berbew | 2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81cc

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe
Size

192KB
MD5

c1683f001d7d62c81a29192c8a6cb330
SHA1

0324863aac4ab425d05390523147e50448c7eb9d
SHA256

2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81cc
SHA512

b185ddaa351ff16c18a5981a96bf66a8ae8f94f24d410f803c9a3ee0d4637795c78dd9d2db63d2049534e3350292630986388e1412896c9dc9e37e2a42d748a2
SSDEEP

3072:XQtCaZ3YsC8h/Nb4qLI8enr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8ohrQd:XV+lbhi0ndpui6yYPaIGckfruN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoahijl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
3600	Oneklm32.exe
4896	Odocigqg.exe
3224	Ognpebpj.exe
4876	Ojllan32.exe
1100	Ocdqjceo.exe
5020	Ofcmfodb.exe
4516	Onjegled.exe
396	Oqhacgdh.exe
2236	Ogbipa32.exe
1008	Pmoahijl.exe
2772	Pgefeajb.exe
2176	Pjcbbmif.exe
2028	Pmannhhj.exe
4640	Pclgkb32.exe
2212	Pjeoglgc.exe
4484	Pqpgdfnp.exe
1044	Pcncpbmd.exe
4584	Qfcfml32.exe
2944	Qnjnnj32.exe
2288	Qmmnjfnl.exe
1680	Qgcbgo32.exe
4256	Ajanck32.exe
1736	Ampkof32.exe
3984	Acjclpcf.exe
4432	Ajckij32.exe
3928	Aclpap32.exe
2372	Afjlnk32.exe
4884	Ajfhnjhq.exe
2508	Acnlgp32.exe
2896	Ajhddjfn.exe
1756	Aabmqd32.exe
4372	Acqimo32.exe
4564	Ajkaii32.exe
2880	Aminee32.exe
2304	Aepefb32.exe
3624	Agoabn32.exe
5068	Bnhjohkb.exe
4568	Bagflcje.exe
556	Bcebhoii.exe
3640	Bfdodjhm.exe
4720	Bnkgeg32.exe
4912	Bchomn32.exe
1148	Bffkij32.exe
2464	Bnmcjg32.exe
3964	Balpgb32.exe
2552	Beglgani.exe
548	Bfhhoi32.exe
4984	Bjddphlq.exe
888	Banllbdn.exe
4148	Bclhhnca.exe
4120	Bfkedibe.exe
3956	Bnbmefbg.exe
3704	Bapiabak.exe
1240	Bcoenmao.exe
468	Cfmajipb.exe
4624	Cjinkg32.exe
5100	Cmgjgcgo.exe
4428	Cabfga32.exe
3112	Cdabcm32.exe
1164	Cfpnph32.exe
4936	Cjkjpgfi.exe
2124	Cmiflbel.exe
2892	Caebma32.exe
5088	Ceqnmpfo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gqckln32.dll	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Pgefeajb.exe	Pmoahijl.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ognpebpj.exe	Odocigqg.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Onjegled.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Oqhacgdh.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Pmoahijl.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dfdjmlhn.dll	Ognpebpj.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5604	5512	WerFault.exe	193

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoahijl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odocigqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Odocigqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgppolie.dll"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpcoaap.dll"	Onjegled.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgefeajb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ognpebpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bapiabak.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3600	4244	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe	82
PID 4244 wrote to memory of 3600	4244	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe	82
PID 4244 wrote to memory of 3600	4244	2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe	82
PID 3600 wrote to memory of 4896	3600	Oneklm32.exe	83
PID 3600 wrote to memory of 4896	3600	Oneklm32.exe	83
PID 3600 wrote to memory of 4896	3600	Oneklm32.exe	83
PID 4896 wrote to memory of 3224	4896	Odocigqg.exe	84
PID 4896 wrote to memory of 3224	4896	Odocigqg.exe	84
PID 4896 wrote to memory of 3224	4896	Odocigqg.exe	84
PID 3224 wrote to memory of 4876	3224	Ognpebpj.exe	85
PID 3224 wrote to memory of 4876	3224	Ognpebpj.exe	85
PID 3224 wrote to memory of 4876	3224	Ognpebpj.exe	85
PID 4876 wrote to memory of 1100	4876	Ojllan32.exe	86
PID 4876 wrote to memory of 1100	4876	Ojllan32.exe	86
PID 4876 wrote to memory of 1100	4876	Ojllan32.exe	86
PID 1100 wrote to memory of 5020	1100	Ocdqjceo.exe	87
PID 1100 wrote to memory of 5020	1100	Ocdqjceo.exe	87
PID 1100 wrote to memory of 5020	1100	Ocdqjceo.exe	87
PID 5020 wrote to memory of 4516	5020	Ofcmfodb.exe	88
PID 5020 wrote to memory of 4516	5020	Ofcmfodb.exe	88
PID 5020 wrote to memory of 4516	5020	Ofcmfodb.exe	88
PID 4516 wrote to memory of 396	4516	Onjegled.exe	89
PID 4516 wrote to memory of 396	4516	Onjegled.exe	89
PID 4516 wrote to memory of 396	4516	Onjegled.exe	89
PID 396 wrote to memory of 2236	396	Oqhacgdh.exe	90
PID 396 wrote to memory of 2236	396	Oqhacgdh.exe	90
PID 396 wrote to memory of 2236	396	Oqhacgdh.exe	90
PID 2236 wrote to memory of 1008	2236	Ogbipa32.exe	91
PID 2236 wrote to memory of 1008	2236	Ogbipa32.exe	91
PID 2236 wrote to memory of 1008	2236	Ogbipa32.exe	91
PID 1008 wrote to memory of 2772	1008	Pmoahijl.exe	92
PID 1008 wrote to memory of 2772	1008	Pmoahijl.exe	92
PID 1008 wrote to memory of 2772	1008	Pmoahijl.exe	92
PID 2772 wrote to memory of 2176	2772	Pgefeajb.exe	93
PID 2772 wrote to memory of 2176	2772	Pgefeajb.exe	93
PID 2772 wrote to memory of 2176	2772	Pgefeajb.exe	93
PID 2176 wrote to memory of 2028	2176	Pjcbbmif.exe	94
PID 2176 wrote to memory of 2028	2176	Pjcbbmif.exe	94
PID 2176 wrote to memory of 2028	2176	Pjcbbmif.exe	94
PID 2028 wrote to memory of 4640	2028	Pmannhhj.exe	95
PID 2028 wrote to memory of 4640	2028	Pmannhhj.exe	95
PID 2028 wrote to memory of 4640	2028	Pmannhhj.exe	95
PID 4640 wrote to memory of 2212	4640	Pclgkb32.exe	96
PID 4640 wrote to memory of 2212	4640	Pclgkb32.exe	96
PID 4640 wrote to memory of 2212	4640	Pclgkb32.exe	96
PID 2212 wrote to memory of 4484	2212	Pjeoglgc.exe	97
PID 2212 wrote to memory of 4484	2212	Pjeoglgc.exe	97
PID 2212 wrote to memory of 4484	2212	Pjeoglgc.exe	97
PID 4484 wrote to memory of 1044	4484	Pqpgdfnp.exe	98
PID 4484 wrote to memory of 1044	4484	Pqpgdfnp.exe	98
PID 4484 wrote to memory of 1044	4484	Pqpgdfnp.exe	98
PID 1044 wrote to memory of 4584	1044	Pcncpbmd.exe	99
PID 1044 wrote to memory of 4584	1044	Pcncpbmd.exe	99
PID 1044 wrote to memory of 4584	1044	Pcncpbmd.exe	99
PID 4584 wrote to memory of 2944	4584	Qfcfml32.exe	100
PID 4584 wrote to memory of 2944	4584	Qfcfml32.exe	100
PID 4584 wrote to memory of 2944	4584	Qfcfml32.exe	100
PID 2944 wrote to memory of 2288	2944	Qnjnnj32.exe	101
PID 2944 wrote to memory of 2288	2944	Qnjnnj32.exe	101
PID 2944 wrote to memory of 2288	2944	Qnjnnj32.exe	101
PID 2288 wrote to memory of 1680	2288	Qmmnjfnl.exe	102
PID 2288 wrote to memory of 1680	2288	Qmmnjfnl.exe	102
PID 2288 wrote to memory of 1680	2288	Qmmnjfnl.exe	102
PID 1680 wrote to memory of 4256	1680	Qgcbgo32.exe	103

C:\Users\Admin\AppData\Local\Temp\2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe
"C:\Users\Admin\AppData\Local\Temp\2de5044932f47cc5677960f62560ee90b6b88ea2e6673b523c97d456f8df81ccN.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\Oneklm32.exe
  C:\Windows\system32\Oneklm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\Odocigqg.exe
    C:\Windows\system32\Odocigqg.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\Ognpebpj.exe
      C:\Windows\system32\Ognpebpj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Pmoahijl.exe
        
        C:\Windows\system32\Pmoahijl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Pgefeajb.exe
        
        C:\Windows\system32\Pgefeajb.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Pmannhhj.exe
        
        C:\Windows\system32\Pmannhhj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2464
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2892
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        65⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        72⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        74⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        75⤵
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3508
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        86⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        89⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        95⤵
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        105⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        106⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        110⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        113⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 416
        114⤵
        Program crash
        
        PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5512 -ip 5512
1⤵
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
192KB

MD5
eeb7d4a8c874628803eb7970e061c50d

SHA1
57c2eb24119ad562ae57716244b378decd0f401d

SHA256
1a9da387bde8238fe8583f9626cec74adbb338986cbbd8a82992d42049265402

SHA512
93455d036270f4095398df0f55d8cc424e7a95f7663ca6b7bd80e4e0d68e00dc9d4a7704e52f780e55b66dda3cf810cc589fbb3a8c6c5c985b63f222696e8f77

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
192KB

MD5
ff923ac10aa72495901592e956e60971

SHA1
3abdbbb07fd21010c9a4fb3846f9e386b2832898

SHA256
078bcbacc0471c31e883447f9da0cc8b7f30600fa0bf349c4677d11898f52864

SHA512
7cbdd9defe8f485244f096908505dd065a1ae0206d76e8804961dc989f69cbaab1d6244905dc75135d5d18eca2c985cb3a7ccfbe0cd233f3683697fbce98fa5e

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
192KB

MD5
7f2fe1d5b7da83f6a680bf834db53948

SHA1
6523e78c672c501f53d465aad3ddfaf6c0739e08

SHA256
d8f35a6697f5295f3e1cb00923f2b237c4072b127e48914242adbda4c5a04de8

SHA512
5f5780eb2bff0d6bc8e60ec8770c00447ddabf01b8174b16cf0c83100de9f2a5bca57b761a3b313ccaaaca266bbea4a3e09b114fc77413e95a5947e6f1f5f3d4

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
192KB

MD5
36905a7f6b6dd3cad90b4a90a7fc3250

SHA1
2a880a16ec37c356685c3663be1c7f8a9dd53e25

SHA256
0d95917fa86a5f9c5a3a83e519f43544125ddabe19f306482d734d5df3fe5f33

SHA512
5aa2ee10685a3320108f624f6edcd7bbc0e89580ff942bd2427ab589c0ae9dac5d43141b4058dffcebf2aff4c20c5914a9ea4b20b8e4ec309242ac34f497a21c

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
192KB

MD5
a8d6067108021c31c2fb1c6a7ac5c93e

SHA1
64eb03adf2f1d55471ffe638d1eea1bbb1791428

SHA256
a1c15b344c1e61ab77e0bdc52dfc16d12faf04bb1350842879162e9c9c566807

SHA512
8e6950522b3472ccb6769f47d3081e314749297bbcc1a483e60009ecc45ddfedade86793c5dff709bf53bcbf522adcf58996b1c9a6f9b7a02810579f44761a93

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
192KB

MD5
035fc40013697b1c2c688a0d386171e9

SHA1
140f636462c114bb9ebd65aab87b2a5fcee8d42d

SHA256
f4d21e11da5df044062c89ed4b5a7d7021771252055a79db33b91ec80a66a3b3

SHA512
1d36634695633111715dd406164408ff8d184b4a66528dfb70a0b49fcae35b7bb5662313f32725a8f8bd670bebf7523cafdcfe72cd345c4783e9df38e0cd579c

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
192KB

MD5
678e4046b8cd1f586f90e2f220af1fb4

SHA1
1a9371ea9f7348d493acd5019b5dd7de9e6f03ae

SHA256
020ea3efe8420c6c48e560e06e394344e9893bfa1227adfc9ff64b08d14228f6

SHA512
97a922714e703d6fed459485e091e8ed422bf49241289541bd955c09cd3de083def04ed65cf5fa569c2544b757187cad31700e4e1fed5291bda442a6be984e82

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
192KB

MD5
6db84c3612860f91e9d5337744edc579

SHA1
d2851620a05b0af65c67797b40ed3b3a3a3350d3

SHA256
a7f5e99052e0db31dc4978e962b02ee8edf329a909c0c112f4eebdc6fab84ad0

SHA512
f127f4f0d27a5118887a5befdf8f51ccae9ab314ac2ffad638091de01b7c8d6fd886e2f0f56ebad9c19da01ab72eae67cef5feb21ba307baf995004f1a451248

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
192KB

MD5
c45c81ff7cbcf39422df7149e2a95efa

SHA1
7cf510e433e608dbde6040b640a1ca5f5b83be18

SHA256
1ccf2fd0b2625cac451e87a21cf937ccbb01fd33e34d28b9c08b62fb2c178d15

SHA512
9680048c60599b15f87699bdd02bc913b74ef70df188515c1365680fc845bfba612cd92f5f823e6e8b093334d70b25b46e16266d0bfae0a34667787c8b95394d

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
192KB

MD5
0e9e18a90cac57b8a19da1b1c30d679d

SHA1
043c60376015c2ffcd3e5fecb85959ace03c4437

SHA256
e88bb98ea6584d2b099df1c56b84157dc5bf4a66aaab1c30db9e4bd77731934e

SHA512
40b6e5d9883a0615dfaed5748129b31d1ae2b759a05e61302c839294e864d5f8509d79e264990b33261266674a93a21bfd6e84065dd3ddd464da64ed9a19e5a3

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
192KB

MD5
38eb70b2a3961d15dbcd7e3f5aa0a702

SHA1
db3c4d02582c9e4febd23e4effb2d35662326520

SHA256
2edd1522ab37f2fcbd77119bb5eb4898856b5547409c7de6ccdcbae6061d895c

SHA512
ba7d51348901a223048cc6769cf7f6cdba760c368f4dc8f0f2bd7b755f1a87ccd44ae5eecd0f137a58b6a107b758e85e94910bd3a43599aa8e98b419978e4269

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
192KB

MD5
602d1794e3c14d7df6494d4f66437e48

SHA1
17cafb45857bc4225b4aa01599a289074f6a87cd

SHA256
cf47e274c953f7a6e7c56e4b10dc9cc132c29cfa7b82b8d7a1c981166c63acf6

SHA512
32f673239ad9ee843f46cca13d0301d38529b41c0c5b33f86900929e44af8669091d66ab4d3c2d3656f4091b353a5ed3add54fc8ef0cd3440c4c1ad5f1b307c4

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
192KB

MD5
19fdcfc9bfd35e4db2a453cf56b18859

SHA1
186169064fd2f2c8565cfe3e16c0caa8deb83fbe

SHA256
8a999fbbda657b3b263f315fa091828a237f755d6326bb7861979e2b37dd8673

SHA512
9c192d725d04d4b377d7420825289e842a06aa21ff7e847982d967b7b226163c831b051514855fe9034960237421a974db37b53af912637ebe208988fbbbb935

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
192KB

MD5
f553067db4b6b22b8d6011cc3a3588a8

SHA1
9992ce04a50f510cedba49ed4c95c3c254e7ea7c

SHA256
f7117c10b15c0c8b597775eb839b3ec9a5acc0d5de510be6e505601532a23d94

SHA512
c0485defe8224d42388e60055ff0eabdeaa928e0eb0aa9d99bdc355c06027121c43237647ea7d93f8ab9913d26f7727fb6af0f1d195d08f5378b7128fdd9c0f3

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
192KB

MD5
eb7cf2fed7a46aa1850aa64cd7e6fc59

SHA1
c91b6b49cf7bcff2147b2dd97a63c09814026774

SHA256
1bc84d00aca08a37a1f070c991c11c117567bb2d3124ba5cdf9929e48ebaa5d3

SHA512
40fedda3ad009fea28a682ec8240d86015a2e7d88e361b2435887003dd6d5163c0908e63ceb09f1d578b2b195d5b1f407ea1131413f945484d6ed6a7a1b8981b

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
192KB

MD5
0eb72cdbf5267f964f7400af2d352d06

SHA1
c84e62fc32669d9bba16020af78e992b70cc263e

SHA256
27d841bd65de3bb75697d6225ab7fc1bf39c8fadfe3bd02d38bb74b2a804097c

SHA512
54f4d612ff02bb290821d46586b52231378a4b603a76f6cb9d5db490738072120b9ebba502da8b35f49c2a963189a901c1afaf8f9cd1dc1de0c5dbeb00c2a448

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
192KB

MD5
0f8d97c032916a158ca61fde50207fad

SHA1
c1901264d8a8e6610920faac582667b01e4d5549

SHA256
3704748ef0f33e315c9cdad51fe21bccaca2cd77e9cec77018399f1095c0e128

SHA512
bf7ce5c6ad74d23c58c616758da67a55a8547277c89e75d57b048601432d36ee96aaea15b844d124ad0c99d8156c974094b4f9b635e88e492147b7464c3886ca

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
192KB

MD5
5ccd2591e1458b9f17063be1a6d5ba17

SHA1
3ffd7ef06c6240da1d854797ee0e44cb64151e00

SHA256
abcf324e6de82127303bd20a16278ebcde77eedfcbd64c7103d28365e801d691

SHA512
12411486e0eb0f8b7b7aee6828db91d50626b3d6d7ecc7244f2a4f48c05eaef8d37246091eb76ff301eac64f4724bc42ad81c86f628d9129feb2e8e9375c57a8

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
192KB

MD5
0e9f0007e4e8653d9cb6fe83a5f421a1

SHA1
75811acf90fcebab65584c1c07640212a6bbc2ee

SHA256
6a8c3f435e22e7edee481a49738fa69c03f7379560b05a217a80eb6e537a1d91

SHA512
699777e68e11de71a43a145b3e5da9806ae1e9f90ca667a7457bfb81a0669be3321c8907ffffc6cc2ba72b08e7b7f66cfd54d34f8318c1c1dd494c48a6695951

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
192KB

MD5
77aa28047ee4c7258e27af14c313862a

SHA1
8a95ca1c9c8621caa96d6d5c3600653fce958f7d

SHA256
d7f7562fd68ee2be3ec6b577142845f4dfe05934bd44e53acc4440e7cd652f20

SHA512
f5ea7cfc8624c791c1ec6751195f926c852c69dfb2aa00129912f7a049dd693c9d3df17563ee4089d056821940f4942032ec32be485fa40a87d1ad27d72b60b8

Download Submit
C:\Windows\SysWOW64\Dmgabj32.dll

Filesize
7KB

MD5
79e17ef9cf06edec7ddd600ef2f8489c

SHA1
e58ea8435b5d5f18542c47b6ce0c7b5d986af569

SHA256
52b4733a5a56fada16c6666bd4875401a05b6ab5a04cda879ab9ce2a9451a655

SHA512
48256c9b996eb8409c1ca11df940a0c0efe7d9035516567b1fc9272fea1780761294533a0aa337333c097360019ee4435073e41bf7b21f096b851f33b60b06f9

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
192KB

MD5
c47bb8bd3a9323d014d98c6763c0ff81

SHA1
99d98a24320a4d669e274a1164322ca0e0097af9

SHA256
ecd161af41b3da93cda7fe7f312bcfb1c3723cbbbabcf4138e242d23b5d09f44

SHA512
1b52eab64cecd0270b4d25e32170155cbad9451710ea29323808268abdef57b3ce7494007f4178680312b88bf12cc88f7bb1316f41f55bec794af7bc37b80395

Download Submit
C:\Windows\SysWOW64\Odocigqg.exe

Filesize
192KB

MD5
e9e76c4f38326e13634ba77041e1c7c0

SHA1
6f544c46033d9e12dead8ed5d46b5207756a5f55

SHA256
ea70f26a8d61d223f9ef636e41f84df957467c2a17b0f409c191df1e974489ad

SHA512
0fa18a02491315f8f23a598c967e56f5e854e9f408fbf0083b8d5afccfffa6c2d902281b105a0d29ab6f032d18725356976710019bc0fb0077931672a52b1e9f

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
192KB

MD5
d48d74ec0306e1b76f1c4c8cb8ba8d94

SHA1
021839b142339b372cb52787a8962929288047b6

SHA256
97c8dee8ec1cf06feeab12f5365f317fa8dbeed946d43d6c08bca942f761af36

SHA512
bfdf537648370b58ef0cfd8cc6535b3a4d4e255df29eabf2240c673a09d801c9aff65af4cddbd277963ec01e93c70079f6f1ac051442a259914608b26a3b9a19

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
192KB

MD5
eb288aae8d1e43f8ac9a0d20aa9538e2

SHA1
6585e69ec2efe1eb1e2efadf81a6f72b3d6c6348

SHA256
d3a27075c7130efcbfc402fd0b2fdfe84703b19fc033d03167f0c2a19c400a90

SHA512
5e4e12fa7f1e474f1c5333690e06f8006a9a3e37628c3cba7053f24d0a4a47c63d82831311fa6f8a803a2446afccc0c867b0c31f9a0cd33b06da83c30c21da6d

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
192KB

MD5
d78e7ca953ee73137b77675de668a1a5

SHA1
1d12477c3728f9f4f1c7d7cf6ccd84ddb75ddc8b

SHA256
a366309ea79cde1385331851767969e260a3231911b140a91c08fdca7d5d785f

SHA512
5d275169140a0625cbc4e078d89a4b6bca886f8a1475376ba791c9d1b58d9d142bd453d78cb97ff5e3dbc682ef3224a7df934e8390328844607a8a8a388d4a63

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
192KB

MD5
5473c7338ab335ef68ad680004e8a4cc

SHA1
14258ac555d09886e156b098e3b352dc87481fad

SHA256
65a73ec51f64354e4e1730ad61fc3f516a24d405d4f1c2c597e50e23163a5d1c

SHA512
99c284d61e654deccc8c36d61a8f89b40887885aeba9c6160ed143133aef82aba6c52e71508ac8e52d6a6764270d2ae1d5a9e8e0fd58e1cf1f709fd4f13cf45e

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
192KB

MD5
54ac8eaa97e0ac9745e0b17443bb7b11

SHA1
65adc6c0b44fc4c782eef7cf28c16250f3829465

SHA256
6c9143ddc63b7904dfff4fda4a185857c195a1831fe2bf62284f9bad5999175d

SHA512
ef0b77a2275c527ef1bac235a71eabb6aaa2ca633abf53348a74af65536e7b0cf681c7052cba8c8a2cfe602223e21caa2e76a6749ec2b30409a28fe5177a73fd

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
192KB

MD5
0d833474a1c0eabe02ef48a7e3d5faf5

SHA1
fc0fb1510c9b45a043437ffd23547577422164c5

SHA256
6d7cc76b8be5985e1c0a92c0596c04a5d788a8442de29adfe2dd682d56a934de

SHA512
2a7ac9d3b553beee901baed428cfcdfc6c6f14103d1b461f9fb02b12bc91c0570a9808f88cbcf687d439922d92d12ce8d4bfcc217462d7e191e33577d8dcdb64

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
192KB

MD5
b7d6b86d27588eca0215c31f8725e690

SHA1
d0ffc87163a0e0b70cbe6d0ac92efb33474ffe1e

SHA256
208005325b30c7839bdcd4b030c61ac8972bdedd9f4ced2f4cde6768109b74f7

SHA512
84b63ef8bfda5fb7498e0612c1b432fd4f17d176ff9a33ddb6eb4dc601c9bc9e6aad6e27ea8f50fba0ec864397d1b9eeb523bf321535dfdbbe1de57a1a39fdb4

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
192KB

MD5
2966c7c976a3d6f2a0f35ec123125410

SHA1
a7c2679bbe68ac6d375be041984daad6f2d54494

SHA256
93750dd1f9be841000fdccc38e3f42ab0dee987bed00388af7dbd02a441d7317

SHA512
52652cfcaf48419d76e920b8869acfefdfd7f678d9e8ade3bb28a86231d3cc5ee5a9486739b141b9ab4ea7653432c7b89a48e320affc45961f898402e576e892

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
192KB

MD5
5934a99ee292404febe6e846d4a0b894

SHA1
ad861973fd7ee798a9539b3a49c6bf9885c1b7e7

SHA256
6347864447d2ec4d48ef0b34a2ac61a19f0ad8e90acfb6e15ca13bf08959a705

SHA512
d73b4ca4f45fe178f8d172f2fc9ae909ae52e576a9bee57f4e6a49a369d943b3f9209c235655b56cfd17b7120eff297278950a2a3eabf7f69b82f1a0ae497a3c

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
192KB

MD5
f960cf02b4dc7512f856f2a358ca6d1c

SHA1
5443f2370b79afe58e6baf36f001c59d9afa1fb9

SHA256
34671447cd7a0df31b971c7538e0c24b26f63736c982fa9a5de75701096e5fa5

SHA512
aa56e62a85cded9fef63e78653f7fe0c0bd867a586a185c0740b82568de3a90846f4f09e585e30b2536c8ba6349f703c98e6629bee381a807a2c67e3fd740902

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
192KB

MD5
e926f5c36e3f639a39bf639e5bbd1af8

SHA1
277c82a7669f7c39da2f30fdb10c1c8ff86ada86

SHA256
1c5f515d5f544b2381ed9cbde2f0230ddee2bcf049247e71a41ab08d578aa2b1

SHA512
c49cc414059845e9b38406d94fe02cf26a752cfc8692efe5daca8f7e911afea9f49c40bc6d5d2396accd5dd8289d2f31742eab127e2b4f2f71908b33bd4548c4

Download Submit
C:\Windows\SysWOW64\Pgefeajb.exe

Filesize
192KB

MD5
564fd7c5556f01d3ce8f14d4efb21261

SHA1
ef1cbfafb62a4952be318b49a5e338e8f31d7d53

SHA256
88ed47e680d7605df911c241c93dd5480e63892896b7ccb656ef4917fbdd12a4

SHA512
317ae164b71379e389cab005ae08d84ba6e02e61be5458051909230db83eee745437d152e7d197424a3773e0ffceaa27d3740ce85c24f4cf507c91369703b8d4

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
192KB

MD5
a35446cdd8e5bf0f1018977b5921fed2

SHA1
e011f8f4f4351b28afac5da42690d0f68eee8dc5

SHA256
fb0221c5fe4f8844d46898cb14fd57d77253f3c6ec559ee8300ac2767c0defd6

SHA512
e356b21ea5ab0de8b9435d17102e6c8ea073ba95264f1ab87a10f544fbf949f22b44213860e7c033e5a1dd30dd7bebe121703023a7dd1c4879ae57eec4d0b3ce

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
192KB

MD5
bdc88d3cb02690305802f5098b0217a2

SHA1
f98b287a128191b0742285303178cda3d2ac3416

SHA256
7e8a05e59c6991216d69860824f45beb9baedb5ae0a1bfaf3da8732614c8e927

SHA512
f7e32419e96a217e09ea05bfde453eaabf151d011da4c92fd450b88d1838b38cbfc76c838f075e0ab5625b238adf183e5ec7e9edb670f548f17c81500345f59f

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
192KB

MD5
6507d73d4dbecea80ba7b086fad60db7

SHA1
04b4c367f5a039d80f09ccae9db6ae4ab55cdf86

SHA256
72a3bad51e2e36ed25c87baadd89c139e12201f84eb1649eb0004b6921e3aee0

SHA512
b3a736caacbe3a7980c6e3efb185f022481c33fcd8280de4ce15d1ee1d55b95dd624370951b574519178560d036af952f108023d8b2f3ea9ab709df4e6fd556b

Download Submit
C:\Windows\SysWOW64\Pmoahijl.exe

Filesize
192KB

MD5
b3ad62ad846b13bcba9387e18ee0e33b

SHA1
fab35d79b579a745724ceb516e36c7b4af109de7

SHA256
ab1c5469d6e7a46cd0499d5c7f1f2a666d17c904c1383612110107bef23909a0

SHA512
b0c4eaff6618fb024a0e4e1e4f40224dcdbc463e0376652938356f63e3f142b13d9c0b50752361318f4b22a63fcf5c850d798fb6a6373cf055f4d1a26689a8b2

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
192KB

MD5
e75a4b297e4332a531c5c5358c98d8e3

SHA1
608d8412a7b55c3a827bd1b2ddbde83d86a77ddb

SHA256
605da7b36d49ebc011c3f478352e02d56e8909967e0d7f3301bad88244c06fdd

SHA512
29ff2d3ae53164ae4be95fb8143e5dbfc4e8707b3767ec4717193f4a2aa6bbe2e52336ac18642d06f7cb6c06b37f0d5fea76528c32568ebdacf7c23fe7fda5e3

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
192KB

MD5
1fb228a82bdf4b6c02cf5dc21cff058b

SHA1
e9e123cc50160770abc2d3f269c15d24da400b27

SHA256
73fe404b40c965569b36f306dfa4a40fecb3fa32242f7d250d144278d0be7733

SHA512
74103fd39abffb9e127d5372bf21cd9926b8bfafa381b3996b19f264cae3b9e0d734626f14ab3d117ba5286239be49ba094c7b8f231c80dee28380582ddbf65a

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
192KB

MD5
46f7005b322e7dffd9b93f02143aec8d

SHA1
fba67c78ac5b522c008de256067bd7e6c05b38d6

SHA256
6a6ab3e5189db9d85563ad4296f2d2af25d170418c24c090384bf165932f30bb

SHA512
b8eb53289c57f66bb9948cdbb40cc7f18024b52d4886784bae9b8fd08493726f9110f8f93b1cb9b63465ef19d842d6d1949e9a4b28a07eed77ced1ee21e2aa47

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
192KB

MD5
218caaafd770c3b537fef9132eed1c49

SHA1
10ca943dfcd42168ef2578ce38783dcf4cc737c2

SHA256
06e72cd9a89594ae4b314a8224061bb2fc2fbfe90601dff730d7688413396fb2

SHA512
6d59811df6f7123a77c1e3dc4913da7770bd3ebf3790802069e8d46248efc3e907affec70d25fab8f15c0e6384bb63829b111f4df51decaa01c2e9a398086cb6

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
192KB

MD5
eb49ad022bc91ea128e296f341775b0e

SHA1
429e0821bbff6c4bb62264ddf096bf50c5288e4f

SHA256
72f152c15d74f4d517b8c732c0de391f885815a29dad3327fed14e42456932ab

SHA512
eb1d7d56644660c4f2c2dc360f0e1a3fab1961e99ae162986fa2534c325d426df1098649262d74e0dce2991d2650c1f3c9829fe2f1ed6cf8ce3f35f0aa507a71

Download Submit
memory/396-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/396-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-384-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/556-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1008-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1008-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1044-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-359-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1736-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1736-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2028-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2176-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2212-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2236-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2288-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2304-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2464-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2508-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2552-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-178-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2896-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3224-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3600-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3600-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3640-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3928-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3928-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3956-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3964-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4256-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4372-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4432-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-134-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4516-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4568-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4584-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4720-342-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5020-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads