berbew | b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879

Analysis

max time kernel
100s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe
Size

163KB
MD5

4060286f79d00a4a1da56472ba1527b0
SHA1

0a0cc68891aae29f7ddc240e0b70874154b81ee1
SHA256

b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879
SHA512

df68d952cd7f28c3169015e10adc1620a98c6c6d4e44be1a612fc84a6cfbed65143a31012e565847569f2c3da28170bab862210b8d044e1c253a65d493cbbee1
SSDEEP

1536:PkEJ0YF1cgCA8Kmik+f2Zhioeone/zlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:TJsgCA8KTk+fkZe7ltOrWKDBr+yJb

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfjjppmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmdkch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfobjbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oponmilc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1544	Ndhmhh32.exe
4040	Nfjjppmm.exe
1928	Nnqbanmo.exe
2388	Oponmilc.exe
1136	Ogifjcdp.exe
2152	Olfobjbg.exe
1884	Ocpgod32.exe
4916	Ojjolnaq.exe
1312	Odocigqg.exe
3808	Ojllan32.exe
2412	Oqfdnhfk.exe
3980	Ogpmjb32.exe
1028	Ojoign32.exe
8	Oddmdf32.exe
3548	Ojaelm32.exe
3292	Pqknig32.exe
1588	Pfhfan32.exe
2924	Pmannhhj.exe
2824	Pggbkagp.exe
1368	Pmdkch32.exe
5112	Pgioqq32.exe
3216	Pncgmkmj.exe
4448	Pdmpje32.exe
5072	Pfolbmje.exe
1592	Pmidog32.exe
4540	Pdpmpdbd.exe
1340	Pjmehkqk.exe
2468	Qmkadgpo.exe
4564	Qgqeappe.exe
4996	Qnjnnj32.exe
2012	Qddfkd32.exe
4068	Qffbbldm.exe
4684	Ampkof32.exe
1184	Adgbpc32.exe
3348	Ageolo32.exe
3728	Anogiicl.exe
2872	Aqncedbp.exe
4176	Aclpap32.exe
908	Afjlnk32.exe
4812	Anadoi32.exe
4748	Aeklkchg.exe
3356	Agjhgngj.exe
1040	Amgapeea.exe
4460	Aabmqd32.exe
1572	Aglemn32.exe
3104	Anfmjhmd.exe
2276	Aadifclh.exe
2616	Accfbokl.exe
3760	Bmkjkd32.exe
1728	Bcebhoii.exe
3648	Bganhm32.exe
2004	Bnkgeg32.exe
1892	Baicac32.exe
2116	Bgcknmop.exe
2856	Bnmcjg32.exe
3904	Balpgb32.exe
4908	Bfhhoi32.exe
1720	Bmbplc32.exe
2636	Beihma32.exe
4596	Bhhdil32.exe
1056	Bjfaeh32.exe
3964	Bmemac32.exe
1780	Bcoenmao.exe
3472	Cfmajipb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Ndhmhh32.exe	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe
File opened for modification	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Oqfdnhfk.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Ogifjcdp.exe	Oponmilc.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	Oponmilc.exe
File opened for modification	C:\Windows\SysWOW64\Qgqeappe.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ojaelm32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Olfobjbg.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Ndhmhh32.exe	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe
File created	C:\Windows\SysWOW64\Ogpmjb32.exe	Oqfdnhfk.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Pmdkch32.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Olfobjbg.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5596	5508	WerFault.exe	176

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojoign32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmannhhj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olfobjbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olfobjbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaoidec.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clncadfb.dll"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfilim32.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmannhhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Odocigqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1544	800	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe	84
PID 800 wrote to memory of 1544	800	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe	84
PID 800 wrote to memory of 1544	800	b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe	84
PID 1544 wrote to memory of 4040	1544	Ndhmhh32.exe	85
PID 1544 wrote to memory of 4040	1544	Ndhmhh32.exe	85
PID 1544 wrote to memory of 4040	1544	Ndhmhh32.exe	85
PID 4040 wrote to memory of 1928	4040	Nfjjppmm.exe	86
PID 4040 wrote to memory of 1928	4040	Nfjjppmm.exe	86
PID 4040 wrote to memory of 1928	4040	Nfjjppmm.exe	86
PID 1928 wrote to memory of 2388	1928	Nnqbanmo.exe	87
PID 1928 wrote to memory of 2388	1928	Nnqbanmo.exe	87
PID 1928 wrote to memory of 2388	1928	Nnqbanmo.exe	87
PID 2388 wrote to memory of 1136	2388	Oponmilc.exe	88
PID 2388 wrote to memory of 1136	2388	Oponmilc.exe	88
PID 2388 wrote to memory of 1136	2388	Oponmilc.exe	88
PID 1136 wrote to memory of 2152	1136	Ogifjcdp.exe	89
PID 1136 wrote to memory of 2152	1136	Ogifjcdp.exe	89
PID 1136 wrote to memory of 2152	1136	Ogifjcdp.exe	89
PID 2152 wrote to memory of 1884	2152	Olfobjbg.exe	90
PID 2152 wrote to memory of 1884	2152	Olfobjbg.exe	90
PID 2152 wrote to memory of 1884	2152	Olfobjbg.exe	90
PID 1884 wrote to memory of 4916	1884	Ocpgod32.exe	91
PID 1884 wrote to memory of 4916	1884	Ocpgod32.exe	91
PID 1884 wrote to memory of 4916	1884	Ocpgod32.exe	91
PID 4916 wrote to memory of 1312	4916	Ojjolnaq.exe	92
PID 4916 wrote to memory of 1312	4916	Ojjolnaq.exe	92
PID 4916 wrote to memory of 1312	4916	Ojjolnaq.exe	92
PID 1312 wrote to memory of 3808	1312	Odocigqg.exe	93
PID 1312 wrote to memory of 3808	1312	Odocigqg.exe	93
PID 1312 wrote to memory of 3808	1312	Odocigqg.exe	93
PID 3808 wrote to memory of 2412	3808	Ojllan32.exe	95
PID 3808 wrote to memory of 2412	3808	Ojllan32.exe	95
PID 3808 wrote to memory of 2412	3808	Ojllan32.exe	95
PID 2412 wrote to memory of 3980	2412	Oqfdnhfk.exe	96
PID 2412 wrote to memory of 3980	2412	Oqfdnhfk.exe	96
PID 2412 wrote to memory of 3980	2412	Oqfdnhfk.exe	96
PID 3980 wrote to memory of 1028	3980	Ogpmjb32.exe	97
PID 3980 wrote to memory of 1028	3980	Ogpmjb32.exe	97
PID 3980 wrote to memory of 1028	3980	Ogpmjb32.exe	97
PID 1028 wrote to memory of 8	1028	Ojoign32.exe	98
PID 1028 wrote to memory of 8	1028	Ojoign32.exe	98
PID 1028 wrote to memory of 8	1028	Ojoign32.exe	98
PID 8 wrote to memory of 3548	8	Oddmdf32.exe	99
PID 8 wrote to memory of 3548	8	Oddmdf32.exe	99
PID 8 wrote to memory of 3548	8	Oddmdf32.exe	99
PID 3548 wrote to memory of 3292	3548	Ojaelm32.exe	100
PID 3548 wrote to memory of 3292	3548	Ojaelm32.exe	100
PID 3548 wrote to memory of 3292	3548	Ojaelm32.exe	100
PID 3292 wrote to memory of 1588	3292	Pqknig32.exe	102
PID 3292 wrote to memory of 1588	3292	Pqknig32.exe	102
PID 3292 wrote to memory of 1588	3292	Pqknig32.exe	102
PID 1588 wrote to memory of 2924	1588	Pfhfan32.exe	103
PID 1588 wrote to memory of 2924	1588	Pfhfan32.exe	103
PID 1588 wrote to memory of 2924	1588	Pfhfan32.exe	103
PID 2924 wrote to memory of 2824	2924	Pmannhhj.exe	104
PID 2924 wrote to memory of 2824	2924	Pmannhhj.exe	104
PID 2924 wrote to memory of 2824	2924	Pmannhhj.exe	104
PID 2824 wrote to memory of 1368	2824	Pggbkagp.exe	106
PID 2824 wrote to memory of 1368	2824	Pggbkagp.exe	106
PID 2824 wrote to memory of 1368	2824	Pggbkagp.exe	106
PID 1368 wrote to memory of 5112	1368	Pmdkch32.exe	107
PID 1368 wrote to memory of 5112	1368	Pmdkch32.exe	107
PID 1368 wrote to memory of 5112	1368	Pmdkch32.exe	107
PID 5112 wrote to memory of 3216	5112	Pgioqq32.exe	108

C:\Users\Admin\AppData\Local\Temp\b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe
"C:\Users\Admin\AppData\Local\Temp\b6c6f6bd3f10145660f75a12e9cc86145db01d4b55a407f840ad32d90b228879N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\Nfjjppmm.exe
    C:\Windows\system32\Nfjjppmm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\Nnqbanmo.exe
      C:\Windows\system32\Nnqbanmo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\Oponmilc.exe
        
        C:\Windows\system32\Oponmilc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\Ogifjcdp.exe
        
        C:\Windows\system32\Ogifjcdp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ojoign32.exe
        
        C:\Windows\system32\Ojoign32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        28⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        40⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        53⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        59⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        88⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:5416
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 396
        92⤵
        Program crash
        
        PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5508 -ip 5508
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
163KB

MD5
a598f50fe2f0eb44e7f7af9711b7ca1a

SHA1
82e88195f3b64a167edfc9b81cd86a533f60cccf

SHA256
9a18a58cd3f9b76ed3f4c7e91cae37b39cb444c274696965d87234eb74d0d0d4

SHA512
0541d636b66fcc615b2a96536e54fb81f9572e5ec41e259a7f1cea66f926ef18fc7028049635e31fba44eb7938ab57314060025788693f0695a5f56961198885

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
163KB

MD5
232944056ab0ccf9ab295c752b134156

SHA1
e296cd8f98314cf9aa47644e033c5590b18e6e24

SHA256
e261723776c7c451fa52828d34a57c5144c3d6d9e4a140dd22d7b60aae50690d

SHA512
f7e1127de4d752fceaa4767c09518a32a225074c35f9d04e4e7a93795da93258f437ad6b7709646b2f9f8bdfecf30f685b96cd827685baf0cacaa9fb5fafe8c6

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
163KB

MD5
d376e516b86b42101347e216e021a56b

SHA1
8381861c35521e1454abc078246669d4c0757704

SHA256
43e2c8710b8369ac57b53640ae0e557b54ae6c27cfbf5c913928889b9acfe1a6

SHA512
cf8306b50828f4718ae3627f0cb128b758df37c13bdef7bfc64e64f4ded7ba68a210274805abf96b76342ca1d7a4c411e0bde3b5a7b332d67ee39110cb205640

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
163KB

MD5
e155ae4461d6ac23e130010bf6df8a45

SHA1
9113d2ba713fd4f05efc2d70f6eebac3e0b46d77

SHA256
3d4de1bb10d85ad22fda73336781ab130b6cb4e46408e2d819c016483e44a248

SHA512
5f9374dabbdc5ca4fcc17d6281e00705fad4dfb72e08d5137b5a98b89b389a3c97ac47241a5af3ed7727f471ad55487b673658afab7f25e9a69f8c0d76d32bc2

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
163KB

MD5
8b8147f6edafedaf3fbb7ca18dce177d

SHA1
001804de76e0d962a9f45e9951e55b383a1b6c98

SHA256
db3d40987db50e0772a930b0038ce2313158b36f1c759f557cf5b58041ad3e5c

SHA512
2fd291abad1c5a20302ec15ce9a0d1707b7642963389c9dfce5831c4828ea9f6cbc45f6f7abc809cb24bf5341575224b0c2d1e1276513ebf880172f79560a3f7

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
163KB

MD5
d9f9cf635f86e9da1c5435db4004f798

SHA1
1147b46144c4f060125152d1d55797cf5dca3c39

SHA256
d87beb6dee6eb9238d097c961ec92a96301e949a00c0540a26cdbc01abd703ad

SHA512
a21d415fb2246ef6cf7a5f32b3f2e148ac7af28467d03592d51a722ba9a7178ef3c0c257e8d96c34fb498ca1c49b8e3bea4a52ceb2a83cc0837fcbd7b5d21e2e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
163KB

MD5
255ffe06a54fe31c2fe960c346fc1199

SHA1
c5bd477bbb1c1ebbc12210a14d632eebcefda88f

SHA256
b6455afffac88bc86edefc0ff038675bbc03858d3e6eb209a36c864939520510

SHA512
33c281750f2ac2aaf081814c88ca5c4951686c7e8dac30b605aff2b6a6da54e60819d9139f56fea86176709488a75bd2227888aa99f91feb3680b6c39c174f8f

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
163KB

MD5
3cf616a6d47e386cba2728334f15fce9

SHA1
83b6ee86d95aa857423613ca0687ad92ab39666b

SHA256
76db15826724a4fa7b0524e958456fae7229074fc5809d0648f084ad3c44fac4

SHA512
c22b7ceb0a6e225ca5376217ef8206fb74d58322b589f04e423204e79f920077493f114f2e712de26f590479d26935b5d2c339318a3685b5d37fc5e70d5bebce

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
163KB

MD5
5de9fd5da278af15218e65b3f1cdae4e

SHA1
5b8b0b878714760951864c2d908da0a66fb5a6d6

SHA256
d94c069a0e777c42b7f107f99ea69d0ea783b6147a9f7f422d06edabaef6b821

SHA512
938c9a289d82c22346c1780165e68bb1585f5acf48c9b74a14de5041e0c4248935ea3d9afa841924d09d2ea02b3d1007b78d929d428ad462d372cdaf3ec92a82

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
163KB

MD5
0b59a830cfe713d1c759e40068232e6a

SHA1
b283509b3b9645da7bc023746cab02a04e28cdda

SHA256
10d62113647eb27369bc37d8fc8a6f7b0eca5aec8fa228b193e5870b423023ff

SHA512
68de64bda59335244f1b45cf4fbb35624269c2a02d2f47d7c3aa64922a2d01790dcf55e6e6f750db5ed9f6b0e6c8c83547f443d1daaac8a3d48a731de14d8fc7

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
163KB

MD5
432ab5ff127c7932b1d7b48d2b71ed03

SHA1
09463c656239934de0985ce9ca9b2b235016e64e

SHA256
c687cbe4715e832e53cbe736b79bdbfd699afd97df081c45fbacd15aafeda85c

SHA512
06db12c396a5c83ab511640919a22aa316f3896c93a1b7d0a56c0499074d937315ae488f4ce84909ddaf8bdb7bc8b46c057769003012731578b7e1aef2c2088e

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
163KB

MD5
d58768cd6e0ac884934d03a9f833d92c

SHA1
8c3882a96ba9df13dd924a60312e20305c3bf03e

SHA256
e054d36e02a21590b364d9b24dac00dbab613fd917c0e18e8713597dd9a917d9

SHA512
8eb4472c7fb3069bb55be7e032458c17f87d582ae43064ae4118dc634a0292b458d7db7b5e3cc43399c21e7c3807eb49236ba518fa077682966e1f24cf9f3c89

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
163KB

MD5
c6837e293bf4b06abb88f056579abce3

SHA1
28e997ac11f3f5a80ca7876c667df754a2b3b843

SHA256
a2e58eed31e010e599b71217882b5c79ce2545a9e75aa8bc013a5334a8d8bed2

SHA512
7944529a1ee08a41bd2180b56638ff2ecb56b82a364841424d43ceb5de3306471af697eb97c75f12e496a4a62526835e6a94762ce66161cb4fa62225af9c5bb5

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
163KB

MD5
c7f38a68d275c85f76fe15239e3dd209

SHA1
396649039050c274c0da3e1ed07f71e75c8521da

SHA256
16211783da86fddd6184440a0fc133ff84304db307d1224558f93754a6310a88

SHA512
6680adb1c87705107ca2254aa37b941bcb176014db4e38322674b4674e8bcfca26c107915718670739e4f9c2b3b2665a150ba42e39b172b0f4166ec21cc14eda

Download Submit
C:\Windows\SysWOW64\Ojoign32.exe

Filesize
163KB

MD5
56abe1f4be4754dbecc2d98f21339455

SHA1
9e146852958ce961cc4002837747d43817f06279

SHA256
24ace32760e7004d4073731d0119992a0777b4f1837ecbb16569b0f0b1fb9ae6

SHA512
e96d16d0e43f9e9e162922d5c35651175e7723ab9d84f6178510e1b8f70fff798f0181aa223f86e6e208bb4afee4c2616e7612a66a3086079b042efe08a5e3b2

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
163KB

MD5
62253cebad8bea4b02da881fea7dab74

SHA1
7ee58b22ca365f9b88956a1c948d3285427c4e8d

SHA256
9b6a0a7c8c1ae55593cfb007f714fdee7747c4ddc06601367fc00873ae465d35

SHA512
97723cf49d275fd3558ba694cc028ae6a26a4eb8dd1db7943e3e6f532527296c177e6b2909a33b121473693544508f075210fe53a3072008815f71b4f2ca9e61

Download Submit
C:\Windows\SysWOW64\Oponmilc.exe

Filesize
163KB

MD5
429cf599f912ef6853c0f9451b28b6e2

SHA1
639331108d140b21c9cddd5139cad12ebfae7f32

SHA256
ae88c32ac3c9989f9433e81414a77e28384852969a724108c950c884c4d444b1

SHA512
55aa3c0788b3e8ccee63b342400329a7cec647473d379988c5e425fe0e009b152c0f9f7deff0e43249e83a4b5903e05c4578b327e1aefaaeb6eab77d4ed0f6d7

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
163KB

MD5
94d0c3566f88bedb3d4551e1b2a37e2a

SHA1
087f4dd1f6019e796c0b5950d0560b955162b6a4

SHA256
6c96e2d4df1cb24d1aa93da9aee864bf88f8df20d2e98baec71d5dea43144ceb

SHA512
607f7d81d2e1528755d87c9ddb6828df427ae60c6fd5959c0082a7ffe2f7ac4428a0d5ed14a1eff8730e8e55bd63f8de94df62a9ba74291ab973f6049473b0eb

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
163KB

MD5
d3493674a52de61015abfadafe0b50f3

SHA1
f739d1ea6575d417429a0f077d68b51962863468

SHA256
70e92bb2f1f16fa7e6fcbf35226903a2c1b2767bfbb624aa3479c4f7a3829e1c

SHA512
0b67df36233758010c83b8d4a81b5bb79926a1300ec1001070e184a206a7ad802bf2a75a038b67368aa52e8e6e96475ed9fd18bfb63617b410baa79288b20401

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
163KB

MD5
3591273f1caa493a5c209ba0c62f0983

SHA1
1142cec745a457254eadd50ea81d3ff0d8932373

SHA256
c8f5d32cf0054d8b76dfa9578b63014e238db741fcc2a15a79d005e1485fe123

SHA512
61a4ce32aa33f04ff013a379c3777c23142ab7b3ca9bc0d08435e747f40419982aa661418ba3a2db3f3172b152e123a07d0a6a19dc9e6eb43b53c2c7c32b03a5

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
163KB

MD5
d0d5901d9c4146f872f905f94244e0b4

SHA1
14f66e26ee9b14c6465a4b399c4b79a1a26067c6

SHA256
d701565ba4473dc33347b7173aaf96ee5fc72a42f45a783030b06034d0a6ab33

SHA512
429c72a1b6a4974efc4d4279bb1ea6d768a04ae395c43f20889a9747de5e320eb7ad97399f854c8e2534023bfc826bbabb7c378c92e205ea6f20646c55e7f991

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
163KB

MD5
ee68952a4d061219c7bfb4e6d8a40318

SHA1
3b0479b709daeaa11cd08ff3e12e1578c23b5584

SHA256
afec18f09731655a9e11795eb8737a6657f8ce13986a703a6ff872b3f46cb888

SHA512
80083f818e682373630e27d0eb33ea30d8648f74d2a1f9d24e40512be4337dd8bcddf633f5e16c4985aaf430460501f67bcee00a6fd7c5e3583c608641f2d490

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
163KB

MD5
17adc1b9e609b48fa61257f7e5fff237

SHA1
1fbb06f5d13141c89fcdbda99b44ce03e8a5e6ed

SHA256
36ea719b38833b53647b4c69382bc44c10d119a6e65b0e1636a5c942c6f16b3e

SHA512
e145a2e42ed879e84923d55aa3bb8f6248b5837388514121e401e2ff30a18c7ff8659df1220a188907bbd59c8f88875b863fb625af81d69bafd406ada73634f8

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
163KB

MD5
f67024bc00d9c2d6f6b108bbc5c701ff

SHA1
300ca63b6c56ff258206872b47f16dd22b87f6db

SHA256
d3c6d26e1befa96f73996d4fb664eddb82e98e543afbfc4f727af300ffdc9a03

SHA512
ba815d9f492663d7a082b29b57692ac389f93a44449a45cf60b5ac8b1524934795a3de9da3104f274a97e6a8c227fb132803a83f4e3590aae851084b21d2346c

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
163KB

MD5
10beffe340aefe55271632b9e7c2a57f

SHA1
b40c126b5d31b578f66d15358ba69c43e8327bb9

SHA256
7d5cae733336cca5a69db3fe5425539576da10078ed1035deb1cc2ae00d29ea3

SHA512
4b3d093c8b4779270acd8a84e13537c0b95351708da57aaf56f0dd4b9dc28d4529c3ae287aa04c5a9f9f4c9cdcf18b31228820e03fa05b72cbf94389cd0a2c00

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
163KB

MD5
c137634f6f931935fffc5448e99982aa

SHA1
d6aa8b995c488e35ed70c761f107469e1e070b1f

SHA256
4d542e6dd74b3dcffb744b2d650b22978084d6cd13529d703ef2bc7c76081505

SHA512
891f5fbc9e449b679e11695c9d442e0ff7c44980c3d3662f1e315cb37a950b2e5b40c307cbbd4caeb9314bb38a226d7de91bbd1a5c9a6fd167ab27d294e378c1

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
163KB

MD5
96a1cb6866f96f9f758d1a46de5ef37d

SHA1
c126f10811a8faa23cdfaafb3ac28c652fe52cb6

SHA256
dbf170d18d54b5894d8022e2ed3efeeab76c9d6def02a816073dfd4589286970

SHA512
f02bd3b27db3ac386d0a56db3d1f00beb7394d68e5d47609760aa523edeeb2bc592b4b5b637b9d0ab64cde350fd9f4cba21069e45e11c88fc782587e81c6d10d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
163KB

MD5
c266daaa13caa4baf9302114546e1df5

SHA1
58630066ff209a4fe1518a151f00892d44893f26

SHA256
0a5d67c20ab31f9b4ada9586154e0101a726c1f8d2a4960f0294f87a26afce52

SHA512
8ae824082e46d01f5c6668f63020022f865cb451f2873e40813ada0cc94bd151a839ca0e82d364bca98a5131d91f8164009d523d36e43ccefa7083c1b9bbce39

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
163KB

MD5
8a6cdad0d10063f3a098798453e431cc

SHA1
bd89f342d1c7b223c4d8a7e4d67cdeebe691d911

SHA256
95dac9ef5157f010b5f0bc0131afea943096fafe190adfd68d8ffcc0708dd030

SHA512
ba4ddccd42f0052d74e1dc1cfd44a1850ef8311906cb1f88cc1827a8ba8e3b936a3cfa82f5ebcd978bdc49f4d5ff6b9544f84af1a4049d1f5f697f11f6ff2902

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
163KB

MD5
7973a6ac947c5eef8557bc3b9838c656

SHA1
fe22b6a3dc6aa8dc60a2f56510139d27a81556f2

SHA256
37281535dca8f6b385c956b22e76cce49a59f917eb6f952bf5e2a14646f87677

SHA512
54426bbd3048e863918fa2ab5e9e401fd73ee7271103623b638da79518a1d6a213f06e69ee18793b6542a22a953531b28817facdcbf97b66be4a760fd11b09fa

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
163KB

MD5
4b4df673fb12ed4742e9afbfd2cec3bf

SHA1
916075ea74afaa2daa7a926cd376cd1af82d9753

SHA256
cbe0cdefe0a595da6698cf17ae8ddd25b875cdd9a07d98cc0fe6e7b642c451ea

SHA512
9de810468f53036d980daa45acedfb4fbca8a0b427d7f900c739cd67e7a26efe080e054d597f1025f8f78c21e6bbd652acb7161bc067ae2cae4197f35968bdd9

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
163KB

MD5
4ef4612c4821ce6f8fd2ca350e5528fe

SHA1
ead04788f5b15f197567d80691db1fb22fd1f148

SHA256
007e5635fceba95b84d6a3a4a0fab7b06fa3ca1e42dbe3fe8ac803f53c7ced0e

SHA512
80b26c5c5b0653602180fe675c141c9205782d1d85fa90380ed47cbc5af5c0e8dbbdc4abcccb65f6ac561a8c651fe6ba3771e1b09f06663abf5e1672a066904e

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
163KB

MD5
6f6925bf57b469564603229a5be0680d

SHA1
512b2de7def9d1a804f31d912d139f546dd8e168

SHA256
b604be71d66ba91d67b5304db4c919b5b8fcf73bac80472ef1d74a4482e5edaf

SHA512
5476e3ca8f16ef339c45933535efbe5213f9e15f63587604da134e9a242dce585ee39788dbef024861f277e69339eb84feedbed79151ed32619bf661051a9a5d

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
163KB

MD5
e7706d06bd2811de785fb19fdfb629c5

SHA1
c0fc76065b9677e8634959cc329de2576cf4e351

SHA256
295383c0a5abb32a87cf4d6d81afffd5a7883f1660002c1df15574c2114e86bc

SHA512
412e51d69fd0050ce70d0ed1c04526e5509c28141022a33b71de3231ad106de9f8243d3332f0c61c804d2f1532004f9956747e57e67e053c0950fb9ffa7c7b16

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
163KB

MD5
ed4aea3557728d3d8067e558df75f08d

SHA1
50ebbb7a4483f30761ebcbc62a91a3449e5108f7

SHA256
762695edffa278036fd0c7cd724c27ac14b4abfde8c21051c515b79f723d1203

SHA512
38a647795a3067ca3d61de3232f6bd16664aa857d1fb86536a506797d217e451925dcdfe0fa9e4bc63443f3eacd5773a208d707b537ade7793536616a7ed2c72

Download Submit
memory/8-112-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-533-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/800-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/908-299-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1028-104-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1040-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1056-435-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1136-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1136-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1184-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1260-521-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1312-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1340-217-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1368-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1544-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1544-546-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1572-335-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1588-136-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1592-201-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1668-491-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1672-467-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1728-366-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1780-443-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1884-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1884-588-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1892-384-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1928-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1968-540-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2004-378-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2012-248-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2116-390-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-581-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2152-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2276-347-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2292-515-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-509-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2388-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2412-89-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2468-224-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2580-534-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2596-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2616-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2636-419-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2824-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-400-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-679-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2872-287-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2924-144-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-455-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3104-341-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3112-461-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3216-176-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3292-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-275-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3356-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3472-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3548-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3564-507-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3648-372-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3728-281-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3760-360-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3808-80-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3904-402-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3964-437-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3980-101-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-553-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4068-257-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4176-293-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4208-527-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4360-354-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4360-692-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4424-501-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4448-184-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4460-329-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4508-485-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4540-209-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4560-473-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4564-232-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4596-425-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4684-263-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4748-311-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4776-547-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4812-305-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4908-408-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4916-64-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4996-240-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5072-192-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5112-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5148-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5192-561-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5236-568-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5284-575-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5328-582-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5372-589-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads