berbew | c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
Size

96KB
MD5

f33eb3b3d904b078d61b8859e548146d
SHA1

005f9182a50e9872dcf0c1647e3a7d789212bedb
SHA256

c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c
SHA512

095dcd8aab9280b0cdbde7a9ed90c18575011d4bed62164e0a0d435e970f64ab88896f282064d3edf2236166482932f0906438d4f6ca20a98625ede177343dcc
SSDEEP

1536:CEDkiB3CfgIVqJ0E/8zWa1JCzwF9u6B19lL0EinuW+jGjrW+/BOmuCMy0QiLiizd:CpiBSfgIVQ/t6JYf6B19lAIW+j9+5Omc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogifjcdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oncofm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojaelm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
3288	Ogifjcdp.exe
3560	Oncofm32.exe
2440	Opakbi32.exe
3724	Ogkcpbam.exe
1264	Ojjolnaq.exe
1188	Ocbddc32.exe
4188	Ofqpqo32.exe
3956	Onhhamgg.exe
2036	Odapnf32.exe
3888	Ofcmfodb.exe
3912	Oqhacgdh.exe
1864	Ojaelm32.exe
1104	Pdfjifjo.exe
3584	Pfhfan32.exe
2984	Pdifoehl.exe
4676	Pfjcgn32.exe
3004	Pqpgdfnp.exe
872	Pgioqq32.exe
64	Pmfhig32.exe
3008	Pfolbmje.exe
2404	Pdpmpdbd.exe
2092	Pcbmka32.exe
4320	Qmkadgpo.exe
1516	Qgqeappe.exe
1792	Qmmnjfnl.exe
4116	Qcgffqei.exe
4264	Qffbbldm.exe
3308	Adgbpc32.exe
4348	Afhohlbj.exe
3456	Aeiofcji.exe
2252	Aclpap32.exe
3796	Ajfhnjhq.exe
3644	Aeklkchg.exe
3184	Acnlgp32.exe
3076	Afmhck32.exe
1560	Andqdh32.exe
1744	Aabmqd32.exe
4948	Aadifclh.exe
3996	Bfabnjjp.exe
4068	Bmkjkd32.exe
3464	Bcebhoii.exe
60	Bfdodjhm.exe
4856	Bmngqdpj.exe
3348	Bchomn32.exe
1480	Bnmcjg32.exe
408	Bmpcfdmg.exe
2012	Bcjlcn32.exe
2308	Bfhhoi32.exe
2516	Bmbplc32.exe
3708	Bhhdil32.exe
1600	Bmemac32.exe
1224	Bcoenmao.exe
4296	Cmgjgcgo.exe
3228	Cenahpha.exe
2264	Chmndlge.exe
4824	Cmiflbel.exe
4956	Ceqnmpfo.exe
2548	Chokikeb.exe
2956	Cjmgfgdf.exe
1988	Cnicfe32.exe
2248	Cagobalc.exe
224	Cdfkolkf.exe
2068	Cfdhkhjj.exe
2060	Cnkplejl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oncofm32.exe	Ogifjcdp.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Onhhamgg.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Odapnf32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ojjolnaq.exe	Ogkcpbam.exe
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Kkbljp32.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Ogifjcdp.exe	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Djoeni32.dll	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
File created	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Oqhacgdh.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oncofm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Onhhamgg.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Acpcoaap.dll	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Pdfjifjo.exe	Ojaelm32.exe
File opened for modification	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Oncofm32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfjcgn32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pdifoehl.exe	Pfhfan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5240	3352	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oncofm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogifjcdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhacgdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfjcgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 3288	1044	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe	83
PID 1044 wrote to memory of 3288	1044	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe	83
PID 1044 wrote to memory of 3288	1044	c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe	83
PID 3288 wrote to memory of 3560	3288	Ogifjcdp.exe	84
PID 3288 wrote to memory of 3560	3288	Ogifjcdp.exe	84
PID 3288 wrote to memory of 3560	3288	Ogifjcdp.exe	84
PID 3560 wrote to memory of 2440	3560	Oncofm32.exe	85
PID 3560 wrote to memory of 2440	3560	Oncofm32.exe	85
PID 3560 wrote to memory of 2440	3560	Oncofm32.exe	85
PID 2440 wrote to memory of 3724	2440	Opakbi32.exe	86
PID 2440 wrote to memory of 3724	2440	Opakbi32.exe	86
PID 2440 wrote to memory of 3724	2440	Opakbi32.exe	86
PID 3724 wrote to memory of 1264	3724	Ogkcpbam.exe	87
PID 3724 wrote to memory of 1264	3724	Ogkcpbam.exe	87
PID 3724 wrote to memory of 1264	3724	Ogkcpbam.exe	87
PID 1264 wrote to memory of 1188	1264	Ojjolnaq.exe	88
PID 1264 wrote to memory of 1188	1264	Ojjolnaq.exe	88
PID 1264 wrote to memory of 1188	1264	Ojjolnaq.exe	88
PID 1188 wrote to memory of 4188	1188	Ocbddc32.exe	89
PID 1188 wrote to memory of 4188	1188	Ocbddc32.exe	89
PID 1188 wrote to memory of 4188	1188	Ocbddc32.exe	89
PID 4188 wrote to memory of 3956	4188	Ofqpqo32.exe	90
PID 4188 wrote to memory of 3956	4188	Ofqpqo32.exe	90
PID 4188 wrote to memory of 3956	4188	Ofqpqo32.exe	90
PID 3956 wrote to memory of 2036	3956	Onhhamgg.exe	91
PID 3956 wrote to memory of 2036	3956	Onhhamgg.exe	91
PID 3956 wrote to memory of 2036	3956	Onhhamgg.exe	91
PID 2036 wrote to memory of 3888	2036	Odapnf32.exe	93
PID 2036 wrote to memory of 3888	2036	Odapnf32.exe	93
PID 2036 wrote to memory of 3888	2036	Odapnf32.exe	93
PID 3888 wrote to memory of 3912	3888	Ofcmfodb.exe	94
PID 3888 wrote to memory of 3912	3888	Ofcmfodb.exe	94
PID 3888 wrote to memory of 3912	3888	Ofcmfodb.exe	94
PID 3912 wrote to memory of 1864	3912	Oqhacgdh.exe	95
PID 3912 wrote to memory of 1864	3912	Oqhacgdh.exe	95
PID 3912 wrote to memory of 1864	3912	Oqhacgdh.exe	95
PID 1864 wrote to memory of 1104	1864	Ojaelm32.exe	96
PID 1864 wrote to memory of 1104	1864	Ojaelm32.exe	96
PID 1864 wrote to memory of 1104	1864	Ojaelm32.exe	96
PID 1104 wrote to memory of 3584	1104	Pdfjifjo.exe	97
PID 1104 wrote to memory of 3584	1104	Pdfjifjo.exe	97
PID 1104 wrote to memory of 3584	1104	Pdfjifjo.exe	97
PID 3584 wrote to memory of 2984	3584	Pfhfan32.exe	99
PID 3584 wrote to memory of 2984	3584	Pfhfan32.exe	99
PID 3584 wrote to memory of 2984	3584	Pfhfan32.exe	99
PID 2984 wrote to memory of 4676	2984	Pdifoehl.exe	100
PID 2984 wrote to memory of 4676	2984	Pdifoehl.exe	100
PID 2984 wrote to memory of 4676	2984	Pdifoehl.exe	100
PID 4676 wrote to memory of 3004	4676	Pfjcgn32.exe	101
PID 4676 wrote to memory of 3004	4676	Pfjcgn32.exe	101
PID 4676 wrote to memory of 3004	4676	Pfjcgn32.exe	101
PID 3004 wrote to memory of 872	3004	Pqpgdfnp.exe	102
PID 3004 wrote to memory of 872	3004	Pqpgdfnp.exe	102
PID 3004 wrote to memory of 872	3004	Pqpgdfnp.exe	102
PID 872 wrote to memory of 64	872	Pgioqq32.exe	103
PID 872 wrote to memory of 64	872	Pgioqq32.exe	103
PID 872 wrote to memory of 64	872	Pgioqq32.exe	103
PID 64 wrote to memory of 3008	64	Pmfhig32.exe	105
PID 64 wrote to memory of 3008	64	Pmfhig32.exe	105
PID 64 wrote to memory of 3008	64	Pmfhig32.exe	105
PID 3008 wrote to memory of 2404	3008	Pfolbmje.exe	106
PID 3008 wrote to memory of 2404	3008	Pfolbmje.exe	106
PID 3008 wrote to memory of 2404	3008	Pfolbmje.exe	106
PID 2404 wrote to memory of 2092	2404	Pdpmpdbd.exe	107

C:\Users\Admin\AppData\Local\Temp\c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe
"C:\Users\Admin\AppData\Local\Temp\c3cabea0a399305e8557a2cad033d120e397bbb59b2a63de22379fbe1939a55c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\Ogifjcdp.exe
  C:\Windows\system32\Ogifjcdp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\SysWOW64\Oncofm32.exe
    C:\Windows\system32\Oncofm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\Opakbi32.exe
      C:\Windows\system32\Opakbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3724
      - C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4264
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        40⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        70⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        76⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3232
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 420
        87⤵
        Program crash
        
        PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3352 -ip 3352
1⤵
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
a8798b9c22d212df3313e6462d21254a

SHA1
9673f3eb393666faf87f05876832f41cbacc65b0

SHA256
4a834b662a240e2e2b00b9f793bc6c4bb36e12ad53237e8ae9b31a9e196b70c1

SHA512
87d5e38660ba820da635469392fc30a70886249ab2affac462ae881d99387a053024d71fabb9a74d46dde57db54e272bd46746b9de526da98105f0b768503815

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
56de9467f0f379a957417ef9aea8c8a6

SHA1
7041944311b3c15d4050905424fb8137d959ae30

SHA256
72d94c95e8ad0f4d9d8d8044c2d0824bb83a1141dccf9e9319acca9072df0073

SHA512
ec20e701073ad8671ddfb42c9f2d9f52af21ac3ef18413fff4ba56b51da0171a91e3ca2b9b6623444ba749f8f0854e03c5c37eb7d91c9f5814525eb991311be5

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
ca1f5cb03ffd8b67443ed8da3a0b401f

SHA1
f1566e7e3fbe156d9b8ed21fbb70ad3dd0a254d1

SHA256
8a7141de6f4bedcc5d7740de72afe229b1d230e9f6ac677c57475d913ad6538f

SHA512
608ff1f20260e6316769f4560418d8ec07df68013896bd5f9d831add341cfcbd7619f99b7a95ee7741802d527d1a196a1ad1b3202f660e86da3cc140b77ffdcb

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
ef901b2b25f745169b0b883222c1033c

SHA1
53c896214eab0b9faeda62dded4b60f25adc1033

SHA256
dc522ca14ac663855ace6147b2306fd073898db26760d71e8e44d9120a212ffe

SHA512
ecc442b642541efd52a0e44a5101d974174c6ced30f1c7c2205b2e50fc866dadf760127a5a330f12718e4698b60d01b66091064531f1040a80bea9f59b516b8d

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
367217ec79eda5731325ab8da1824fb3

SHA1
aaac604be5821eab8029a06fb5c48bc904fc655d

SHA256
77bd67b2a9f6ab225f572059dfb3f80f5bca19382db8ac7da6767cc31dc5f525

SHA512
60c21d5cfeef513d83e70a67d42ebdcaad996ff44d31afa2d1f35c25f87d2d35e1d33ca69fb826d838dc78fd1b2057089856f132cd0df4f23e91026af0af296d

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
773a9cf3507b6e68207a155cd7e87d7c

SHA1
fde05831f834ae0bc6768d2a2de3aa50f04d3e5a

SHA256
032784a5a9a918cd6a6cafb6adf53df48ae720e1f320f54a26621ea8318ad927

SHA512
c514bb17dea2197d053b8e9010a64912ffaea14cc1ef025a46b74954f184c0a9b9327c07c631645a581f12b79c203be3adf887bdb174edfa0a86c7fe27ac1923

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
eb0833a6c8fc9db9e289e27b6eec8f72

SHA1
a76a4e8c5967988f96a5f06dc4cdc6baf5707426

SHA256
57cfc8b310ad3fa5d7f39205363426ccbf2ec014af7799fe3ca20bbcbadb1b02

SHA512
ffbf27e662bf5f78a021c960d8085b68b6ae3f1adddeca08ef5ea5c28228e2fb27324b28595c9e52d278156eedddc7d5a48f3c962e93990f62a67645666e8bba

Download Submit
C:\Windows\SysWOW64\Cnicfe32.exe

Filesize
64KB

MD5
e50dfd42febf16455e0737ebeea27ec4

SHA1
f9598f906e0f7d5196d56f6ec63e2e34c4a2026f

SHA256
00176f303974d014a9cb7347e9dd4939e3e904a17dbc6a0a988dd3168e0ee27e

SHA512
68393b28340221d1da3b9133868b5a0e85e86ab9017176c58254e7b32d88de7016e6af99fd5d8bcaef508bb131ef1d6d346e45f87b5ad3d4c89efcbe6e495b43

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
96KB

MD5
a8c925e3718522e65fb38b773f239b74

SHA1
45f966b3ce9f024268aaa8c07e93ac6aa1dbe5c5

SHA256
7ca180462028571c8f6b77316cf6e6a7d664701bde97c789850934b056619f3e

SHA512
4de3dcbd457b9f98fe3e2061b4fc2eab2b339d2b1da2dd24fc97be5e6f3ba2bb9dab2e7eb9806456b5c0171571d3d13b6e4b7f8ec60d948e06ff7775124baebc

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
96KB

MD5
707d9c971a1c3c01f98bc9864044d3e8

SHA1
98db311b857e2435d0526c128e00631627669f66

SHA256
74cfea9abaad8dda8373efa57f4e4298a616c2c3582a1291028e247b37637d34

SHA512
fac1528fca04788163e0af9fa10738a8c47ced3f2dd51e98089de9a7ffde489ed17dd430539ea1bbdc3c451e25e326a3800c7703c786f4cd56316da7645197fb

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
96KB

MD5
215128fda59c48295be8a382643d435e

SHA1
c6302729cfc324227150097b55b4df0532d615ef

SHA256
86aad7c84727b1dfcbb67369c923dcd58ccded70255f6a2826309b07b54f84d7

SHA512
a1c66f65d071d62c814ad6caaccd0b64d64545d3345d43c666e08b1a569b23e1c5688e33941649c41227883b91335547fd5fe26d1731b69686283e8eca85726d

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
96KB

MD5
85aee95c1d1df31e4cac206bc58ed019

SHA1
05c032ecc53ff329952055d1984f075c8c386c25

SHA256
19b1afa329be0bc98eceae567980928ae9c5233c048492cceddb25fb1a7263ae

SHA512
349dc3a8329c4624ba91bf7cccf25bf121667ce46087c6fbb9caad022025eb1c34fd1900031e7a2b1cd99f303bb9c3a1b6db31b902422f5affcedc562a175169

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
96KB

MD5
c1073d91821dbcd6077c15810d0a4700

SHA1
1ea9baeb244a6610ffd0354e0394ca1ac3c50a74

SHA256
14cbc1ac5b2d7e5fca193ef19bb22f7ba9403af38c9608ac8713565addc893a9

SHA512
b62275802459047a2bc2225ac8399fb46436bf2aee811a99e52e1557b929c1c37f36e2f695a1243f57b9d48686f412ddea25419b2e92140cf9b106380e7e57b4

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
d1437cfd5bf22eb1379e904291e22ade

SHA1
6ae80cb8ffc88e73b54520253310217f763823e8

SHA256
bac2728788a521290aa0f204df008f0de3225136009495b50d5f37633fbec5d9

SHA512
afa92e31fe58345eefb973529743cf7fede16d919c62aa18038df4386108a857c5ab142f416e5274fcf6e515fc5af8744fa0dd64532485f9f0d3e6a8dc54d1d1

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
96KB

MD5
92b3507b859865add20c842f80c9a153

SHA1
66651b28fddcda5a2aae458086072090fdf257d5

SHA256
fe33fc647ff45f80bce9184d934a5fbd62865cf2e5b23660701cd8a8f7796ced

SHA512
8417b9b9a9c326d86abef40e5b1b6dd9519e0f0329f2be6bab1bb115b960faf9c322f7306fff2c7ceb87aa24cf20d8a362e4ed7a8b10dec8479a2ba5753dec11

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
96KB

MD5
398aaad9248e073f5a08ea4ab20360b1

SHA1
8ec2ec5ea6f9e51becd729451cc780992dc00600

SHA256
508a01d651cbaf85f8712e49aef841250e88827363a47dda6c0474c6b75c213a

SHA512
ff6837fa471e758ecb5550a1440777b5fbfc9221a061939c45253636f356bfda22eb0ec5f195400524a67d508a09b51cefeb384aad61fa428af2b688f370c94b

Download Submit
C:\Windows\SysWOW64\Ogifjcdp.exe

Filesize
96KB

MD5
fa0c547b4e8efda5543a94bc53801a22

SHA1
fd30dcfe08eabfda4529a818db59d75b41516989

SHA256
4ea4a7d19b560aab6efc26f3ef52e9ecee50895db1e8c7e855bd6a74ac5efc03

SHA512
eda99dcf1f08075bb04519a6476e40f06fc6dc191842b19e4d4dac8ea199df23dbdad7476c3a602e1ccd6a4eb65fe6d6d9dd1f8be67ee2120b593158efe63d81

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
96KB

MD5
210725fa56e78fa4901a13f0be13ff76

SHA1
d015d5b44fb405274653c8bd0c9e2d5188839aed

SHA256
0562832a375875be4f0826ae697d7da8a03e914b0e11b1af2e0f2879f684aba4

SHA512
ea03c3117eac56ad8f22fb5f86e49d3bf1a25e34c67a4dfd4d282f8b6542dea0c07554a5c3d1a7f3b7309d095f80924940d0b38c566370dbe7a68680492778d6

Download Submit
C:\Windows\SysWOW64\Ohjdgn32.dll

Filesize
7KB

MD5
18567cba1d30480f1f6c577231068164

SHA1
2fcb8228857b381614f780dba7837dac5c7c0ad5

SHA256
90e373b8f33972c266b4aa9fd81ac98c70a9341610c2573c2978b389b082671d

SHA512
6c5f939e6425c2fdce5448a73832fd798d7f9d68121d9dda6e9dc9a468e5315d12d63dc3b065f597bf7e39035676afcb56a1f264115cd1e71fa0d35d62c6ab21

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
96KB

MD5
2ee8e0930304fbd3af57392ca794a1b8

SHA1
4db263e32f12408e3e23e5672ef69950055af082

SHA256
c15651e48d6478ecf06c799864a18a99adb9293ed8747593760d26d8a87001a8

SHA512
de89a2773f44202b5a7b10cf83f0e0b7b3859f663efba1b1422b35c9efa0ab6307396ee2d518fe3c224a02941c348bb579b64a444e55fe2734165c63ea8bdcaf

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
96KB

MD5
05e8263c6c940511aaa587b64205b3e1

SHA1
4b577df2f6b21323a49ec60e30502d2deb2d2dd3

SHA256
c2e7734f4eb1c9b772561985f817c88e0bd0672cdfc6ea8787163d0116de0a7b

SHA512
2538dfa48edfc7be165e4dc1c52f7f3f658c4b5138c8159ad8019203c38a8e4bf255a80bbcb280ec4376c9475c5bfe436f0932d879457c58656a1fcfadc724ec

Download Submit
C:\Windows\SysWOW64\Oncofm32.exe

Filesize
96KB

MD5
4ee6b54701a8f3218cba1219a5e9ab98

SHA1
5b7f0ba13d47d864d729ceb291629f076fee68c7

SHA256
39bd649eb9b7618d511304c0a16ead9b02cc185f3e6cb45a969a4ba39cc3869e

SHA512
6fe1feafd90f7c38449a7096fec3022343db78bf19a249c3e51e22a94daec0d61564a034845004aecb74df7ac970e875dcab2b2372db2096bf26d9e61039d341

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
96KB

MD5
4d6c655205da0c4c94776564ebd83738

SHA1
f1a4679f4619cf417ce13495051dd7ef0e2b6279

SHA256
bb520c39dd7f75792f651ca3eceff67d629bf5e530af6c8e2f2caaf2c7ab526a

SHA512
af46edfd4a3fdb2d983846f9cae341bd4eba693acfc9d93be4d37d2008f2c934a97c1257e34febfdd4a941c80e16928a2112f210590a7c59eab209b10445f00e

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
96KB

MD5
50d578cc33081cbcc0993c2a1746cf63

SHA1
c47855966819164f322d93560913a5748ec60cd1

SHA256
b0a86382297cf807e30c2c312f8a80585de7c882aa5b95de7e9f215033a26d13

SHA512
37d02fa355088846f540341ad5e4763deb920f4f5557868e6a71500340bd4637b50344ec42c44f936c638e03d49dac9dd17befedc85365f9fb792a2576760e07

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
d47653c10838c2585b8ea0fa20227c90

SHA1
7c5fd5ec72aff89847645e5255081907dcd7d074

SHA256
28d897e79e4aafa627741cc6169a58497147e5fe4c2c8b00d3dd72e8615c82d0

SHA512
1c91a52ae80338435c9130dacf6e17b054856c35a5d3dcc929322f3746c7356d877ab20f4b56ff4c8aac58ee2c0417774047523ef1a81f5d50581b3aa5e74f0b

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
96KB

MD5
fb80b127b65734ca4cbfe25a0098ea3c

SHA1
34ec81290eb70c16b1f31814c62c2c2efbd0c4de

SHA256
d9b8564a25930d9984dd15950fa5f7e790666d0e6166c8fec8341d8c1d1bd75c

SHA512
fdbc03cd2440175e5ba894e3ce38ed4b0c3c8f1219cf0ef2d247cdee15a08e2914e3d2300f6984bd19e2c76748688756bb476cf55555ea197dea6a8e16394929

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
96KB

MD5
d286e452381c2f8f78e9c578d002c864

SHA1
c9132d9c0257e86dc0bf10b3da9bde299fde9f9b

SHA256
9fc09e2ae6191290bde70e0ca409a6d1b6382792cca2388e62f4d261cac09fb1

SHA512
cd0f4746a87c31e5494e4c1f81b377737884c466289637ceb550da4f32648915e6cf06fb06a4bdf1896b15050a0368780c63c11ccd3657d6820d9b037d29dfad

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
77cf756e91cb3f740517547b7e4d59ca

SHA1
df8894bd56f31cd9827d72e8be732cb398882a9f

SHA256
cd7591fb9b14478a028ab43ee7bb00addb72e8a97d4071a6a3577ad0bd5a62ff

SHA512
506742ec189cc6663c0a25f1f2d05b463df03910682b2b0d275bcd0f658fa7fc46092bdee809ffbb5dbf6d2ebe6beb1c87db06bdd72930f5d4acea27a1957879

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
96KB

MD5
9000923e8a3130ea664c6efb6747fdbc

SHA1
cb1fdfd1041c737fa151208534576f5c765489e5

SHA256
3586838c527b780288784de93385f5d06a6f84c7b119dd96dd8dddc4c44d18a1

SHA512
adbe7e1fdcffd0cead45d04da64ddaefa0a81ae26649921841994ca18db2414f5877b7c7ca86decefbbdc488cedb2bf47aec11f69d7da917c8935832f61dd890

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
96KB

MD5
3d7cc1bada526ea0f5bc1ee7f0c81337

SHA1
fe363c316e38d6d281c67ea89ba9de927c49952c

SHA256
187d86aa1ba0b08f84244a8a3d90864e49491108dadd86c7054cbd1806a57cc7

SHA512
bfd29b529e6404d8c83cc633007d070d8385ec38e7120ea8fec1e4287b9366c57a7ecd4a7d6ca3cc02728edddd149ac5d26f879fc1c559ced318209f1435ccd5

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
96KB

MD5
567e7f5adcf6d5e8f338271466bfdb12

SHA1
04f88d195ce317302a9dd3924778d49f4c8aa24a

SHA256
3ef5ce0dbf1803d897626345b81d674b1d995b6e7ae8fe47eba9919d0d1fc755

SHA512
2656f0029aadeddf269081d87ceb77a4686f8fe4244e33b7630eadf5dea8ddde36be923afcae81b487ee769c685a70b23543e69c40ba4b9ae25b76cd4ad2f76d

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
96KB

MD5
7cad701900a41c3540e03faf858ec87e

SHA1
aeb87817f21d0b0c38f42832d4631032bbe08e63

SHA256
4446fd0d4597f5ee207e12f891a1116b7036dcc64120d5b38070752145125948

SHA512
bc93b5642199fde58160931d8636843ed016d34bdf31eb18721d84586f4b5c96e4612649ab6030788430880bc0262049ac1fced55fd3acfce847ac8ca589bf48

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
c5510a85175df1f28357c8ac51fd0766

SHA1
5d5e9e92691803d69cbe98b65e5fb617658fb160

SHA256
810739ebcbadd470b23c97d7ee7e555221f8d24d0fb529208f602d9191ec28cc

SHA512
b0fd6747f694bd8bbbfbb98ce99a549f68ded3dc05a6365c9243faa0f1b51c6931e72d473ae3bffc0177a64caff2b979a068ebc454dea10ff5b1227a7e79feb1

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
96KB

MD5
ca49e55a38c3a08fb5ef364e2d86b418

SHA1
ba169cec5a547bd19572dad56b4fab34e5e55304

SHA256
2a44a3e06e12334ae580728c5d26ee4332089ac2ff7118618e67df70e2fc402c

SHA512
cbead288146520d39e999cf304b38763f2cbc493578e2701feefe26095feccbcc6c1937d13b712dc7a35a9e02ae3cca3ec839c57564d9039dbd2a968c7275cb3

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
96KB

MD5
a9134abd9f7025ead90d0706665f9b36

SHA1
010a1140a028f4a2acc2a490924ead1e15604a5e

SHA256
8c8fa91ff4148845f446961913337aa5ba1acaa4561260c0b527f175bffdb2b5

SHA512
f68f080bbdba68160028755b6f654c7f1f6fefde01d153190a70de676297d5103ba18abe5ec3b3df4714b4526d040318402b3e1f0489e592fbd00f9d3022c28d

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
96KB

MD5
fc8be1067701caa95504c6acad25c79b

SHA1
723b5b415778bfb03c85be3d9f7e4820ce06eb8a

SHA256
5085fed56066728a912be5c6000053875023956abf25859421c28718510187b1

SHA512
ab37c3d202aca699c6663ccff29a17d553cf45959860d79348ca0537b660c88eb04478f4fe869f2b9636fb511e0de72118376a4556a26ebd4a5dbaa4420cf5d1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
96KB

MD5
0c50bb0c80f9b2029e134ce9a30c2077

SHA1
23dc7b86e12026f16b7a2f21e4bd4f7ef323aff2

SHA256
327735092a604ec0eb67631b461bc07c63b36090b32b5eda7361c4c2b66c1cd6

SHA512
020b706ee821bf074a1b10827b462dbdeefaaa999c75729d704db17212005e0e62bb9b3401985e9e19cc50cc67446eefe6f7601ea97d94ccdc12aaac5fa85d14

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
96KB

MD5
89a175cbc641ecdf03cf06aabd1b4389

SHA1
2cb60f6181b9eaf22ddfa52e453cbe9b9103da72

SHA256
c0b0a296d429f2ddf44b892cd6305154148602b4bb01a4dada2be94838ed92cc

SHA512
a0d94cf6f61feb952be8e46dbce623bd454547371e3620721be5c46332b322eaf1cc6a40cbb2026982bfa782c09aabe161b1babfb582530cb1cff2fa2c6b7b8e

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
96KB

MD5
1cf370d0e5da3bd59b3bb00949896318

SHA1
b44467d59f6b21e345b11304e778b11b54a17f64

SHA256
d1d83cee90acdbf80ea669a9fdcf9c0377766e01c5f903d273423e8b2325421f

SHA512
a279d1a396618a5b8ba68f95ae4bbe2fa6a1ca9c159e71dbaeac139b00b19cefeefb0d00657ab065ae40c5e10f16edd7eef148897d213e25a44421f19cc0cbb2

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
96KB

MD5
8a8a6a98e809d74919fe768124456140

SHA1
18aa2a3c5592b433db0256aa45016f4112615704

SHA256
7db305a793e56e98114beb385ed0869933bce22db4b7352e3571405ce3c36173

SHA512
6ed09f36a010434a1ab51d0e479934526cdc23e53c9eb4c1f98645ef76a4d61b6b9f9b1c7d44629fd46a00c7c6b570dcf7c81be772031b3e4ecdf62201695346

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
afa0cd85943c5d6bf6c225d86a003236

SHA1
f1a8b0ecdf56a34f04ba53ca86918785de514a66

SHA256
a5bec56b38362ac9e3314d76643733a94d6efa07acf50faa27b45b73b9fdc199

SHA512
e2bb225a01e37d8470f060dd4c2417bc2d1b9dd14956ff02fbe42b15e7ad8d90520409ca3007b1468ff60004134042acbcf7a1fd8aba50f834f69337ccf7e05d

Download Submit
memory/60-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/60-410-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/64-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/64-162-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/408-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/872-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1044-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1044-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1104-108-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1188-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1224-411-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1264-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1480-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1516-206-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1560-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1600-404-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1744-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1792-220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-98-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2012-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2036-160-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2092-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-275-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2264-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2308-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2404-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2404-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2440-106-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2516-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2984-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3004-233-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-264-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3008-170-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3076-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3184-297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3228-425-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3288-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3308-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3348-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3348-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3456-265-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3464-403-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3584-205-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3644-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3708-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3724-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3888-169-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3912-178-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3956-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3956-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-142-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4264-234-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4296-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-289-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4348-252-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4348-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4676-228-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4824-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-417-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4856-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads