berbew | fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38

Analysis

max time kernel
93s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Size

896KB
MD5

a55039bc965187f5c1027fdc702fce93
SHA1

d7c433256e2654a3062c34099ef77787aa78ea48
SHA256

fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38
SHA512

86edebadeb821ce7aa1776ff7c3af450022c2ccfcefbebe4cb7a7009429418ce2e0dcf291f82778b43745a926088b6547e7992b791d6b271e9f43d2aa9107618
SSDEEP

3072:+yOFUwCcBGcte8tY9YSaLRFh48/cuxGzt68pXBnPiU14:yF1xte8+YlFiWFAECXdPih

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 26 IoCs

pid	Process
1524	Ojjolnaq.exe
4624	Onhhamgg.exe
3224	Onjegled.exe
4876	Ocgmpccl.exe
1588	Ofeilobp.exe
1208	Pgioqq32.exe
516	Qqfmde32.exe
2240	Qgcbgo32.exe
1236	Adgbpc32.exe
2772	Aeiofcji.exe
4720	Amddjegd.exe
2572	Aabmqd32.exe
1384	Aminee32.exe
1612	Bjmnoi32.exe
3148	Beeoaapl.exe
3420	Bjagjhnc.exe
3040	Bfkedibe.exe
4104	Cfmajipb.exe
1896	Cfbkeh32.exe
3572	Cfdhkhjj.exe
3688	Cjbpaf32.exe
668	Dopigd32.exe
1640	Dmefhako.exe
3596	Daconoae.exe
3064	Daekdooc.exe
4616	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clbcapmm.dll	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
File opened for modification	C:\Windows\SysWOW64\Onhhamgg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Hppdbdbc.dll	Onhhamgg.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jfpbkoql.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Onjegled.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Onjegled.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ojjolnaq.exe
File created	C:\Windows\SysWOW64\Mmcdaagm.dll	Ocgmpccl.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Ohjdgn32.dll	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4004	4616	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcdaagm.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbcapmm.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojjolnaq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1524	1204	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe	82
PID 1204 wrote to memory of 1524	1204	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe	82
PID 1204 wrote to memory of 1524	1204	fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe	82
PID 1524 wrote to memory of 4624	1524	Ojjolnaq.exe	83
PID 1524 wrote to memory of 4624	1524	Ojjolnaq.exe	83
PID 1524 wrote to memory of 4624	1524	Ojjolnaq.exe	83
PID 4624 wrote to memory of 3224	4624	Onhhamgg.exe	84
PID 4624 wrote to memory of 3224	4624	Onhhamgg.exe	84
PID 4624 wrote to memory of 3224	4624	Onhhamgg.exe	84
PID 3224 wrote to memory of 4876	3224	Onjegled.exe	85
PID 3224 wrote to memory of 4876	3224	Onjegled.exe	85
PID 3224 wrote to memory of 4876	3224	Onjegled.exe	85
PID 4876 wrote to memory of 1588	4876	Ocgmpccl.exe	86
PID 4876 wrote to memory of 1588	4876	Ocgmpccl.exe	86
PID 4876 wrote to memory of 1588	4876	Ocgmpccl.exe	86
PID 1588 wrote to memory of 1208	1588	Ofeilobp.exe	87
PID 1588 wrote to memory of 1208	1588	Ofeilobp.exe	87
PID 1588 wrote to memory of 1208	1588	Ofeilobp.exe	87
PID 1208 wrote to memory of 516	1208	Pgioqq32.exe	88
PID 1208 wrote to memory of 516	1208	Pgioqq32.exe	88
PID 1208 wrote to memory of 516	1208	Pgioqq32.exe	88
PID 516 wrote to memory of 2240	516	Qqfmde32.exe	89
PID 516 wrote to memory of 2240	516	Qqfmde32.exe	89
PID 516 wrote to memory of 2240	516	Qqfmde32.exe	89
PID 2240 wrote to memory of 1236	2240	Qgcbgo32.exe	90
PID 2240 wrote to memory of 1236	2240	Qgcbgo32.exe	90
PID 2240 wrote to memory of 1236	2240	Qgcbgo32.exe	90
PID 1236 wrote to memory of 2772	1236	Adgbpc32.exe	91
PID 1236 wrote to memory of 2772	1236	Adgbpc32.exe	91
PID 1236 wrote to memory of 2772	1236	Adgbpc32.exe	91
PID 2772 wrote to memory of 4720	2772	Aeiofcji.exe	92
PID 2772 wrote to memory of 4720	2772	Aeiofcji.exe	92
PID 2772 wrote to memory of 4720	2772	Aeiofcji.exe	92
PID 4720 wrote to memory of 2572	4720	Amddjegd.exe	93
PID 4720 wrote to memory of 2572	4720	Amddjegd.exe	93
PID 4720 wrote to memory of 2572	4720	Amddjegd.exe	93
PID 2572 wrote to memory of 1384	2572	Aabmqd32.exe	94
PID 2572 wrote to memory of 1384	2572	Aabmqd32.exe	94
PID 2572 wrote to memory of 1384	2572	Aabmqd32.exe	94
PID 1384 wrote to memory of 1612	1384	Aminee32.exe	95
PID 1384 wrote to memory of 1612	1384	Aminee32.exe	95
PID 1384 wrote to memory of 1612	1384	Aminee32.exe	95
PID 1612 wrote to memory of 3148	1612	Bjmnoi32.exe	96
PID 1612 wrote to memory of 3148	1612	Bjmnoi32.exe	96
PID 1612 wrote to memory of 3148	1612	Bjmnoi32.exe	96
PID 3148 wrote to memory of 3420	3148	Beeoaapl.exe	97
PID 3148 wrote to memory of 3420	3148	Beeoaapl.exe	97
PID 3148 wrote to memory of 3420	3148	Beeoaapl.exe	97
PID 3420 wrote to memory of 3040	3420	Bjagjhnc.exe	98
PID 3420 wrote to memory of 3040	3420	Bjagjhnc.exe	98
PID 3420 wrote to memory of 3040	3420	Bjagjhnc.exe	98
PID 3040 wrote to memory of 4104	3040	Bfkedibe.exe	99
PID 3040 wrote to memory of 4104	3040	Bfkedibe.exe	99
PID 3040 wrote to memory of 4104	3040	Bfkedibe.exe	99
PID 4104 wrote to memory of 1896	4104	Cfmajipb.exe	100
PID 4104 wrote to memory of 1896	4104	Cfmajipb.exe	100
PID 4104 wrote to memory of 1896	4104	Cfmajipb.exe	100
PID 1896 wrote to memory of 3572	1896	Cfbkeh32.exe	101
PID 1896 wrote to memory of 3572	1896	Cfbkeh32.exe	101
PID 1896 wrote to memory of 3572	1896	Cfbkeh32.exe	101
PID 3572 wrote to memory of 3688	3572	Cfdhkhjj.exe	102
PID 3572 wrote to memory of 3688	3572	Cfdhkhjj.exe	102
PID 3572 wrote to memory of 3688	3572	Cfdhkhjj.exe	102
PID 3688 wrote to memory of 668	3688	Cjbpaf32.exe	103

C:\Users\Admin\AppData\Local\Temp\fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe
"C:\Users\Admin\AppData\Local\Temp\fdea7bf3cbc0807e1d91fc73f5250900b776d03fdd2fd904fc23837274109f38.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\SysWOW64\Ojjolnaq.exe
  C:\Windows\system32\Ojjolnaq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\Onhhamgg.exe
    C:\Windows\system32\Onhhamgg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\Onjegled.exe
      C:\Windows\system32\Onjegled.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 408
        28⤵
        Program crash
        
        PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4616 -ip 4616
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
896KB

MD5
a6542b110027a23b995a4dbd69ea35c8

SHA1
f0a1ef81fa92b051be009ef953415a078b20bd9c

SHA256
aa883d3c8a77e1f8a7804f86b1dd620f5ce69d2ec621edc19285e69cad8e6daa

SHA512
e2a6ccad1b4db7eb8c03f88569ac072a1534d3e0aa885924627e9a7b54c8914f2bd1ad9702b83613e3c553106b355f9af7517361eb9ec3a1f2d8ab146a46d089

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
896KB

MD5
0e9489ec027704bbceeb874ccc35e64b

SHA1
9eb6d6f87480eb06736eafd8eb5663dbad6c83de

SHA256
33076ee7fb363ff470c0bb86d82b4a6787de59190c764e3d0fe719aa6c83f608

SHA512
01c5b572070fd119745dcce3ae8313e3ec3e68228aa4c2fe0f91d733f6478cebf55cb7065bd30e39f4d841a010c56894bc74e4e69971e20522fd11c2f9750203

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
896KB

MD5
4ec7af45c86d64d28005abe054f8cc6c

SHA1
769e3ed60dbcf6fc886811d305e8701502b5aa70

SHA256
679bfc28a2f5114fd91eee95515ad8944dd6f6d04c0a26f7d94ff3864bb190b3

SHA512
df277768dbd2c764b51a4444ff32b5896ce8d5ec9d069f1f5b1ab9107248e4e186903837bb9d770b88fbf52b3a1fe18b6168b13c835443ebb303d7d248aff1e2

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
896KB

MD5
8d6f8210e681584cd44310e0bc043241

SHA1
02b023eac8243a3e97c4c316037bd05a45c03f9a

SHA256
db5ded15db976f5dca97428e6af210a6bfcde33fa3945b1992a37099ede74edb

SHA512
45144aead2dc1cb214f456d792fe610a4857b1665376a437099fbc68064d21218266baea9831c368e3efbfd6df0f33c2aa2bc5bded5b8f18382d966c8001304d

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
896KB

MD5
5a21288b28998bad2be5f28ccc403819

SHA1
21ac9f525cbffb3aed00e23fb7dfce067d537274

SHA256
6eba91c2c0ab49c42310cd1b0e9940f4b733a4b570de9bdbf4db08280b506a5a

SHA512
c804e7dbb408172071ca1a86470085cfe845b7be0b4a666dc03d5f6f3028c279d10ae82fc2c7bda1f4815059f6ac352153283ffeae80b46e30c7fb0c29894341

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
896KB

MD5
24c9a2f4d7f057ea4f01c52fa73acc10

SHA1
580067cb8a651c57878ca6ebf6244c44b8106b29

SHA256
c1c8bb6305623bdfc1da853389fb7df8266db270cc78e6cf39bd18221ed72121

SHA512
022e6e3f465c87fadf898b4ba4d8f5ffedaeb56f3b94220abfc50d5524590eb262b47c4d7dbaa746787fcdccf45d886d278a90b8a5536cefd5832ab76c2b9b5a

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
896KB

MD5
87620fdbd565d0d6627c161be99a06e9

SHA1
0bcf0ffb9af4b2038e4d7108e543e94ba84889fb

SHA256
be28046c3dec1e427c0836a4656693eaed7d04af28e0112fbc48d69bee2b5db4

SHA512
d28a519917d16fef821f28d948b53e275ef8f15ca150c0d4c9f89928a525aa06e2bcc73b7925262ea1dba9f3a23fe275e00030fe829028cc07ad1846c905f9f3

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
896KB

MD5
707e80e1b39819e7de7cc2aa986ac8ce

SHA1
345378e52d71fe938bcbe6fae0e97415e59a8b5a

SHA256
958d80e4aea862c91a5342796ec47f7fb6fe2637f00ca2f0f37bf6772c5f4c6e

SHA512
4f706490048f89ebc07c38cda41c8f1bd0645a0483fe051c15ac1b85ed13aed5479f905969d4d0c821738c3092216d3a69b5e6a6d4af30e8186c2c1bbe17069b

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
896KB

MD5
a232cecefa4022f7ce246081d47ff5d2

SHA1
e193c301dde3cc8e1b798d6b6a59c92e09a73aff

SHA256
72d3e77c9678634654b9ccd15c1203c3ebc0e938563c9dbd6c1f0ea78b915a38

SHA512
fe883ef42bf07a110098230bed22d550ae473aa9bde515380c5833e9d9b62b12f729732554b50e1f40ac62aafb108f5bb8696a4b7f28403b6e73a81d2e921807

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
896KB

MD5
9c75e5d10db66dcdb8e819691e57adb0

SHA1
08661ac845fb35b830e24bb145f0ea0b0feacc11

SHA256
44dcb4bfdbaca9a6d81c1ad9fe89f9e4f840db685c64a932c1c6bd2a3a2de7fe

SHA512
562488fe8a85266a2334cc55ca32b4bae57225d1838c3ce078c38ddac927ca0b605e251a97d22c0c6087c2443cc515332eead66595208cc1bc556361d0698007

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
704KB

MD5
5b89ecafb77d5d95995d616766de56b0

SHA1
dd826cf9fd23a99e812349868931a6783fa86e3b

SHA256
2a8c883557e539214976ea2e377cda4e6f41f4d13bc1994bc066fbd46ec8ad23

SHA512
e1aba6db7d7b4b13fd1a163cfa0e0dd3d6fe1dc8d8e111c82b33c84676789d14731ae7ceb45a5aa8699221e527d0665742db350b12d2114d51f6d2cfcd65dc10

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
896KB

MD5
1246264d3d46065b66ac15d008d0f22d

SHA1
9310e43d0f56f23ca6997197ded2d3dbf5fafcd2

SHA256
027e6303e7405ff6b6ea07e8e7bc5dd8c828e68667d5d2c28d5908ce3b990720

SHA512
306e86af7442cf7e04f3436cfe2de0c3cc0d0a0b85b2d213119b73598c3605093c8e019c83a3db47918191a60153ebf0b638748c8ce94adadb514d2e09c0095e

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
896KB

MD5
ab889853d5ce49ab2d0dd88d1c485ad1

SHA1
63959049082ed233d2770bd693873ed5372e2462

SHA256
859a5785db3e3fe8977b9e5f996546cec8465940d9bbccbcc55eb12ecf0e4edd

SHA512
8a6d0f3ed34c8af5157a888e8f9afcaea8f5ae66f11c8a1bac46d33661fb1064e873ca0ec5344a9f1150411a0b087763df5722d7edff9c471ef7610a87fb6d80

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
896KB

MD5
04545fc1b42fa25fa921acddcdb4af5c

SHA1
47318abe032e47046c6d003148afa6f6ecb2def4

SHA256
dedc3b067d5d3306c8fcb200dbbe66da3ba6b4c65bbeb83dcace9bb53f1def1c

SHA512
7eff59aaa7979c367fe6df539e5bb3b1a80dfa3fa537601c41efa9a99a152c03a69598853ca11ee9c789f8859b37b043032e39b66c75e26a604aee733a382861

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
896KB

MD5
e763862b689137b708beaf33b5596f00

SHA1
b3e7d0721858b0d15e95f70ecd1adc655a3ff9ab

SHA256
c186086d2bc54d7b7ddf216ef173a36b912d73f8ff1bb21b9bf98b9c9ecca273

SHA512
7a1c466cffda2314334ec78f150e964eff3ceca08b7835ec01a778b859aec5aacf755d8c7a5e99849d90e67bf0e5ff73ed31d201c291a17f089fb26e5222e379

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
896KB

MD5
f09c7ac79398250d63de435a82b4e751

SHA1
b5b0251eed658d9488e8c7dc980aea0fc70cb7f6

SHA256
cdc8fd39c9feebab5ad05a18ad27edfd77115a982764a661dec2e45e551181b9

SHA512
29cd3870d9369335dd89ea18384bafebe78ac20a934a6c08f1ed1f12a5cb0fa797c87c1c43ec6fe42390d441d639f0b5aae86e5de181641f76d5436e17effb95

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
896KB

MD5
c517139f37448c2a414bfe67f223cd06

SHA1
ab230de8324e40589e3ef3cbbb9a6c9b5ca2b6ed

SHA256
5acb8151b7fbdec1531354fe487489ffa88d4f111745e8926ef49e759590ac7a

SHA512
abf099619cf348bbd64fd47755a01df1692f44fc47b35080323a9260dbccd14323fa7be701bd9d8dc8030970f82f326af49ec1f73786c04c428e0b47c96d7308

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
896KB

MD5
004c7d2faba378544a8a847327db8fd0

SHA1
7019e69698615d17b8e04c4a18692d26802a593e

SHA256
7be18009b37e13830e745123d1a22480aa718c371820e27b4b33ab413d352860

SHA512
25b5115101c3fec1690fb761f9ac8cebf37c69f2ce58b878cc184a0dfd61733b4bc79dd5b8015915f09bd7a44043982e0940d5c56dc8f5136c171f07e3d9eb9a

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
896KB

MD5
e08b27ad531688a1bc34042923142720

SHA1
55004f9bf9eef76dddc83ffdc5ebd70ce3857757

SHA256
d72b752a22e15d8dc14351c9805a67fd5be865bf15eb10968c940d218c6b1f97

SHA512
0387a84fe2d9103a415b6a4608d45fa949b401e57872485bb45f9283b2447ea4809c5249abb757df1a547c30bbe7ccd83a7b89a096758aaf04576f565a38cac5

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
896KB

MD5
0df41f0729b0f1de134cd51381e63927

SHA1
aea1a154dddbc0c38eeeb2218adf9ce6477d6076

SHA256
996a811aa52622b9a147e176b4bf93d453553e8294a7b6d61b651e26bea4a21a

SHA512
f2ee144d0326318299606b57437e62de26dbbf199df27de13b3adcc3b87bf7d76927434997e5bca102927d73c835d53cdcc9e5a40e52440702e439d573d0ba17

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
896KB

MD5
425c5f6d3d6aaa6a50da47e4f034e046

SHA1
3e70ee955c1c58e8af90965f76c3d7ad23df6ac0

SHA256
eb52bfcf3048e03c0f0a7f2024a521d76bbc5b0a9910a9008e7505e0b7b5055b

SHA512
e66e304924dba6ab15aa4d2fc64d7dbe4acbb2061927c2969985b1027ff68cb3fe5ff512d089cdb540ddc41036b69db843f38f348cf2a2070600c140abb5bf73

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
896KB

MD5
09fa28b0287440c167b31e4da0209952

SHA1
6042b45c906ed693d1369159ecd8a07ac768a70a

SHA256
6183b1966c1e4cfa9ca89e989082447f43b4fae619c2a133a8d51399b8cbae94

SHA512
0170f9197d6213cfb04b0874e7271223799c230c2a856a9440fad9bb8d100feccbff3e2fee649b413e9999166519d660169c4910dc74cb88d50e87cb733e981b

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
896KB

MD5
9c7dbea43c05ca4e9fb9bfc609c2e2e8

SHA1
fb8bd0804f50eba854bed2f91aa1b36952e7beea

SHA256
b182681eb5c731be6e2bfcc8202e736dd5791c3f3c0c877c8d1c4a4ce763346a

SHA512
6a4733bf90bba34a000af38611425b08b5ea10e4c1790596f6e36c5886164a6d0a1a7d6fa5d13881329496c7a5316754ba29497d19beac2c237a3211dcb92760

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
896KB

MD5
8edda9a4f5dfbdedcb0860bdaaec36d6

SHA1
ee6be444a2c396336631305b8823d09596442008

SHA256
2fdd561b85c9e722d2e55566365254ca2cd386ecea32e5c0cc7bfbe59e286ff4

SHA512
67d3a3b39ad8a389060b2a2c2e094fb61d11995564ef9adbf9e1f261ee39e862e89289afa985fcc59257df4a3da7d865abec802936448df52308ca56e6081eb9

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
896KB

MD5
ef28a67779f34bb257cacf097f752eb3

SHA1
69d501b260e547777260ce43624c6c30a0f4ae7b

SHA256
5928abaee2660f68f77d09ff33ad8abf3d7a2470195e6dcbdc560d87bb0b1baa

SHA512
59a2d933feeae92a412f3317048391d9fe6e58e97adcda7de5c171c03693a1a8343ff35533de2e196e8b5a9c7ddf9b417c19aed8d8c4a29516c415667886c8a8

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
896KB

MD5
b595541dbc5ef960a971683e71e73010

SHA1
78f69ff9ee15aef23e839a032b7be60974637a89

SHA256
9e2696ee11eeb21de9e9c8140856fb3545b830f6f8a9f040fd95c5c86382a231

SHA512
45ea6076e93add78d3e6e2ef2340073212948d4d8fbea4f492a3b4dd865f4ae84d469bfd5c6a95e8b0fc7213b63b94b151ed737a9c369294a276575580acb89f

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
896KB

MD5
2db08c68492cc5e869010fcb4fc68bae

SHA1
5163b5dd8c368ad2696e01add82c3e282bd20e91

SHA256
f424aa2200508739f3f6d0cb04c7c34940efac0ec1683454fbbaa91e28ff69c0

SHA512
036c1dd103dcaf5042784c140725fee62639f9e8fa722480429db92a4f01da597db0093f66b1fd62d582f0b65668476682a183772be9a633d5e083cb923f8ca6

Download Submit
memory/516-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/516-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1204-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1204-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1236-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1236-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1384-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-235-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1524-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1588-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1640-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1640-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-228-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2572-101-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3040-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3148-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3420-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3572-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3596-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3688-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3688-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4104-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4624-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads