berbew | 4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe
Size

481KB
MD5

fdd372e8a15a5b81d5ee9102b86af5bb
SHA1

e0a2548e4db7fe5d8deff2d910a0dfd6a0e5610b
SHA256

4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08
SHA512

f1d080b31bf059a6931e6c3108011b5e5d1a441348bcbf2604dddf1fa76fa5e8bcb8b64403a99b6062dff0234e06caef4600aab5496a3d70c786d96c53fb8d71
SSDEEP

6144:N/9TQ00KbQZVUVYmHbBuz34lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:DFFVem7BuD4lwR45FB24l4++dBQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhmhh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhmhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1652	Ndhmhh32.exe
3140	Nnqbanmo.exe
1544	Oncofm32.exe
4040	Olhlhjpd.exe
2372	Odocigqg.exe
1780	Ognpebpj.exe
1728	Ojllan32.exe
4512	Olkhmi32.exe
5000	Pnakhkol.exe
4816	Pflplnlg.exe
3804	Pdmpje32.exe
3272	Pfolbmje.exe
1716	Qnhahj32.exe
1096	Qqfmde32.exe
408	Aqkgpedc.exe
5048	Ageolo32.exe
1720	Aqncedbp.exe
4176	Anadoi32.exe
1344	Amddjegd.exe
1208	Agjhgngj.exe
3552	Aeniabfd.exe
4536	Acqimo32.exe
2516	Afoeiklb.exe
3012	Ajkaii32.exe
1888	Aminee32.exe
4656	Aadifclh.exe
2380	Accfbokl.exe
2596	Agoabn32.exe
64	Bjmnoi32.exe
1856	Bnhjohkb.exe
544	Bagflcje.exe
4452	Bcebhoii.exe
976	Bganhm32.exe
3156	Bfdodjhm.exe
1404	Bnkgeg32.exe
440	Baicac32.exe
4408	Bchomn32.exe
4396	Bgcknmop.exe
4732	Bjagjhnc.exe
1880	Bmpcfdmg.exe
3952	Balpgb32.exe
4292	Bcjlcn32.exe
5108	Bgehcmmm.exe
1424	Bjddphlq.exe
2096	Bmbplc32.exe
4300	Banllbdn.exe
3036	Bclhhnca.exe
3548	Bfkedibe.exe
2872	Bnbmefbg.exe
1688	Bmemac32.exe
4152	Belebq32.exe
4516	Chjaol32.exe
3704	Cfmajipb.exe
1412	Cndikf32.exe
5072	Cenahpha.exe
4540	Chmndlge.exe
1648	Cjkjpgfi.exe
1148	Cmiflbel.exe
4580	Ceqnmpfo.exe
4476	Cdcoim32.exe
1560	Cjmgfgdf.exe
2348	Cnicfe32.exe
4496	Cagobalc.exe
2548	Cdfkolkf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pflplnlg.exe	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Gbmhofmq.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Olhlhjpd.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Jbaqqh32.dll	Olhlhjpd.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pnakhkol.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe

Program crash 1 IoCs

pid	pid_target	Process
5964	5876	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ognpebpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnqbanmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhofmq.dll"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciopbjik.dll"	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfoif32.dll"	Nnqbanmo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 1652	4944	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe	83
PID 4944 wrote to memory of 1652	4944	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe	83
PID 4944 wrote to memory of 1652	4944	4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe	83
PID 1652 wrote to memory of 3140	1652	Ndhmhh32.exe	84
PID 1652 wrote to memory of 3140	1652	Ndhmhh32.exe	84
PID 1652 wrote to memory of 3140	1652	Ndhmhh32.exe	84
PID 3140 wrote to memory of 1544	3140	Nnqbanmo.exe	85
PID 3140 wrote to memory of 1544	3140	Nnqbanmo.exe	85
PID 3140 wrote to memory of 1544	3140	Nnqbanmo.exe	85
PID 1544 wrote to memory of 4040	1544	Oncofm32.exe	86
PID 1544 wrote to memory of 4040	1544	Oncofm32.exe	86
PID 1544 wrote to memory of 4040	1544	Oncofm32.exe	86
PID 4040 wrote to memory of 2372	4040	Olhlhjpd.exe	87
PID 4040 wrote to memory of 2372	4040	Olhlhjpd.exe	87
PID 4040 wrote to memory of 2372	4040	Olhlhjpd.exe	87
PID 2372 wrote to memory of 1780	2372	Odocigqg.exe	88
PID 2372 wrote to memory of 1780	2372	Odocigqg.exe	88
PID 2372 wrote to memory of 1780	2372	Odocigqg.exe	88
PID 1780 wrote to memory of 1728	1780	Ognpebpj.exe	89
PID 1780 wrote to memory of 1728	1780	Ognpebpj.exe	89
PID 1780 wrote to memory of 1728	1780	Ognpebpj.exe	89
PID 1728 wrote to memory of 4512	1728	Ojllan32.exe	90
PID 1728 wrote to memory of 4512	1728	Ojllan32.exe	90
PID 1728 wrote to memory of 4512	1728	Ojllan32.exe	90
PID 4512 wrote to memory of 5000	4512	Olkhmi32.exe	91
PID 4512 wrote to memory of 5000	4512	Olkhmi32.exe	91
PID 4512 wrote to memory of 5000	4512	Olkhmi32.exe	91
PID 5000 wrote to memory of 4816	5000	Pnakhkol.exe	92
PID 5000 wrote to memory of 4816	5000	Pnakhkol.exe	92
PID 5000 wrote to memory of 4816	5000	Pnakhkol.exe	92
PID 4816 wrote to memory of 3804	4816	Pflplnlg.exe	93
PID 4816 wrote to memory of 3804	4816	Pflplnlg.exe	93
PID 4816 wrote to memory of 3804	4816	Pflplnlg.exe	93
PID 3804 wrote to memory of 3272	3804	Pdmpje32.exe	94
PID 3804 wrote to memory of 3272	3804	Pdmpje32.exe	94
PID 3804 wrote to memory of 3272	3804	Pdmpje32.exe	94
PID 3272 wrote to memory of 1716	3272	Pfolbmje.exe	95
PID 3272 wrote to memory of 1716	3272	Pfolbmje.exe	95
PID 3272 wrote to memory of 1716	3272	Pfolbmje.exe	95
PID 1716 wrote to memory of 1096	1716	Qnhahj32.exe	96
PID 1716 wrote to memory of 1096	1716	Qnhahj32.exe	96
PID 1716 wrote to memory of 1096	1716	Qnhahj32.exe	96
PID 1096 wrote to memory of 408	1096	Qqfmde32.exe	97
PID 1096 wrote to memory of 408	1096	Qqfmde32.exe	97
PID 1096 wrote to memory of 408	1096	Qqfmde32.exe	97
PID 408 wrote to memory of 5048	408	Aqkgpedc.exe	98
PID 408 wrote to memory of 5048	408	Aqkgpedc.exe	98
PID 408 wrote to memory of 5048	408	Aqkgpedc.exe	98
PID 5048 wrote to memory of 1720	5048	Ageolo32.exe	99
PID 5048 wrote to memory of 1720	5048	Ageolo32.exe	99
PID 5048 wrote to memory of 1720	5048	Ageolo32.exe	99
PID 1720 wrote to memory of 4176	1720	Aqncedbp.exe	100
PID 1720 wrote to memory of 4176	1720	Aqncedbp.exe	100
PID 1720 wrote to memory of 4176	1720	Aqncedbp.exe	100
PID 4176 wrote to memory of 1344	4176	Anadoi32.exe	101
PID 4176 wrote to memory of 1344	4176	Anadoi32.exe	101
PID 4176 wrote to memory of 1344	4176	Anadoi32.exe	101
PID 1344 wrote to memory of 1208	1344	Amddjegd.exe	102
PID 1344 wrote to memory of 1208	1344	Amddjegd.exe	102
PID 1344 wrote to memory of 1208	1344	Amddjegd.exe	102
PID 1208 wrote to memory of 3552	1208	Agjhgngj.exe	103
PID 1208 wrote to memory of 3552	1208	Agjhgngj.exe	103
PID 1208 wrote to memory of 3552	1208	Agjhgngj.exe	103
PID 3552 wrote to memory of 4536	3552	Aeniabfd.exe	104

C:\Users\Admin\AppData\Local\Temp\4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe
"C:\Users\Admin\AppData\Local\Temp\4b9468ed928defbd6eab3b82a1cbffb913982615212bccee62eed91b6136bd08.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\Ndhmhh32.exe
  C:\Windows\system32\Ndhmhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Nnqbanmo.exe
    C:\Windows\system32\Nnqbanmo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Oncofm32.exe
      C:\Windows\system32\Oncofm32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Odocigqg.exe
        
        C:\Windows\system32\Odocigqg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1856
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        60⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        66⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        69⤵
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        77⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        80⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        85⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5764
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 408
        94⤵
        Program crash
        
        PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5876 -ip 5876
1⤵
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
481KB

MD5
6b318968349da96c7075bbcc2aa3c047

SHA1
a0e16e54fd21e1a2127737e3eeaa34ab1956ebfd

SHA256
f1601d9c96a71964f7655253acec550ece04faa06beed7163fc362365f73e5ec

SHA512
589b36d2aabebaca9702438a956a05a722b58eb2716e7f11c9eb026f52cd6773f09443d3d6fcc073b930a1754781586fa21baae50d35433ecbc4ff18603b4e5d

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
481KB

MD5
8758afd94d1494a808e0438035541f11

SHA1
615509e1a812acdce92a648d309608896f81d44e

SHA256
1ec5217dedb66a37a1e46a696490eed3428faf21209056d7526955036a73b71e

SHA512
0e4ec38eba9b930684bf5711caed4263b46a28ef79c72a9ff7a568c807a03ba35e20c28df354c5265d5ec41757c62f7f94194c3da5088bb01ba55965fcee8728

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
481KB

MD5
3d450b2d3b5b2682ceb6ea497bc9da4f

SHA1
6686bcb06af2eba5682c24fdc5534aabfc8d56b4

SHA256
46df49961740fc46a1e19336b5b4db909657bf284a0de653dcc4143052ef10e8

SHA512
df870b57e58280e57283d06250d65da3f8220e4f53da60e70c1a5c3a462511757568199035da86bf0ae7b23fe070ea9b240790d5fe3482adb54d9665630bd187

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
481KB

MD5
10b0733f56fa64d68e8f52c158f02b6e

SHA1
ea7192236c12ed2b3f1c0dc950d1c5fbaeb5abdb

SHA256
c027e0b0785a24f0161a5bb2d4f50cb0e084907e138331729028a0b624094323

SHA512
2292e099fa9e39d4e764d365445802a757aa6992e380cb3c53d26e0edf868abc7df10742d2d67860bdc8df37fcee50cb10e0e7f0f68e82ec863ded4e5a0ed19d

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
481KB

MD5
384f4da3ff5d8f2980da9808f55cb36b

SHA1
a5a9a7ec12733d09e360b62b2f72dab7516518d8

SHA256
7e60de274e2645203182fe319f8e02db0d02d3f21a73b924d7b56df0dfa631aa

SHA512
68fb82c7324dbc480a6f8f8d83c9b53fd7fe2c475b06e9c78b2db16427993bacc2ad15de1ec1e819f36bca3cc1da10672f638730c0a9f16189a4d7d25252bf8f

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
481KB

MD5
12264d52790c07d10d0bb89b9283f4cd

SHA1
5cc1b924723c7f71457561696c10c3767823e531

SHA256
7b9f49537733bd7ae3ea46a1920da134d5e2d452a7f37c6823d98189f2498fb3

SHA512
eaa71655ff13452fe68f056b4b3c04d9df429dc819cee8deeb36499bc3aba35250acb2ae291684e1771f78e17519d08f6507353e3f10e117b2bcef4987adf435

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
481KB

MD5
4446e499f5acb20add563d71c073b382

SHA1
19188bde291b4de16fcd39a4300263723085dd02

SHA256
c139fc0fe75783f333c070ea130f8b31ec0c7d55f88d512498f0afd4e2555678

SHA512
a276d004f6857396aa22e9620ee01823f53f34ffb64f05fbe9effb635b80ffbef9826d9483a3c19d23d7c36edcf83bde1914c17c0cd2fb0673ddee6ca40c90ad

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
481KB

MD5
475dedaf110fe6632ad0b8fe8707823e

SHA1
eaa4aab6f7d55829db23dbe6ab736268a6ecbbca

SHA256
74ae7de309fe01d929dfd488ab41e691c256384971e1bb48f42c529d5cad89b4

SHA512
2184d5d9e8a8eddec94884b22d8bf28b760206bc820f34a1b5d53bb55d6f238e86ffa92ed98b1892dd4faae6ffdfdc4de6e32461e3e151fbb68802f1a8ad067c

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
481KB

MD5
cdf0771d93ca7b3ea164b79d3bbe491c

SHA1
9bde1af77ad094c94553a378ac68e7e665dd2f2e

SHA256
dc49d16b49c6f1e463a7e7e2783e44fbbfda134f4ef2a82b4109198b4e160572

SHA512
aa02640436c272656258c9570df3d03933a5ee1e0cff45b57a6dde7e9f4db50d80bf92324c6b009980f9538e8de107ef5d30235b3c018313f7a04413b8b54175

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
481KB

MD5
27e7a6f3c27e1ac02f63a76f996c626b

SHA1
5e1557ff6f3622bacdc4b367d754db3c3410e1f6

SHA256
45c3178504a4cee4d0cf7b7470a1d6b842b7fab70116530fea46763e60ffb37f

SHA512
9e7f6253aa0f59a633edf6ceaa8425a4722e5589c2ab5007ed265bb0082e38497c2e1f89f9d2998cad1446b981186bba5d57fb0008e165d1593cc07684c2e586

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
481KB

MD5
4f45004365148d79fdac0056cbbb8839

SHA1
1cb71b070b0db67d34b2f32c621521cc4f686f7a

SHA256
128a7ca0b0c7eb66adfb17d99c24cf71069fd865ea1be4e4bdce9f966b67c1bf

SHA512
af6e4a401de25e51c0dbc775e795ae5732ccb1f277b6160ce6ffa5a1dbfc93021a2961c7da13107f69d74d7c31f25044d342e7be7d434b58059bcd92340e9b35

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
481KB

MD5
f9ec3a6f6a2a2aeed39681dd131287e9

SHA1
b2190962edfb0e843f7b949a982226683b92f6f7

SHA256
60f17bb25f1f191a663c365eb2870cd521b8a116ef64076c65b22b8a01b7ef3f

SHA512
d65e2d92f68b47de853d3edd2c3d029943eacd878f596965fa6970efe8e415259e3eeb2e29f962f2fea3192914ece81a2324c363030c2c8d1bf18e502d40a817

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
481KB

MD5
856620ec44db60d60bf3de742d686c2d

SHA1
84e494c57bd1c67a94a3f532570b52bb72795a00

SHA256
d7249ac096f8a63a6169c3116dd7c4c2bbce49bdbed352ece75a5d0fd0759afa

SHA512
5a802907c004d1122255092f95b3bbc5f9c146bc918ac8d8ba624c58acf906ac265c33738574ff8946f3f68d8201e09b374f0bbfa84e28234bd9a77925c84128

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
481KB

MD5
632a084a6af9dd6b2a48782b117a50c8

SHA1
b6bcd5adf694c2670cd004fc83027564029ae4b7

SHA256
89579c7870e9417ddff281748a2660c6e745735ad10bb7853af6092452a4cfc0

SHA512
6425db616b1f93d007d6fb0e85653e87b2ff558fdc095d811e51cbcc48a1dab9b9559272c5727149536c7e104e7ab959a37d4fe582d01f12307c9d91a6a61ae1

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
481KB

MD5
0e1f3c89c6649d6f1838c22c8cf65fb7

SHA1
37eebd5407734fee0b06f306e725b47b24935619

SHA256
9bb2f062bd716c0e8c9b27e94c19279558782976cbe8903863f10e163609f4d9

SHA512
ad5a48dcb2be5ece0a7d5f8b0b24324e7ff2f8c06cf5cea02dfa0d9a09d2219bf27c4d1f73d1bcc1e398fc80c35caa0c4150e258dc28f381807daa69f54a42f4

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
481KB

MD5
6405d50c8870fb1da39ea78ad7b6d3e9

SHA1
7a92e4e9f2936ea428dd0bbc791a8e8c9ff000f5

SHA256
73c8effaa59a5fa9aca92c37dfbe4c1662e0aa1e57fc6ef043af5983678493df

SHA512
406966c152b153b3337cc82788437dd296f288c02936be3c39820d55ccdd6caf90e5e06034aa6f99d731937873d4288562dcad656adea7fa4d4ad8fb66796095

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
481KB

MD5
5fcb387488905d86cb76e13574249a13

SHA1
d29b922544b185852151e67d8590ca1ae62a1343

SHA256
670751e7cac53b8fc4cfce0a89d7d35a4056be7ecb3e5e80ed2e6dcc30c0c6c1

SHA512
7b21322dd5c0adfb885ff2cfbd1e90b58f2abafa29e50563360636ec2a9f9206f7154d4de9620933e7ed7d26684f868d9e8143fd925ed330924502d6152ecd02

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
481KB

MD5
4e4520e9bf19eb2218cdbd3f3a792c14

SHA1
f4dd9b4aa7b48144d5ee1afc24444282d7475844

SHA256
dbf1acb5546f113d29ac6e02c1ccf051b9d71beecaf26856c9ffeeb7cbce7c75

SHA512
d1812beba87123dcde9816c0182af56a849303551d3223f7decd66eb000b2b733797b3b9e4111a465900723a32762ee2e6ae8e6c08a2fb986fda174ed85c4ad4

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
481KB

MD5
b85c1f95e7292d81d9d3844ff89ef6bb

SHA1
7867cb2c6960e8b0b5127c2ca976f503ca795faf

SHA256
03ead8c345e3e8d1480da9866b002aa6c1fe863c442d29b5265ebc023e61f0d1

SHA512
48dfdb018a7e26f7cc04906688af89c2f412f7eac27abf04b1a214376b5e24dd500e8aadf88ad00012bfd87610de940d671bb9749f19971816f7ccf5c2a135f3

Download Submit
C:\Windows\SysWOW64\Jbaqqh32.dll

Filesize
7KB

MD5
b6432211abe4e47fda0db2d773bf964c

SHA1
d360ac1396a10f8e76944da34edd3928e94a00b6

SHA256
4fe155d835e2f1ef997cb1c824c4435c97d01d4503813c5e0ea9e437adc54638

SHA512
bfec2c09eb7e3d1640de01c91db717efb69bccf85d54a77f613c9ea3ca86b8ab77eac869bbd0e27e393452fd995eadbce79d0dd2ec22bef991dd84f71334e54f

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
481KB

MD5
124f19f171eb18d3de2e0c0b54e7dbd6

SHA1
fd63fbdfc51fba494888056696c8821421a4305c

SHA256
282fef50a17cff857c7c79356e348cfcc20a2ec188d1459d05d86550c5aa9d03

SHA512
3ecf4845fbb35d9fc7b6bc90ad0df6a85ecefabb37a55fa8020226688feb1e7ccd94f9226e2e86240e2c46b30626f7f465064a4011d0ac0f05ae0baf6f50e009

Download Submit
C:\Windows\SysWOW64\Nnqbanmo.exe

Filesize
481KB

MD5
0fa753a1064bdc8eaf15f38e3d096bb0

SHA1
b25d808a8d03546499c70576efe5f9c8c2b7c97e

SHA256
350e66eea31c482f1b4101c3090c9e461cb14f72696878a319a53f48c1aae431

SHA512
daff67c115e6760ba469578d7353fbc1510277fa3d23e1f2bf9f519a0dffb1a621979443eaeaef766ed6d6af1f5bd958cc58393dbeedcce9335a38482c155731

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
481KB

MD5
8ab580eb065c41531fed03c2a6cdeb17

SHA1
f76583dda858097051147fbc7210022d234f7a81

SHA256
f3fcd95f991d4b0bde446e99e755146f309fdd4f118988d0c699a47fd12b6089

SHA512
48f28ac372147bb664b6fa657868ae60afbd44e2d237f0c5df206ae082f1d1c1da66d2c989d4e909dd8d431e7b3c3035d4203c7f2945d88b8af173330c611492

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
481KB

MD5
d85e14b2120de50af00784204de381bd

SHA1
93b3144d1ebb27191884f2a61accddb0c0c9b02f

SHA256
96d6e16f2661eff8cbc439ef51f93d0effbca49df86f3a60d1db764d61923973

SHA512
f2d7beaa2aa880615492474bc4914f281fb280d73bca7c23753d74008e930aa59453c26dd2bff45407429e2940391df0c685b6d2308bb8c18c04fc3d3e50389d

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
481KB

MD5
34d44bfe162cbd5e1cd8c557858424d9

SHA1
500b402cd8837a8ac46d5ced353cdb72be1b6470

SHA256
a4051f9bdc378bc1a81d461a72c0fc6252b13774a81cb8a43f7bf8520f164411

SHA512
58c6932262608201896bd5d3f8c93fcf37e815c0ea8a02ff59a6f9fde942bcbb46b7b13c8e04b4d638eaf70ee1cab2d3fd57593e913903fef463369cda85cec4

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
481KB

MD5
014520ab6877c95f5dc7224fa04fef3c

SHA1
dd106e9a066f0ec6310f1568bbefc5ce5342d4be

SHA256
1a2a44c523057c53b748fdf4db4fea727b0b3744f78b772610c4fba7a12a4f45

SHA512
4ffd5420ef82f72ee3eb1017537ff1c3aad669bb93115b70f02e7a43f0ffb08194bbd90c4b7acc07b6b159f7c83a92bc89a7ff7b00cbd2078b653a0bea63ee9a

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
481KB

MD5
af96a937b0e481e298b94dacfd02879a

SHA1
f399522d2dc1fabd9829d2e7a6d3e45dd9067834

SHA256
0d79b48919bebbb8cbb697c48d24159e136ff2eb9d253815cc134bdda6a24b65

SHA512
fda7c0527ad8719a1cd066d625869593e851f4f1998cfaea612b07157c74930cb92a781f8656309d9b9640d52eea3f2c93ec8c60b9c0f446a7d1dd550b3b60e7

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
481KB

MD5
f15a9b3020e5c2636ce38a68f4afa3d7

SHA1
8f92021508e962043df179d9b6bed15c94473610

SHA256
2272cadb21a905dbf5ff8a00e8f43b29ac9910a70af723d1f4871342d106a927

SHA512
2d2a46ea879729b28c8f6dab6c634841e9c2903af0aa7cf7ab05645e99392595564d69f66392d4b0f9ceebdd54fefa451d524a9a687e9f5286acfab78ad52409

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
481KB

MD5
ac5fecfb4c31f3480baf114990a93172

SHA1
42da21266253a96058b660cee2bca3f0b4df81d8

SHA256
04e951de81d5fa7bef899f3e94c3b3772325a2d5d9544c69db2349286a026f75

SHA512
941bfb456e845fdca8e30726f3c3823d6e598b0a37b8c6e91339e0110412c539722ef6d5586a7efcbbe466eedf2e400e29d093d8866d9861771732c6245afb91

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
481KB

MD5
263b5ca2d5bcee5be623f6191aa3612f

SHA1
7483b51f0d026673ebd2ae4e814a716d892de458

SHA256
1993149fd265f10c26bce78e475e6b74cf10197f8188911764d4eb80b74952a0

SHA512
c3cd9f8b4f56f89e2606e4bb731a8f5985591d47ebb19e9b33ef1f07b00cb308cf7409d2a004c1cd8094e78b5049939d5fd767ba7fe155a4fbe4c076d2554355

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
481KB

MD5
74194af889ee75b84464d5f4a2a0a1c3

SHA1
b167dcbfa50ed3ce7765e670a5461d67b57e7aa6

SHA256
8163d79c7df6509e36103ea0877acf08ac323c6219a4b274f2ab72bcf36a05b4

SHA512
36757fb5cbfcab5c50f3c8c2caa608d371b00e54a82875941bf7c592e6e1a04304c8c17be040bf93a7e1250d533f0455c23c3db4d99dc9b6c21d9b586c2c7211

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
481KB

MD5
fc7535cc9a7600e0c09d3414f2dc9f1a

SHA1
993968abb03088a5faf2eacdbc9b85dbb161f7e5

SHA256
2011c5557987a0ce0062e63cabe97c605a52f8481d940667f36eb674715a5fc8

SHA512
3bc9f25b747d79c3010cc1e1c979d896849596799a183f438dd50251288f0dce25f14bf192601489c9a0602bf6ee1c7396acf56261ce6f882ba0d69e9cde625d

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
481KB

MD5
41c764380b145adeb9743419849b0bef

SHA1
b3cb52f0c7b980d40b56764114856f65ef0c8675

SHA256
f14c14a838e6dc024a01abacb92515a2ae8893534d66d3050aa9a464b009fe98

SHA512
c08310f7fb15e87eb332657c29a36b7e7e774e311a4c88f0e33a963594c6798ae499c6665667fc0c3db284958c8c57d1e6a9c8511d0c3d788b03048820cafa8f

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
481KB

MD5
b4ee808a43810ee04101f1793846d8c8

SHA1
22bfb74474e5abcf12ef7475a32ce471a7449e70

SHA256
9eb7671799156cb163afeb24c9e9ead6cabfbb3896dd7e9bbbdbbba7d8e834f5

SHA512
7d40888107c23407459b9fb46e128d7035c16fee303b15740851baa3f8549867eabe92e4d63af24cd31090e1926dea43472c169d57f03e9e78cb6e85d8db7d36

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
481KB

MD5
ebd5201aa83b86640c269c3ac79e1f39

SHA1
1bf6074af41a5975062360c1dc08bce8e80f4266

SHA256
a04cad5f8ed15c5596fbabae95b23509719e41f771cbfc84b8d8003f48774574

SHA512
de0787c1fdc696790121db6b0623b4cd518dc8dfede1aea134027a3686540edd58008188f87a69a03c443eac7dee7a817567c70c7d93d4735ce68c7c67d11380

Download Submit
memory/64-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/440-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/544-269-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/976-283-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1096-208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1148-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1208-174-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1332-487-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1344-166-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1404-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1412-409-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1424-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1544-111-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1648-427-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1716-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-235-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1720-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1728-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1780-52-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1856-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1880-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1888-218-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2096-355-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2348-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2548-470-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2596-245-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-475-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3012-210-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3036-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3140-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3156-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3216-493-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-99-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3548-373-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-184-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3704-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3804-90-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3804-182-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3904-482-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3952-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4040-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4076-506-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4152-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-244-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4292-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4300-361-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4452-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4476-445-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4496-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4512-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4516-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-421-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4580-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4656-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4668-500-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4696-511-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4732-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-173-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5000-165-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5040-518-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-226-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5048-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5068-523-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-415-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5164-530-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5196-535-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5244-541-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5284-547-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5324-553-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads