berbew | 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Size

246KB
MD5

f84bfd729b2396e2029649d257a1125d
SHA1

688313bae60f434669560c4956829769225bd10a
SHA256

51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce
SHA512

04affca5e257af4d386c188d68e47b58606dac323efc03357b4deb37277d8c819522873f5ea16e686213e5811a9c51c2d0e9b384eb84b1d1c1ef3aaabcfccdb3
SSDEEP

6144:oIivLZFIm3qB2B1xBm102VQlterS9HrX:otImHpas99D

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdqjceo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4740	Ngbpidjh.exe
4260	Nnlhfn32.exe
1140	Ncianepl.exe
3080	Nlaegk32.exe
4536	Ndhmhh32.exe
4656	Njefqo32.exe
3620	Odkjng32.exe
2820	Oflgep32.exe
1132	Olfobjbg.exe
2364	Ogkcpbam.exe
4808	Olhlhjpd.exe
4396	Ojllan32.exe
4084	Olkhmi32.exe
4788	Ocdqjceo.exe
2320	Ojoign32.exe
3180	Ogbipa32.exe
3504	Pdfjifjo.exe
2824	Pnonbk32.exe
540	Pfjcgn32.exe
2280	Pdkcde32.exe
2660	Pflplnlg.exe
2336	Pqbdjfln.exe
60	Pgllfp32.exe
3884	Pqdqof32.exe
4404	Pcbmka32.exe
4800	Pjmehkqk.exe
1384	Qmkadgpo.exe
4980	Qqfmde32.exe
2096	Qceiaa32.exe
2900	Qgqeappe.exe
116	Qfcfml32.exe
852	Qnjnnj32.exe
4356	Qqijje32.exe
4068	Qcgffqei.exe
1256	Qgcbgo32.exe
4576	Qffbbldm.exe
4856	Anmjcieo.exe
2908	Aqkgpedc.exe
1004	Adgbpc32.exe
1652	Acjclpcf.exe
2844	Afhohlbj.exe
4812	Ajckij32.exe
4708	Anogiicl.exe
2436	Ambgef32.exe
4772	Aeiofcji.exe
2360	Afjlnk32.exe
3136	Ajfhnjhq.exe
5024	Amddjegd.exe
336	Aeklkchg.exe
1540	Agjhgngj.exe
5036	Afmhck32.exe
4940	Andqdh32.exe
4528	Aeniabfd.exe
4944	Afoeiklb.exe
716	Aadifclh.exe
4840	Agoabn32.exe
348	Bnhjohkb.exe
3388	Bebblb32.exe
3028	Bganhm32.exe
2164	Bnkgeg32.exe
3216	Bchomn32.exe
1212	Bjagjhnc.exe
2084	Bcjlcn32.exe
4432	Bjddphlq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Ocdqjceo.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pflplnlg.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Ojllan32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qgqeappe.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hfligghk.dll	Ncianepl.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Pdkcde32.exe	Pfjcgn32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	4424	WerFault.exe	177

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlaegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngbpidjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghngib32.dll"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfhoiaf.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njefqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgllfp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeflhhf.dll"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpfmmm.dll"	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njefqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjegoh32.dll"	Nlaegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddeok32.dll"	Nnlhfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4740	2128	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe	82
PID 2128 wrote to memory of 4740	2128	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe	82
PID 2128 wrote to memory of 4740	2128	51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe	82
PID 4740 wrote to memory of 4260	4740	Ngbpidjh.exe	83
PID 4740 wrote to memory of 4260	4740	Ngbpidjh.exe	83
PID 4740 wrote to memory of 4260	4740	Ngbpidjh.exe	83
PID 4260 wrote to memory of 1140	4260	Nnlhfn32.exe	84
PID 4260 wrote to memory of 1140	4260	Nnlhfn32.exe	84
PID 4260 wrote to memory of 1140	4260	Nnlhfn32.exe	84
PID 1140 wrote to memory of 3080	1140	Ncianepl.exe	85
PID 1140 wrote to memory of 3080	1140	Ncianepl.exe	85
PID 1140 wrote to memory of 3080	1140	Ncianepl.exe	85
PID 3080 wrote to memory of 4536	3080	Nlaegk32.exe	86
PID 3080 wrote to memory of 4536	3080	Nlaegk32.exe	86
PID 3080 wrote to memory of 4536	3080	Nlaegk32.exe	86
PID 4536 wrote to memory of 4656	4536	Ndhmhh32.exe	87
PID 4536 wrote to memory of 4656	4536	Ndhmhh32.exe	87
PID 4536 wrote to memory of 4656	4536	Ndhmhh32.exe	87
PID 4656 wrote to memory of 3620	4656	Njefqo32.exe	88
PID 4656 wrote to memory of 3620	4656	Njefqo32.exe	88
PID 4656 wrote to memory of 3620	4656	Njefqo32.exe	88
PID 3620 wrote to memory of 2820	3620	Odkjng32.exe	89
PID 3620 wrote to memory of 2820	3620	Odkjng32.exe	89
PID 3620 wrote to memory of 2820	3620	Odkjng32.exe	89
PID 2820 wrote to memory of 1132	2820	Oflgep32.exe	90
PID 2820 wrote to memory of 1132	2820	Oflgep32.exe	90
PID 2820 wrote to memory of 1132	2820	Oflgep32.exe	90
PID 1132 wrote to memory of 2364	1132	Olfobjbg.exe	91
PID 1132 wrote to memory of 2364	1132	Olfobjbg.exe	91
PID 1132 wrote to memory of 2364	1132	Olfobjbg.exe	91
PID 2364 wrote to memory of 4808	2364	Ogkcpbam.exe	92
PID 2364 wrote to memory of 4808	2364	Ogkcpbam.exe	92
PID 2364 wrote to memory of 4808	2364	Ogkcpbam.exe	92
PID 4808 wrote to memory of 4396	4808	Olhlhjpd.exe	93
PID 4808 wrote to memory of 4396	4808	Olhlhjpd.exe	93
PID 4808 wrote to memory of 4396	4808	Olhlhjpd.exe	93
PID 4396 wrote to memory of 4084	4396	Ojllan32.exe	94
PID 4396 wrote to memory of 4084	4396	Ojllan32.exe	94
PID 4396 wrote to memory of 4084	4396	Ojllan32.exe	94
PID 4084 wrote to memory of 4788	4084	Olkhmi32.exe	95
PID 4084 wrote to memory of 4788	4084	Olkhmi32.exe	95
PID 4084 wrote to memory of 4788	4084	Olkhmi32.exe	95
PID 4788 wrote to memory of 2320	4788	Ocdqjceo.exe	96
PID 4788 wrote to memory of 2320	4788	Ocdqjceo.exe	96
PID 4788 wrote to memory of 2320	4788	Ocdqjceo.exe	96
PID 2320 wrote to memory of 3180	2320	Ojoign32.exe	97
PID 2320 wrote to memory of 3180	2320	Ojoign32.exe	97
PID 2320 wrote to memory of 3180	2320	Ojoign32.exe	97
PID 3180 wrote to memory of 3504	3180	Ogbipa32.exe	98
PID 3180 wrote to memory of 3504	3180	Ogbipa32.exe	98
PID 3180 wrote to memory of 3504	3180	Ogbipa32.exe	98
PID 3504 wrote to memory of 2824	3504	Pdfjifjo.exe	99
PID 3504 wrote to memory of 2824	3504	Pdfjifjo.exe	99
PID 3504 wrote to memory of 2824	3504	Pdfjifjo.exe	99
PID 2824 wrote to memory of 540	2824	Pnonbk32.exe	100
PID 2824 wrote to memory of 540	2824	Pnonbk32.exe	100
PID 2824 wrote to memory of 540	2824	Pnonbk32.exe	100
PID 540 wrote to memory of 2280	540	Pfjcgn32.exe	101
PID 540 wrote to memory of 2280	540	Pfjcgn32.exe	101
PID 540 wrote to memory of 2280	540	Pfjcgn32.exe	101
PID 2280 wrote to memory of 2660	2280	Pdkcde32.exe	102
PID 2280 wrote to memory of 2660	2280	Pdkcde32.exe	102
PID 2280 wrote to memory of 2660	2280	Pdkcde32.exe	102
PID 2660 wrote to memory of 2336	2660	Pflplnlg.exe	103

C:\Users\Admin\AppData\Local\Temp\51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
"C:\Users\Admin\AppData\Local\Temp\51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\Ngbpidjh.exe
  C:\Windows\system32\Ngbpidjh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Nnlhfn32.exe
    C:\Windows\system32\Nnlhfn32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\Ncianepl.exe
      C:\Windows\system32\Ncianepl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\SysWOW64\Nlaegk32.exe
        
        C:\Windows\system32\Nlaegk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Njefqo32.exe
        
        C:\Windows\system32\Njefqo32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Pdkcde32.exe
        
        C:\Windows\system32\Pdkcde32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:852
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        77⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        86⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1264
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        95⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 220
        98⤵
        Program crash
        
        PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4424 -ip 4424
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agoabn32.exe

Filesize
246KB

MD5
1f7db7982b032dd51e6da023874a017d

SHA1
60c7e6ada53e528267f51fa661fe68c8c7275fe7

SHA256
2ee3f2b749cbb5e8cecbc8ef9ab921230860d211c8619e24ac38ba5f615346a7

SHA512
d8ba028715f2bf933180a1022da4662c98e262dc77410849987242fe7600b7ace0057e2eeae545de119888742cb7d17d2f705d368cfeb1ccd3b2e32e51667612

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
246KB

MD5
22983a77b8a2859ac04cb9a2c92c580a

SHA1
433e2d4a1b287e8e041c29866573765663eb6e4d

SHA256
d0293653a2ffddc42345039b4e6e42f1d71abb463c453e7a4a09ad7b94d273e6

SHA512
ca7b8e3ea2202fec153317dc835c61ba6db4b53d5ff0c88f5beaf2fcbced2c5a15d28c61807b853d0029847de3aebcf68b601c595b55a681f0702b9845faab1d

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
246KB

MD5
169ced54c72a829ed1a0c4d2f0fdba9d

SHA1
0fa3e232de7bdcfe353dfdeb15c0153c1cfc70cb

SHA256
b8bf35d56c1a075c2527defb0491d79b89cce27808da23f61815d99dd3b2baa4

SHA512
9eacca6584ef5895a409c98f90bce28088cd33796906a5acfc2a6b64c3e634e717c0f67dcaa88921c91e40ff44d83e8b6e55577bcd2d3a96bc367e561691e5ee

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
246KB

MD5
4f3bfbb7e16e95010fd88558fb2234ef

SHA1
900311fdf6b0f27bd3432aa1632da63c6f5921b2

SHA256
9546a4350b8188acf096b99877e40ed0f3ce0e147ce8c1804efa21d5c1dd1fda

SHA512
1af6a124a463fd86f7c68eb4078c60f095c9ca683991f3dcf1f540fce8f6a99bf175d43cf2e0e4abf4d1275f0b76f47948c0a8bc6afecd05eb8d48e45f26c1cf

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
246KB

MD5
92d59ad8a388ab0ab9746fcd00e8032e

SHA1
55ce4a48cf907202eee6d8f4571779cfd403008d

SHA256
4ac4462d82f124103f0dae014b095e1e326ab5f94007da5c65be0e21da9eb36f

SHA512
936339598fec48b9b3a12b86e0bdc8d3e0a4547b38e0e12eaf7a7e2b731928858beba647f60ac0e339c9f6b010fb140418abbc88653799d70e0cbde68d355ca8

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
246KB

MD5
6c14ea8f5317e235dbc2e234c42c51db

SHA1
9269386086a15a209acc91799793ccf8fe455910

SHA256
5f5b374565a5d98db644355bcb1af33a5211fc3fd6e69c483574cc1b607bed08

SHA512
2fab7ed18e13d5459855e895825786782a9903d0413d157f56895ecf97345bfe84c024d6d61153183091698740f123669917806b7283e606d381d4e30ba28f6c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
246KB

MD5
f95dc2ed3a36dcc83e3bf54cb46b9bf7

SHA1
3ecb9b1f5a06eb2bd8b8357f0d35451b1f64648f

SHA256
276fac2cd733637c1bf318124b30b74594e5b7047ae09caf752be449ff2e9d7d

SHA512
b26419beea528e5793152d76a313d3acb83c587d4699a7a4b2cd6ff661af1a440828f0edde6c4e995b99a89e45d17c96403942470418c20bf933042b471b1f13

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
246KB

MD5
ec27cf2b5e32b34a188508a92bc1adb4

SHA1
4eec02cf8442d9ee131dcccf9d5e88ec5f4c2ccd

SHA256
275ffac1576da83ca18783fccf4673d23b2be629b8171340e5c31218b8fd9d43

SHA512
7e4f9f5233b253edad6c1bf17fb292e5cc1656ea92a86ed294a0231727c4db3f1f912928cf1f4d6f5798a52f97c7512936b0d09814439ebc1a6f085fee51aadb

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
246KB

MD5
68e2af8ca61315d073264e8251cd0868

SHA1
5c85fe12650474180c5593ebdf824dede603b01e

SHA256
e284c0cf189efa743f851cfc09fa952fa79a713d928aae3b00171ec4b2b7b441

SHA512
d2e6a4c071b7e2e4f221dd07aa024652fabaf28d6f346eb72655b8265baa44950b2d2543153d8256fac01cbc544251667a27508cf30ed0bb4b27c9474e8be383

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
246KB

MD5
fcab5a99209f7bade3071a55a4ef9004

SHA1
3a32d1f858ab9a6358e5cd357f63b50b4ab7e6f6

SHA256
eb3b890174bed39bc256856d029adad5438725bdd251c526e9d27d4d22a35295

SHA512
a2c62bd2ee5cef0c20d9056c978e749b58bcf8e39f7a76695e7745974dc1d5b14a06f9cfc2697f2b9c7971e9a94d70556d683d25691bd0a10a7d0d8f22a1f45f

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
246KB

MD5
813d6bd86dd9917339c47476756b3d19

SHA1
f1d7d668a5a526eeb209c2010f75cd14f7107376

SHA256
2e590b40c2a1d084afa165c02fe30505a68cd48a9f355a70178a741f1de94e0c

SHA512
57b3a557639d0a6d37780dca7de543abeb1f28957aab6188210f29f64d2bcdf631eb2f81f4e9e13462ee076a2c9b7d151eff4d929105c8551f781f08016a667a

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
246KB

MD5
0df3d1c435d8f5aa2206893b57cb06d6

SHA1
1965f5ffc819ce9c1f9cd93ae6b0b066130029f0

SHA256
10d3c38071c3ec5f7318879377cf0c1384a7c44e3a49f7803f75376670732575

SHA512
63542cdf0e0d18e144189d58f0f8dc5954925a0f163c59f6fb44c026a4980e71a000a70cea9bc7ad730005c1c31b15622cc0718dd57a48dee02b67d15ea32233

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
246KB

MD5
659e699563ed3d42a72dae0516d1e0db

SHA1
cf9848bfb2a932755eb8e761d0b15c6df327e976

SHA256
a8ff129639133e4032becfc5b77cc91b9d3bcbfa15454a0aa3fbefae6600f9fe

SHA512
d356495a65bc3145b4d2b03b487e64337a87c46fae92f705b944b01c69c339585431192fe8062e984f6cb0a086b956d204ef917d2a96f499e2b4726ea6a234dd

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
246KB

MD5
03b29f6c7b4b1631da423b742cc53ac0

SHA1
235cbadc0645a98b637dfb5a64ad82a9e03ee6e3

SHA256
1a6823b092a5884d8d2da749a525e0efb5476d93c031601ca0c65be7cafae978

SHA512
b6cfca424948d469d3c84824a522fefe9ff96e26990781f129893f2fcbb05ae33942bd25a8f863b65ea5a5cece612a9f58b490b1af4015a4874f3db5c75bfd40

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
246KB

MD5
af1096d4fc1522e57a1acdd6f9cbdc67

SHA1
1fc9ff5adb65af1780385381e1e34aff17374d21

SHA256
38de736efa99aa62307792590eab95975afe8cea0b4f7cbb823d190ec027c987

SHA512
28dd89a95056d9399c5d6a4e783a0d841da4bacaaee4426e669285a2c95d70294635ded0f85efede1d8cf8afc49672fd546543735cd2dfc023d91843d2f21501

Download Submit
C:\Windows\SysWOW64\Njefqo32.exe

Filesize
246KB

MD5
518becbd08ec98b90b183f0e5046f07a

SHA1
5dd79cadb618b10ced6d5138f5a4f9bbe5d1f5b4

SHA256
7c74648c485d2deb475becc883fca490143e645640dfaa12be6c4e9f88cfc52b

SHA512
332ed653c036a5e720e2c3f09f989cdcbf46be211576a3daf2ef0441fb3b53e629eea382e57c52ed59331b52ac147bce923c02656a9ac1d98d921838ac4665f8

Download Submit
C:\Windows\SysWOW64\Nlaegk32.exe

Filesize
246KB

MD5
c74365d337de7040c786f0a9671b951d

SHA1
a6917a89de227eeb57d472d3aee9f61f1646df28

SHA256
1273c764c5a4408e18d25490e7e1077fac9a99b02205cdf92a1744995141c7cf

SHA512
81d2b882809a166b553cf6bd49b68c035751e2903e06e3a0761e7ae2643bd1f2c92d6092bc2f41ab52aef54f8572f94a807e5aa1f3407d7dc2f0908ebd7c2a1a

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
246KB

MD5
20b4e7c77eeaa975e2bc99c76ec85ba4

SHA1
bcde00d0c37e57317dd3ec4ff275c09b34722d5a

SHA256
f72719bbfc7e11ace0e12641b59981deed0664267860a482f9a3431fbf3d1908

SHA512
4ccf6d3843e000fedf29f85296c95a4a64725bae0a510a51cd8a0e4867459c332abeceb4fb9cb0b199342969e685ab22b1451bafcf9c3b051efdcda9e77531da

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
246KB

MD5
a57a8a4896d6fd61cb94596d828e3ff0

SHA1
b8097e34423af5dda9048ddf3bf9f75a25f087c0

SHA256
04d5030c672e850bf956fa95013053ff7858653ac71567b38f4f630b96ad4935

SHA512
e9ae063a622092653601774561eab57d935bf89789cd40cfc03b651f7bf2b0182bd6f6f4cae86fa41e6d1ebda0cfc9080803817cf5a2ae66e42a2d03efcd4b93

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
128KB

MD5
b448e1829f4072654b83e43ccb38f8ac

SHA1
6e5dd41b4e76f767a60f14069f2d9aa3dbb16203

SHA256
832837616195960215258e08b9ed68a7c7531535108bb03dd2a581c5de61c70e

SHA512
10d2525ac002fb1a7fe957dc1b9e1cee11460ac5ccb8eceed43082d12c889737c09dcb3ba2a42b99e789e277b43f4203668e64370a7a20f0e41f4fb28f0d175b

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
246KB

MD5
bce74ca374ec2f62e80457f1f069af26

SHA1
c5384849758b99adeeadbfc811bdfe427f9bd400

SHA256
7b76a1a34345869f7ed53483bdeac9ef4d93c5f0e7fdf11186cabccea223b0ff

SHA512
fabbdba58cd542df94a04ab3b16c525a0c20759f088d18a86469d5ac76ba3e82e22d62ba602ea4d2d90d9c194867562ad2607ee0b64b946ddeec6efb3db4fab8

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
246KB

MD5
81cc2120f40cc1b508dfbac1d357d1a6

SHA1
a17e73a1eddc558528e1ec4e54c45f2229014507

SHA256
0e9ca8191d03f2ece0bc7ecc062c54e6420f79ca94548be49b36f63d3ffd933c

SHA512
7d31f55680d65fcbfc4b897741fef9902a6fea61078316d8240781321292187816f2069e0a333643a4a41ead14479e29a5ecfbe2ff9ba43cff79b949db83a01e

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
246KB

MD5
a424f2da035f035f67cada28d41fc9b6

SHA1
494651789f7920e55f624fb900f3ed25bcdce491

SHA256
4ca777a06f41bdcf402e88d4e5226eda5bd90eb7c54bc534d3c657b3874845eb

SHA512
802dfb2231e22b192bf0d5fa822ead902d8d2fd28e019e3e85d4ab36d3100a325a88f98efc9752ce2e0aa0da33ed2eec15e48cb9e150dac54d0b6ac5b6534b5f

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
246KB

MD5
b693546487b33613ea7c129a52823e38

SHA1
fd9bdadebe9c284479a9a576c492a749f370f4ee

SHA256
cf513cd8340e02eb33a3d9bec76c1d689834a60e1e243c2a3a37dec8f993d5fa

SHA512
8f1cc84bf3d7a4b80625ad18f1dcb762f09e16c5d9d09b09d09d600a076973aa5162964e6c048b803f22e13517717921bb557720ebfb470cfd27544d6826b1fd

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
246KB

MD5
35765f3773bb25daf6aa570091e2431f

SHA1
c399ef21891f914c9dcd4f9fb34cb649798fa348

SHA256
71e0b451010d65529fdec754b13a3ada61653dbf0dd26ed79623aca3898ff3ea

SHA512
5c3681aa9e134ad31a9666203a9002bc811f59c9b7470a673206419966ba9f59c5e26b597c98738489b9d75879c2536e2d8abe351d017e0ce3ef1d676ca2bd18

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
246KB

MD5
242dc636a71c2ae9e641fabbe13f8326

SHA1
10316a69fc6a60c8dc0b405135bccefb50ae31bf

SHA256
fede333df3dd0cfdd3472e7d3bb8b91f7ec912fb1a1d9d5e69b91aa9a1ffa901

SHA512
8e2dbf393d9424a901a3be09e2141bc288e930f437689a0ef9bff2d7f9b93f964e52bf4483a30a897756e89f8cbf18cd1f795099fc10e03dd385e541811caa99

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
246KB

MD5
4061a9930e2a1f89f493d6784c7407ec

SHA1
cb2d1a0b5f2bf3f56e9cdd446f3843463512a643

SHA256
85d0491491ec20d79ab1347b683ecc796764e06dc1eddfe91d90caf61781b002

SHA512
317802095c24a1727aa7f811f41c5edb9f8c949a53cfe860ba555011b65ee24b88de755394734923759d034d40dee7ae9fe602abd1f571689bc33a3f8e9c335e

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
246KB

MD5
3c750a032e7742f44b324506201d4320

SHA1
f1296c7cf63de733a7823bfbd0d46e83978f892a

SHA256
b37ee604367456d900c2de8240207e30762c09d174c8fea987d451c8126b3b18

SHA512
543da77aaaa0205f097ad219dc878264728fe5ae766689cacfe31fc627fa73cb59a1637513e371e5ee4ec29df51bce2b09300aeb93435a06dec2f8adfb3e20a1

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
246KB

MD5
322d587d0d6d6393c8d66f3b32af1665

SHA1
3ae2350e400de4d2cc0202a79f87397d1d4fdee7

SHA256
26b544b199c744a4feb91f7132d5c23cf88de347930af366048b2f9ba9607f51

SHA512
9f7ef838daf1c470db4d45f787d6e9b7073b3ec069df7175e592eb96f5245a535513e2a487c98e89abaa8f032407afb6d4fdee5ea489c573a09be03dc8674970

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
246KB

MD5
33b1d2906743885005b78827c6d2ea90

SHA1
bda4777cd46fa27d38799f6fb1b663e11b66d960

SHA256
b9bd1a6a47da636086223305b86001040433f60502e7d2a4fdba158b87c3639b

SHA512
4b897d77b50e35d15538dd5abadabf9ab71b4f44d3fcb08824306995b568656a618b1c8393daa904d543364107f9628a914f78da225993a6293871301e20297a

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
246KB

MD5
118334f66cc5f0f7aa137d2b5bd15c3f

SHA1
9ef3559f3b53e31f608c3aebe5d8d3024c609802

SHA256
3c34749c35fedbee20f2ddc3e5c162b02b0e10032b75d685c94fce4104d2a0e1

SHA512
eb63db99f18bb029b4c74efac5070d5e713fc931634292f95e4257b3d2e82bfc9077e58c1cb89ab4760c949a7390d5f4a538485f1a18a86dd47d445311aef0da

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
246KB

MD5
f036ba8bea378110951e3ae863653705

SHA1
af5278cadaf7761802b480e5ebcc966386a6946c

SHA256
c2daf01d6132be2bf13d8ac2c9b39db2548d4cada86b6910640d898d61cc5f8f

SHA512
032ac7f284debfc3a54216fd6e56d0a2368654469078a80934ee1af4e528ee0fd878809f77faf1aa7bfc4a58d4021625c5f920439d73a6a003be462668088f85

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
246KB

MD5
af56bbef96488e6200d9a0878e00dae8

SHA1
dedbe80e5f8b394409e7a1df9e62f33a8bb43d09

SHA256
cdef6599374bc6c728d719a2137a38b5634f2b5fed451e792e6ca0eeca62a112

SHA512
9936d3064584dae3abf18f915df58346d62015f2318ee4152739bf5c89beaefed1803ee6e09f5d8dc9eb64739b8b85c475a9fe9d789c0f813bfbfcca5d0b42f9

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
246KB

MD5
2891cc9daf618d6c3bc35746a1866e2f

SHA1
9b77c1b2a4954053741033db3e413479fa7ec3a3

SHA256
4a76213377d105fead623bd01ff30abefefdd35fd0652dfc7313019932451a8a

SHA512
6ad9025103e4d9aa72c706fee229de7e0cf933314bb02c20b3c9b0228e7a7ee3760133d053ad7b2b4e84631ac671dab30f18328968bb22625cc903670971f95e

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
246KB

MD5
e58174c4123e84883adb338f2e25f624

SHA1
402012f1a70d26ffd0361a45b9588d20a34de699

SHA256
0b8fcbef5955f4900761cbce0bdcbc790b6a547241e06e25d6a976c32db56fff

SHA512
cfe9d65d3d7903700393faeb7c7740f11710014c4bc6754903e25b8bc14997ed0ab3db6014bebe8ea410cd528b03c1c9399195878158bfbbc923144822140eb3

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
246KB

MD5
dfcbcb8d15cbbdebabd039fdcd13eb5f

SHA1
09242fbc828ebffe026c8e69fe84eb3681ec36e5

SHA256
046b2d61958aefa4d3e4d2d0ac2b2c9b68f964247ba51dead1166db3290c4e5e

SHA512
55bf12098e3df3cddb3e8f6cde7d198314a08596fb66c8c4fb7e996ce2d1c00277bc90911b9b1ebc6bc462a4bcf9e3d018a374ac4c490a029bcebcbb3591b4bf

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
246KB

MD5
dbaba347db7846e8e98c83eda6bb34a8

SHA1
b125d8e02d759ec954a9dd7792e82a41f42fe18d

SHA256
b5167f875d930aab365c98c4bf1ff2adf7ad9e9eb0951e75ac38b468acbf6043

SHA512
d63e6090faabd3f0719bf8c0b12f54a4352bf248af0389feacf7cb11a26891a28c8c3b0fc427865d57d8cff732605989b6fe47fe10f79f87a43aefb6ea5a7e47

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
246KB

MD5
64553ce1c53cc66c3b0b265246ac58a7

SHA1
0499c1344a6f997b32afe0fc0c5491b2565f4eb7

SHA256
76ef698d9d92822765cc62a04f52c5f5e3eb6a98a1846ce83726cadbb0733eab

SHA512
1b9070a68ba93f6ef48ddf90363fcbc5308060b616df83331f10d91014fe42e74a2ad0a9d87e90c7799897f4784222230c74d80fa874b39e6fdb56ede0e630e8

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
246KB

MD5
a7282397e92d969579ccbd98d2f5f9d2

SHA1
2fd579a437b8f1896a7d87e51914742f6cc8ffe3

SHA256
f0747cd8d5814f1865323b1e9d7f48a7a0827592ed1362458123e4aeaec23777

SHA512
f9303dc27134d55056a0dbf569d18956856059dfbbece905d6e58a10c714a7e2e8c2efe9e1a91a68c67e8c2e8b585e74d3daa648d5df50883c2303e125a464cf

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
246KB

MD5
96ed5204034512ec6b9bc7cdfea284ec

SHA1
43237c21468fe1e982b5146abb91b73d72b57abc

SHA256
e7c048b09346defe789361b2809ad9bfd2c51c81a060c47ae71829c4455bc553

SHA512
a57e9f0737cd795fd98c9ba3f0ea0908c33e54dafefc8fc5d20ff51f46613e27f6d78f9a58a9fed2199b4f27e0355e74624590e6eef2250c0178471c1fd4e5e1

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
246KB

MD5
db628a8bbf95a5a35de455a9695f941f

SHA1
b7ac436bab9173d73aa23f28a843c92e70bf35e4

SHA256
ca996f1c71d489be3ee60d84fc293da1f551b81ba8a70a2ea14ffcae83f5bb27

SHA512
e015fe19d529c2fe9d9bb2845bca1340bc62918001dc96bdca9320b317fff5c156f8434644f3ec4707352f4bb0ad1f43606a3dfb0202bb3021165336ab78a3fb

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
246KB

MD5
5fc4b894be3f70ea19d752db82417ce6

SHA1
98ff3d3d8be2656f692d6b372d97828ed1afbd52

SHA256
6d1c190ae62b01a7d12acfc9108e1698d1e41d322bf9391d933021f9f3cb2fac

SHA512
81a19ff3dd14671d67d91017db59015d8ff6f822443cff54da6e12ba4fedcda99f12a887b41872f7338d1f351020819f82b1968f8b820cc94ae2516411e53df8

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
246KB

MD5
f314f8389349440a508968225fc7f73f

SHA1
09adaa19060d7d179c4ab999e2631ba3180cac99

SHA256
f002056ba5dc0774a4f8f5c90399f1fab396d8237029fc5464e92fac0ad70482

SHA512
24f835c9b5e151981acb0c44db7913b1fc76c89edfdeaf722c554ba4b50e95ee72cf4b0f912a50227a799996cebe3c2b42e5957cf0128d67337b743a1e6748f7

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
246KB

MD5
bbeda3fb128c612ef7dc9ce4f84131cc

SHA1
3e29267b0a5f32660001f45ad0f7c29e5e6bceb7

SHA256
e21fb94351d4692805b52ea88825da81630d31cde970e6a2b1e7daa54ee5595d

SHA512
5c288508e84bdf960c9912f21572ad13eaaa6a8dcc2f7962da48dc790afb7871d2886e62be08e983dd50ade5f0e171b7ecdbb142f7c703952266840ca647caf4

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
246KB

MD5
a5d2c2a9ccb4ee9afd54c8cbe654e848

SHA1
829deb9008cc84160f8d6ffcb953b568b5a09a6c

SHA256
3f30484ed2e6c0cf515a426162b744d9b0a122fa9c9b3d7e80d73cb78d39dce7

SHA512
cc3089b30a99d74eac2a2d15371aaafc05b925d1d3c9607c72821cc4a431ba070281074e9c39fdd5b73bbefb65773671f8b356eb72d3377d6cdd1e8eb8f9dfee

Download Submit
memory/60-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/336-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/348-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2128-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4536-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4656-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads