ce359f507df796

SHA256
c5bdf25bf97c0903f22389cf2482a698874c63abeedd03f94d77f5189d4a8fe3

SHA512
0624bc278430148af4bd186af4d2939883894baf397cd0d4feb51d9f13586f47cbca4d63695e531827799c7c73133cb80fc59fc021b90bbe3f9ef0397aad509d

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
55KB

MD5
654c07a5c2d44c650525d33829d7d92f

SHA1
b80ba739dde1f25bf00b48ac9876dc7bd33941d0

SHA256
f28f9e136c7728fff1b5d83f5da51eb3217492aa69b2aaa1fbed037db7b3ec7d

SHA512
53eb2fd04a6bec9c154d1a9a1b42fb3ce508594d63ae372b540b5c3c6e300300ef4ed0f8130bae1716f4a8b12e5efca1f5e939011bb44ed50f244bb64f004625

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
55KB

MD5
f364d11379d5b27608c01444956d3e13

SHA1
933c270eae5d48bae0f3641617e1893e2bf7af11

SHA256
9803e6a5d4a41ff3eb1736056c83d19e8fd64d84b538487748b1352f3beaa4c1

SHA512
431326eecb85cb7ff59ef0ca2f2476e0ce8506020105141d0d1be08a654feffb1ae18186de6ef111c1cbb931d92cab3affe854e9f82f1ed0c19677f682cb3166

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
55KB

MD5
2f17d20145dcf3fd47831fafee720dbc

SHA1
6b951e91d8f6361c8dcefc9589148f77ebdc972e

SHA256
5598bcc6273061a1e2da79afcfe95f85a18c0c55400f3912f798e38bc64d5ce4

SHA512
07ff0652fbe4e877f016079f9fcd350abc3d459483a953165cb03506b403b333e27b950033d24fe93f9cc592b0b2dd471fd7f783b7ebfcc552c389ab4cf19a58

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
55KB

MD5
e7d100b83c2deadf68b2f1fdac922561

SHA1
46c8cc9f02ead629ece06dca3d91f89a9cff0289

SHA256
d5cb4e8adb2f15e8d7fbc21c0f3a2b89e048a92886164b2a2df8771910c08c0a

SHA512
ede84c2b542586d79bedb24053a7fe2ed89cc8897fd6caa6548b03da21fde7806bb16166e37ac286d040cdd92617db5e64b76926f86cb07c8259e67238509a1f

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
55KB

MD5
d6de214ef8705c19115b1d69adb71f38

SHA1
35a4d84fca7732aacfe155db04919e2b08c6d691

SHA256
c5a3cece6f97089c82d3932c2d2271f749c4ce4ae4fd3fe62d1d67bb2664c260

SHA512
6a26e40bc189a67c98d54b534d08ba9338e74782ccf602925952e658c2715ff5498136c43a603ddf11b240c555608872f1606b8f1b0ab35d1e46dad6893b7620

Download Submit
memory/224-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/368-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/812-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-694-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-681-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-665-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-643-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2668-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-671-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3276-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4264-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-569-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4868-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads