berbew | 53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe
Size

74KB
MD5

a9c782c74a8c934d0dbd5b0f590ee15a
SHA1

440205c350c64ade1f17b24f8cbab593e9b2fcc0
SHA256

53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6
SHA512

038ec19db9f57975c90330885d630e0e2ebd4ac2422d0c34c21893ebef432865b69b6b75bfb325323bbc6e7653be94e25e3142f40850f8d15c584332df30f49e
SSDEEP

1536:/KSXKdwHQ67N4tXJwn2oisV8Asrfb3pHGebRNVg2dTeI:y1J67N4N62Eybb3pmebRNVgceI

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olcbmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olcbmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhacgdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojgbfocc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
720	Olcbmj32.exe
1912	Odkjng32.exe
3912	Oflgep32.exe
2432	Ojgbfocc.exe
2876	Opakbi32.exe
1584	Ofnckp32.exe
3640	Oneklm32.exe
4460	Opdghh32.exe
4768	Ocbddc32.exe
3788	Ojllan32.exe
4444	Olkhmi32.exe
2976	Odapnf32.exe
2132	Ogpmjb32.exe
372	Onjegled.exe
4936	Oqhacgdh.exe
4816	Ofeilobp.exe
3456	Pqknig32.exe
4772	Pjcbbmif.exe
3728	Pclgkb32.exe
4624	Pjeoglgc.exe
4776	Pqpgdfnp.exe
620	Pgioqq32.exe
4456	Pjhlml32.exe
1608	Pqbdjfln.exe
4684	Pcppfaka.exe
780	Pjjhbl32.exe
956	Pqdqof32.exe
2180	Pgnilpah.exe
3736	Qnhahj32.exe
2708	Qqfmde32.exe
1224	Qgqeappe.exe
4024	Qnjnnj32.exe
3712	Qddfkd32.exe
1320	Qgcbgo32.exe
4680	Anmjcieo.exe
4700	Ampkof32.exe
4788	Afhohlbj.exe
1392	Anogiicl.exe
4864	Aeiofcji.exe
1808	Agglboim.exe
408	Ajfhnjhq.exe
3172	Aqppkd32.exe
2576	Acnlgp32.exe
4432	Ajhddjfn.exe
3596	Amgapeea.exe
2324	Aeniabfd.exe
1772	Afoeiklb.exe
5104	Anfmjhmd.exe
892	Aepefb32.exe
3532	Agoabn32.exe
1832	Bfabnjjp.exe
880	Bnhjohkb.exe
5068	Bebblb32.exe
2336	Bcebhoii.exe
3872	Bfdodjhm.exe
2372	Bnkgeg32.exe
5076	Bmngqdpj.exe
1332	Beeoaapl.exe
1644	Bffkij32.exe
4984	Bnmcjg32.exe
2236	Beglgani.exe
3760	Bjddphlq.exe
2676	Bjfaeh32.exe
2756	Bmemac32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjjhbl32.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Ladjgikj.dll	Ofnckp32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Pqdqof32.exe	Pjjhbl32.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Oqhacgdh.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Opakbi32.exe	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Pjcbbmif.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ehaaclak.dll	Pqpgdfnp.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File created	C:\Windows\SysWOW64\Mnodjf32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Ojgbfocc.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ifoihl32.dll	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ofnckp32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ojgbfocc.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	Ofeilobp.exe
File created	C:\Windows\SysWOW64\Pgioqq32.exe	Pqpgdfnp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1932	2856	WerFault.exe	179

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olcbmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogpmjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcppfaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgioqq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofnckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmglb32.dll"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehaaclak.dll"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladjgikj.dll"	Ofnckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogpmjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojgbfocc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hppdbdbc.dll"	Ogpmjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 720	2844	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe	82
PID 2844 wrote to memory of 720	2844	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe	82
PID 2844 wrote to memory of 720	2844	53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe	82
PID 720 wrote to memory of 1912	720	Olcbmj32.exe	83
PID 720 wrote to memory of 1912	720	Olcbmj32.exe	83
PID 720 wrote to memory of 1912	720	Olcbmj32.exe	83
PID 1912 wrote to memory of 3912	1912	Odkjng32.exe	84
PID 1912 wrote to memory of 3912	1912	Odkjng32.exe	84
PID 1912 wrote to memory of 3912	1912	Odkjng32.exe	84
PID 3912 wrote to memory of 2432	3912	Oflgep32.exe	85
PID 3912 wrote to memory of 2432	3912	Oflgep32.exe	85
PID 3912 wrote to memory of 2432	3912	Oflgep32.exe	85
PID 2432 wrote to memory of 2876	2432	Ojgbfocc.exe	86
PID 2432 wrote to memory of 2876	2432	Ojgbfocc.exe	86
PID 2432 wrote to memory of 2876	2432	Ojgbfocc.exe	86
PID 2876 wrote to memory of 1584	2876	Opakbi32.exe	87
PID 2876 wrote to memory of 1584	2876	Opakbi32.exe	87
PID 2876 wrote to memory of 1584	2876	Opakbi32.exe	87
PID 1584 wrote to memory of 3640	1584	Ofnckp32.exe	88
PID 1584 wrote to memory of 3640	1584	Ofnckp32.exe	88
PID 1584 wrote to memory of 3640	1584	Ofnckp32.exe	88
PID 3640 wrote to memory of 4460	3640	Oneklm32.exe	89
PID 3640 wrote to memory of 4460	3640	Oneklm32.exe	89
PID 3640 wrote to memory of 4460	3640	Oneklm32.exe	89
PID 4460 wrote to memory of 4768	4460	Opdghh32.exe	90
PID 4460 wrote to memory of 4768	4460	Opdghh32.exe	90
PID 4460 wrote to memory of 4768	4460	Opdghh32.exe	90
PID 4768 wrote to memory of 3788	4768	Ocbddc32.exe	91
PID 4768 wrote to memory of 3788	4768	Ocbddc32.exe	91
PID 4768 wrote to memory of 3788	4768	Ocbddc32.exe	91
PID 3788 wrote to memory of 4444	3788	Ojllan32.exe	92
PID 3788 wrote to memory of 4444	3788	Ojllan32.exe	92
PID 3788 wrote to memory of 4444	3788	Ojllan32.exe	92
PID 4444 wrote to memory of 2976	4444	Olkhmi32.exe	93
PID 4444 wrote to memory of 2976	4444	Olkhmi32.exe	93
PID 4444 wrote to memory of 2976	4444	Olkhmi32.exe	93
PID 2976 wrote to memory of 2132	2976	Odapnf32.exe	94
PID 2976 wrote to memory of 2132	2976	Odapnf32.exe	94
PID 2976 wrote to memory of 2132	2976	Odapnf32.exe	94
PID 2132 wrote to memory of 372	2132	Ogpmjb32.exe	95
PID 2132 wrote to memory of 372	2132	Ogpmjb32.exe	95
PID 2132 wrote to memory of 372	2132	Ogpmjb32.exe	95
PID 372 wrote to memory of 4936	372	Onjegled.exe	96
PID 372 wrote to memory of 4936	372	Onjegled.exe	96
PID 372 wrote to memory of 4936	372	Onjegled.exe	96
PID 4936 wrote to memory of 4816	4936	Oqhacgdh.exe	97
PID 4936 wrote to memory of 4816	4936	Oqhacgdh.exe	97
PID 4936 wrote to memory of 4816	4936	Oqhacgdh.exe	97
PID 4816 wrote to memory of 3456	4816	Ofeilobp.exe	98
PID 4816 wrote to memory of 3456	4816	Ofeilobp.exe	98
PID 4816 wrote to memory of 3456	4816	Ofeilobp.exe	98
PID 3456 wrote to memory of 4772	3456	Pqknig32.exe	99
PID 3456 wrote to memory of 4772	3456	Pqknig32.exe	99
PID 3456 wrote to memory of 4772	3456	Pqknig32.exe	99
PID 4772 wrote to memory of 3728	4772	Pjcbbmif.exe	100
PID 4772 wrote to memory of 3728	4772	Pjcbbmif.exe	100
PID 4772 wrote to memory of 3728	4772	Pjcbbmif.exe	100
PID 3728 wrote to memory of 4624	3728	Pclgkb32.exe	101
PID 3728 wrote to memory of 4624	3728	Pclgkb32.exe	101
PID 3728 wrote to memory of 4624	3728	Pclgkb32.exe	101
PID 4624 wrote to memory of 4776	4624	Pjeoglgc.exe	102
PID 4624 wrote to memory of 4776	4624	Pjeoglgc.exe	102
PID 4624 wrote to memory of 4776	4624	Pjeoglgc.exe	102
PID 4776 wrote to memory of 620	4776	Pqpgdfnp.exe	103

C:\Users\Admin\AppData\Local\Temp\53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe
"C:\Users\Admin\AppData\Local\Temp\53081f7e1dcce5fc63cfe56517fba9376207386eaa6e4e1b12a733461cdf68e6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\Olcbmj32.exe
  C:\Windows\system32\Olcbmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Windows\SysWOW64\Odkjng32.exe
    C:\Windows\system32\Odkjng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Oflgep32.exe
      C:\Windows\system32\Oflgep32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\SysWOW64\Ojgbfocc.exe
        
        C:\Windows\system32\Ojgbfocc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
      - C:\Windows\SysWOW64\Opakbi32.exe
        
        C:\Windows\system32\Opakbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ogpmjb32.exe
        
        C:\Windows\system32\Ogpmjb32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Oqhacgdh.exe
        
        C:\Windows\system32\Oqhacgdh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        38⤵
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        39⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        53⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        68⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2908
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        75⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        80⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        90⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        91⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        92⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1052
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        98⤵
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 416
        100⤵
        Program crash
        
        PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2856 -ip 2856
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agglboim.exe

Filesize
74KB

MD5
1a03dc30635cbb474689aae33755ec95

SHA1
6d880a722546d5570455bb7b42ceeaa436ff9b56

SHA256
6b898d68276751d47797729c6f787c94f575d847e76a8b9ffae2c73eba94f64b

SHA512
f322b2c681567b16133ee332d8230d0961fbeeb41acd59b9554390df8b03b230bdcddc0515751159a193c5550ed8cc09288d23ddc54f4061d197577485e6cf73

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
74KB

MD5
88e9cd4d5fa36ac9021c9aa650ef3452

SHA1
c9f50e5bdac6a46343407d5325ca768703d7cf92

SHA256
58c50e213c9b06eea6abc24219ce831672256549ab6228893b27907f1ac83c49

SHA512
42bb66c7b7f0ed97387d34847444b184cf48441726fd1ea248425fba4d688e8a2230034afa29cf44f51944f138fa56863a1b36ab78dc13473e47fe17c4c2e267

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
74KB

MD5
1127468db80677aef06f6820a3c20368

SHA1
6ab50be0cc76885d96dd9583406b71a1fde2074c

SHA256
9214a924e03ca6e40b1506419c144ea6978ab30d9823e1ec8b7ce3130d12bf95

SHA512
e0c67cd9b42fe8e53b8e69256d04ec2389631eebf7ea5ea1852e66d522645ebd6d181fde5111f9fc02fdacf66b1559ed1c6deac41c9eb05a7d5a929c1263230c

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
74KB

MD5
5e95978b1d7c6ede2cf242ee5420e09e

SHA1
00e27e8bc456f1951e10ff8bee0e7d80297eebb9

SHA256
fb1c5c46103dd19cf2d4c7aba08f2e67c273f5661cc73ab1bc7084da0471f6fd

SHA512
8df39d7ad6c30b1a9d9780d9dc56f34f56ba008bb8aea4440660a7fa9492671ec5bfea324614840236e25c8e5015fb196ae2e54da0e08ae3737e126611e02979

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
74KB

MD5
bbedacd102780d0aca7ec08781102096

SHA1
058c237967d6af092da0e8fe0c93efc6655170d8

SHA256
3412c56096376f17f82c9599a8c5ce1b3015172659fe68b0b0ebf3158fb325db

SHA512
4fa181e7df012c386852da8616dfe3001254598c6f7ba3690da2ddf1c9e48163ff260415d27d0b4e96109f36413b0e6b18e663c16b9b04f41cac42dc8b149bdf

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
74KB

MD5
4c610f9ce175823f6c9db0b04c45c40e

SHA1
8ed1da216f4e55463eab90d0dbbe02dc9272f1b0

SHA256
53e2146d7a31d397c4830962fbf3aa248c75a26e0b7c5180d4bfa54713d33d00

SHA512
df9082585f936b770d23cbf038ae7b496da31c1bef60cd4dbdc69fc96c4ca6ce59073df64180a3e016d54a49383b3542dd416bf93d86e8d16651f1908112d777

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
74KB

MD5
2c88b5fa7cc91f7ae84a0423a92d2362

SHA1
d3fcb88be87b377c68b7c49007564e69a0c1c219

SHA256
286f909c548d344d6e55b7c397d804ef42a688396c08596b5c705551763428b8

SHA512
587c0f8ef16c15ad7ed4b1bb76436f98a308348e66effdeef794bb7384f48ae755ada7c5047c5e92ecbc8876b7a4a61b5b3dd6f5d2b7bb05b0e6861ee8288834

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
74KB

MD5
f17c932b5e940b68986fcb1e09ddcce0

SHA1
a36155ecb67131469a1ada59ca2b336d6bffa701

SHA256
d2f226d7098f07f9db872224ab77b72755ae383fe05070ddbedbe698fd727dfe

SHA512
2752c7dc6718ee3e1817c47d7dcc7eafe1dade87e637a871d6e7a1f87602f21fb939c62528c1db16d6e039f1c17868dd9f9d228c0296293fa653d08c1a18eb32

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
74KB

MD5
74cac0d124f57313a6bba85b76d5b76f

SHA1
7c74b8879ea7049889109efd7c36dd2144e0250a

SHA256
83e133c1c5cafb014eab170f5d3147282dfcaa2b3526a8e0ab10c5c3b41db0ec

SHA512
9638c38d87bd4bd0ef659cf5387681f1e187790e304701e0e6b77926fa162c147d0d93c9ad7eed79673728327616f132180dab0aa51b8fb1b0a50ed05b4b5040

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
74KB

MD5
6eadf492d6fe1e782e2c46912f6efdf4

SHA1
5a851717759cd8bbce59672fe1087231a710e18c

SHA256
08c8cce41b1759fd66519b20f69be19cea0c781ca2e78498948ae8cdd6592e61

SHA512
38c33808531e88917380063032b69e5943202cca0a5075f6a8c60c47e9ede8c8ae0cb83552775b1b86c8b7e14054c6ce639cb2507115f7a0ab7a8a86a4356751

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
64KB

MD5
6033c0f9799b51018f45fb4d6765c60e

SHA1
463badb0d17b78485ce39536a476793c824c0af0

SHA256
13896a0436015bc698c383aeca653ad7a36fd899c995b1dad06dabbaa20d69d3

SHA512
c51bfd3978ae6bf02800a5f3daef3e92d5acbb63d3840727d01b57c788caf272f6bb1651f9132875f201172eb619020d1f44ac5d48462f8dbd40af30fb7a99bc

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
b31af45dc69dc4f09a630eec47e7dc15

SHA1
9be0013e4244055b461751a150ef558cc391fc8a

SHA256
bae192af6abcd617bc8342164ebf2d3e6d991bbe2c985e2336ccc06b81d6953b

SHA512
13b67ac70fd070fee9ff5afa4c3869ecf03af044127542796ede47cf92f59215b26c2e5a8378ac753a8f2b4d00327a9f3206904dcfcd8d58e0f89b9e82c0570f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
74KB

MD5
29e7be98150927f32d4658b01965d45d

SHA1
d2a2c7b5fdd2aaa47f9569655b99f29f01598efb

SHA256
833637520350d0e68d663144e942c8d07b327a92f37f995787891a832c25f24e

SHA512
b8d95442f07a8e1078ade340021ebaba4394122df2253c08d1ae512ca267054ad7fcd598a1dc963467696ab27893fc6547cdbf1e268104b3506dde966d3a0882

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
74KB

MD5
79ec33a2ec9ece33c411525d042c2ec5

SHA1
71b49cb8f2740b58f2207cd80549c0eeea2854e2

SHA256
91f8896512cccb11a681179575fe6eb8393a40d7d85c17905146390b64c69703

SHA512
c2d5b9464b667de59da3980f548bd8ad6502ce16b1df943dc47e0fb05336ff193bae7a5af764612d4a6a40fda63c562019e030525baf52ddc8384ecb8d618254

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
ba9eeedbe44b83b93238df9d3aa4d65d

SHA1
784a1f60e713964dc89c37957bc81c792dda50aa

SHA256
0624c8bccf9b640fb062cfec03fa409260469febf618aa563987958647730259

SHA512
c90453b8d7269469fb465560204a78a6fbe298f2a926f28bba2d54af9e8cd0b9753cdbb9e4271c21fe4b4d8f622e14df1809b3d1ae044cae272d387b6aad8f74

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
74KB

MD5
480a1f8f9ba190feb79c7706a14ea479

SHA1
4f00d2ea9231e17b30a537a7275a980065f5095f

SHA256
686fe7017d3a6638a27e0693c47441bfbf1cb9729a623e51e8f8f0e1d6c3d966

SHA512
29bcfdf7512c2aec5bf3adbef5069a41b47152b4315d6afc66e619933f9207dda30a6405d876ce5e0d2cf4ef8a6ba9e1f22c0231cc21937f458a308a7c513919

Download Submit
C:\Windows\SysWOW64\Oadacmff.dll

Filesize
7KB

MD5
f39bf3e09c106c3f5405e0a4c96e4473

SHA1
cc34dc67e67c46d2e802e9de5fb2438658933db7

SHA256
d679379857eb064e4f4481fe33402104125a06d48b4794aafecac6f83f93c264

SHA512
ace945a930f354f14f9261352b5189549b48ae77b8761d8ec16279cb2409c5376e5edb7f2afd337452f3c1b3707d89a193d86dd9f67b8f074649ee9a63ab4b32

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
74KB

MD5
1af7b08d6252b25195416fcd6cb96a56

SHA1
19ce7d14edf87a6da565cf084c3b309dca3ed62f

SHA256
a32e7f28d4f08bcc048d9ab08005f96d407ac00e0e1492b1e50ec00519a294dc

SHA512
17c5d216e2d04adf2b4207b8e670f12ab97fda2d4a2ed947e1e3da8074682beff53eda544836c2a8d1dba753c55f4dceac011b9c3e7199525c139497b51b4b71

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
74KB

MD5
04117bdef81d1091ccc76a4d6cc53963

SHA1
9e30cac788e86320524de6fc2b45f14e338193c5

SHA256
6ffbfebb53d9319e1f8ed3b9946c6443a90dfbaf0251fe2292756924973852c0

SHA512
e509f695bad2fd0e48c37295948a01a56098608376adde9759a1ede515988389cc5819a9bc0f08e32c7ccea00432aeb1a35fec7d9f58108cdd58fdf82f28a015

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
74KB

MD5
66e04f196a8e3162fad85d2dd33e39a0

SHA1
435b3b1a757c6b4d0b15dad1071d0dcbe05ba3cd

SHA256
5a2e3687536d1935d07cef1c1225646604a2305bcecf87699277ef6f3081bac8

SHA512
55b04827f077cdce7ff1ca6d70a9780a1e4e86b2ba988b410ff12d51bfa2a88e031b62670677b0a4ccd44f7fb4e03035dd6031b94e500875e2bbdf6a770d4be2

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
74KB

MD5
13100f257743680a17654342c4c1196e

SHA1
57b984e074490931d5de6e3bda2995bc339b1f3f

SHA256
60b753334987f43a0f4c8b6be75447732b21aee27d5809b6a014da72afe334c9

SHA512
0dddd021c17f3c03293492b7c16d72a9cf4dd49da9f047728bfb64599bf154f59061652fd7d5b03990992be536f04de2877012eceb61e3d1fc1143bcdca90528

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
74KB

MD5
d00312eca350dfbb78f3d43f455a1064

SHA1
69f714e2fd68ea9ad36248a70f5f8f7c063b0aa2

SHA256
b3ac48a5808c235ef778aa273c677826cbe882e305f21ea46ff974e962aa19f2

SHA512
9370e72813cdaa28c9aa16e25a92af2241973eb3192d56fb6b0f82176d261644a310c5237e96906e8ab5083d3762d376b97d3e7e90953ac83fdc8c0ce79c0109

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
74KB

MD5
2096b36616f86db415cf7f74b554b94b

SHA1
c556658d56d8788c4b65cc1356fe1c279c9d7393

SHA256
59a3290ffa5cd15c286466d167afd3b9f77e2ebf943d1f39ebb52861489ffcf0

SHA512
2c977e442d41ed6ece85e1f69e9579e214666679f9a312d366c6841627ae9e6cdf9334518ec1d83feb624cb1c1134c72cccba5c9ac197f0d9dc63b04b565b79a

Download Submit
C:\Windows\SysWOW64\Ogpmjb32.exe

Filesize
74KB

MD5
e68ec27ed60bce09b13b3ca4a01f2e93

SHA1
e4c5695b80c35b245c0042818eff2f2cb91e6157

SHA256
44e0769af2dc76af9cfafcce5e40b37970f8ed9f12715f80e350af9fbf135309

SHA512
df4e589bc00a1d25327eeb72adbf2cc132449a4341de1ab086f9894a50942ff0d32cd09d08262d18e03683122aaf0c554d5cf7c2a0946e030e1725a0587ddb9f

Download Submit
C:\Windows\SysWOW64\Ojgbfocc.exe

Filesize
74KB

MD5
479ce0967e2762e03c067a5ef9bc2d37

SHA1
744e12a0ed714ff5684de5ebc0e52c7b1cc31a7c

SHA256
bfe524849f6a4948ea182085870758ea2a5fc579e6694dd7f0bf70a9f1fd4ca1

SHA512
959d3ec0fdd969e088367ce780d08c46ade172d0fe81f11bfa1248babde3a4b9ef2179c95ae913a3d1799da9595d0db9f0f3b4effab79ca86a7a9e25c34b1620

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
74KB

MD5
6332bf0729d985929afa5078fd7e13a8

SHA1
1f2abcf3462d8ae7daf8972fd0b3581d4acd03df

SHA256
a40061ea3eb624f458dd6ff6a5f635b2c11f45b7f4f8585da58ee2688ea04561

SHA512
7d7d5f370186e9e3ff975617e091611112a9964dce91a9bbf88a3d0ff5ba64e4ba46d6f2f5a23c53451d1f8d91aef3e6c56a93238a752dedf7ae45c854f18c72

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
74KB

MD5
6ecc1d1171fb4dce63a57ace42c69797

SHA1
3e94adc1506675ed568c9d135ba0b3d68e8c18a7

SHA256
89a7adad587703abbbe442c4609b56f36e46be68fe0d34046071d8117ae55bfe

SHA512
09497431468e2cc43508ff69594141684602c1b1e674fa3eae3abc86a6e3e5f5b1bff430b7a89a3b7699fe5f63922c54f9e5299dadc5ba9bd541bc41980ca7ae

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
74KB

MD5
4ef1c98f16f7918fef47d82229c5f7ad

SHA1
7ce2d96f0ba0984de420ddfb5cf42ce60b33a025

SHA256
a77544dbec12d2b12cc71e90537cc520c4f61c31f0eaa31f05c6fd906bd01311

SHA512
4628d70fe39ea4c6242f0ae70dbdf8f26192624dd163d82302af7de438c49907b8a1c4eed9f656a590cc88bbd402af99a9a68eb5df68fb767f8530f5655c5b61

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
74KB

MD5
b47f4c45c6540a6964ee2535d889a51a

SHA1
66f1d543c8b84ff21909b7290bf32c1a96789a84

SHA256
471984019c7e02aceef71177b798fe11d1c795089245cdd367c4424b7e296387

SHA512
8b76d3cb7f9f1f751a7139f8c488ddb2fcbc4129b376bed355cf1d0e392fc3c776c70bac21ba16464306774b5963a5e8a892aee473717d530fbd77d66e0a17a1

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
74KB

MD5
379fdb9bc81ae90fb36ec7d24af585db

SHA1
ac044f1eb678f7d0a2031f169cf81a91370eb77e

SHA256
7b7edcfff4613f95340121cdcd4513ea0213d87f246b1e5b0b1db4aff1a2be9b

SHA512
6b27128bc08844173e2a5f497118e5f7446d7a3844b949ccfe4d26d7b4c58be835108396d0fc402a982ce6fdf41e40e53d3454e6ea932348729ecba3e559735b

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
823dd27e2cfbc77e47d4bcd26362fb31

SHA1
2552c83cba7501c0aa591918beb8125325cc8714

SHA256
df38cc5d678f844624d40b5731b26fa7665128ed87de10896484cbc35ee69dde

SHA512
e44f885bebce4b4c8239ada7681908461630ed1a5c5fa1ebe670866400030413250f8d14b18d96e16532467b3794a8e73d8ac4bbb37e8b916d3cadf852bdf6fb

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
74KB

MD5
d082f78fbc73048fb03f78f1b9469e77

SHA1
985b3ce67225378b258cfd9a30b45ce0abc8fb15

SHA256
29066d9003e29494c664bcfae183cf68318a098efb663f46204047f8eb46693b

SHA512
d522073491d3a528bab6d834a907b6e679db4f8696325f400a6e329b31f453e98000907c9eab72749fb18878153c7e9400fabf47b90d724d22f6124900d8b7dc

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
74KB

MD5
e681f12e508c11c2c994353f3e355365

SHA1
7449632063a6e7ac966e49f3e0afcf817c7ad939

SHA256
683fcfee749c6bf7d1ee231e8283140f970485ca752ed00f7b1b90c40c9ecff6

SHA512
c5718866703d34bb15abc1657b35290d0623784fab4e51e6caacf13eec0a1f83e18bbe02f1aeaf4931e454d78d331b2f0063390d585cad69e8615d0d1ee71f4f

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
74KB

MD5
246ce2faae9de6924b0d6e2b6fcba351

SHA1
75809a7c1aa9dd0c09d0101477bb68fe92f0c4d5

SHA256
8b85997cf94193dbf06a337a06659e01adb8153b05cf310eeb3d5263f24b8c38

SHA512
3c63808277c8b12a1821d7bac76359505bc130249c65d126d935f26b622a0de32dafb7e254813874e62a12350a400a385e8332ca57999827b26f55b2666d9f50

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
74KB

MD5
fac1ecd0f422df669746f38bb0c6a997

SHA1
fbeefb655f3b927cf349953663e4339fcb4eb4c2

SHA256
f8c678d8ab7a4dc30c8df2b01fc340a2f118953fad78208cbd6c993875a2ab98

SHA512
3e8793f266eec9b02bf55191fde6a6d7a84411c7d6daaaaafe14d0fb087d18ef664e43518334b891ba101f5c826943b90c0fa5e047de46b57652423dfabf5380

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
74KB

MD5
e292d998ae3e19cbdbf32ea47e9a2197

SHA1
853979217f4ac05799779192b5fd1221949db38d

SHA256
eee2864d4c8453926ca8c270d774225282e8c6bf7d57c0d88631632d9222e5bb

SHA512
4899a74b262ddfa04790e2a19c974ef27700d73b31620d376d0831012b243b477f62eab160a78aa5a761428998eb6dd18444165b73e8462d7ac5d7fa6c964fe6

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
74KB

MD5
c8263c39430f6dddc32cf2e90e17ef2b

SHA1
fd6376e165122cd1921cba907ee999dd4cf420b0

SHA256
07d275763b992ae1c09cb10b46000a63c16817edf695a3d0e28ce534d88006b8

SHA512
781b3263a7db7c4c57d2b5f9bd83cf8cd0823b247d5ffb5a9dcf804e5054bb28fdeae19b9efb19878ea1482302a2082e00a811a02b5da954e1e84c05a1e36b83

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
74KB

MD5
5b1903bd02fa322a5e7c31a66fc11c04

SHA1
42f4eee942d6322bbad75dd6506eb8c2eea567a5

SHA256
a5b9be8ec598eaa316e82985c83057fc4cfb95ee06f1eb06cfca6ffbe2577862

SHA512
7ca02fb91c758b4d1468bb6ad430a009bc5a05cb167eb833ce2db6ea1ed37abf739587b4a43f9864d09e9b554a4c561aac9f6477573c5f3ae9c758de0ee286d7

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
74KB

MD5
db7b392cbd844baf3affbbf0a36724c8

SHA1
9eb256cd6d6b75d02ac9246e5f3db8f5c55b8adf

SHA256
21cec2c9cf756d6c8524b7e48f84fe1b0c0117eb5af7ed98f0414f36d918d0e4

SHA512
2ce1a8527d75ca36cddb1f99732c76b39ca0ec610b9e444ebe396cc4f180f8deca617e93b4651cd11fbf1599db22df5c8c98e4a549c31bf6ee831c9040e5e46f

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
74KB

MD5
2384b71ed23011ebbe3147383a9d50f5

SHA1
560da2e1ec314cf692c49136dd4693131c9ba705

SHA256
94e59306e5939e6b057231bfe84f1820b1dfd51e75ed047ffb830f01c65f7f2e

SHA512
28e60b6cf81bd3a69f9adcc09d5060c67c85ea1c45b225f2725fd8c9448cb9a2db747d62e85a233fbf200aa06db39dc6b0fc9e949dbbf3063ce88b06feca914e

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
74KB

MD5
bd74cb8be44da3d150adc8ed31a58bb8

SHA1
7fe946fc706ef98ff4d94f3026b976db4f958fb0

SHA256
1517c9f7d82674b880cfbc3894c26e0ff4e4d8e4ae045813d7dd48e8356ad49b

SHA512
318d4ee0fddda403bd21d3f0c0a788ec2e676cbef1b160476279874d48fd040b3e88f1c1b6fe57c737e87dd3dc4fef96477cb092ff358493b04472aed08726d0

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
74KB

MD5
50605e87628662e535455194ca022d36

SHA1
8dc1fac830696553b811e9dcbeea2e5bdf72e12d

SHA256
96a0b9c4c1de9cc0c64833e59d733ab9dd2e720de2cdd5c66bd4abedc224bc17

SHA512
ba3ed1b0b80947664c5dd439a786adb927e2437c1b54ff1764dcc7772258bfbe27a24c495efb46c98bc5ca50e5c9112f261bafc78024fab626013dabb92145ab

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
74KB

MD5
3731e2b7c6fa9b682a3abaad1ae592ed

SHA1
a2e8238f5398fbc760376d0c76bc6072845e3567

SHA256
41e196eddfeca261a2372b3e381c01c0069753dc4e6fe3599a97c03e8bd3075c

SHA512
5b4174e890f76c1bf50784ab2d6a7a072e7f13f7285e559158ec8add673d900b8ff745672b4363866acec6f1f416adbb9d7f6fdd7a76c35eef89937fb3a32418

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
74KB

MD5
69ef7ed3309fa2e41df220a086864ee4

SHA1
c85392818c1cf9097f29a6fa43bb60b282e30416

SHA256
fff46331e07b5011c2b3fe22b6ea72b5d421da61d5185bc1aed00fd4a86de3ef

SHA512
7dbf417a723f702ac80893c40fd88f573c2b6670fb3ddb87b783145c4aa2a5c927cdcee1c4a93769acaf7d5d5c42ecba9d0fa1cd5b9cb5b29e3dabac3356029a

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
74KB

MD5
e8ff91f96809b54b06ed23b2c871cdee

SHA1
ccc5c4b41ede2786ed29f006ede30230f1c233db

SHA256
d53ab0bceff02c51d07de99a7cb7cfbabc4273637c5ca9351712cb43ba825975

SHA512
7879924da4bbb626989ffafa86be43a1bf42825ba6dc51196044025b9b3a2a013009078e12cfad6c51bfd1edfc1b781b7949bc4011bc5c29bc58c59b8c979ca8

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
74KB

MD5
f8c3dbb930881a7147cc99a49f27d222

SHA1
149f85f49a333aa4f69e000bf5cc24cdc96d1a4a

SHA256
49d47ac38902fb3ac8ddd72aadb32cb6e34c7bf0a7625ae90ac766654af72a56

SHA512
e4e8050e40384eaeb66409953e1a335791e8f27e400dc08ac603e958a3b8befa0463751c28e958e56a645f6bf61dbc77bd4b6ea7c52cab4bee05da3a8635fe15

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
74KB

MD5
e172e4f24c2858bab4405769d6ed317f

SHA1
c99c6461af450c6e596123102c2025ef5634fde3

SHA256
e0b7a25bf8a7bf458ec437c7df989cf1ed66aec11aa6c1ac05aa6696399b7dad

SHA512
7fd4cee4b8cb880fb074192e0af05a01253faf5f866c129216161b8a9c2aea7aa19a43207f48312430e8864b0db6f6f5e60dacffc3ed3c4b722659bb070e5042

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
74KB

MD5
7c30c20d1838962f9559f787b494f0d0

SHA1
0908f2c216f859a5232927e750ea3f9a9b4b2380

SHA256
2ce77f8b54122f4cc367895b562f1837c5951a5b1d25cefa56e3fab81cc87dd4

SHA512
2d63c39f2b9ae8be4e62f5374d40f3af557161de45f9950ac4e9cd2b06f37caedbfb3eb7b55e0664a44f36f88f56e31b8d8197e64519bfb23c7efcf2eed616d8

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
74KB

MD5
b279697a4dc03b79d16925db96cfe440

SHA1
fe4d44814b42becd3d03e5e5095d9bef5d5f3937

SHA256
8c6eec95ea5c0d2695d03376d47b4644fb67a5b590409a13155323a2ea2196e8

SHA512
6762ebc8e8aebe5700213a803bb00706803a79b943f0e5a30ed3ebb7ecbc7e4c22ac661ebb4777b8824f3914b04d86d38d7624d80e1e19309ec33396a1f149e1

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
74KB

MD5
034f1c7f3e67d0c2777225eb065f387c

SHA1
f37a00aa38b241dd3994390ab2e4a9acbeefbe7e

SHA256
bbc122617310c289c45a3ea52d2987ff731f82782d9b243d665423bfd1fe78bb

SHA512
c6269e5b9ba4f163b6fff7b49017d413ff22da75dd4b06dde1576b1dc580b53856b0f023dd25237e8791bc74b25f9524ef6c9e0695c90b95e32c1a56ec49a501

Download Submit
memory/8-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/32-467-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/372-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/376-497-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/408-311-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/576-503-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/620-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/720-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/720-546-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/780-207-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/848-547-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/880-377-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/892-359-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/956-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/960-509-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1088-554-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1224-247-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1268-281-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1320-268-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1332-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1392-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1584-581-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1584-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1608-191-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1644-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1728-593-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1772-347-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1808-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1832-371-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-553-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1912-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2132-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2180-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2236-431-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2256-561-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2324-341-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2336-389-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2372-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-455-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2432-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2432-567-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2456-533-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-473-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-323-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2676-443-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2708-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-449-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-539-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2876-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2876-574-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2908-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2976-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3172-317-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3456-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3524-461-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3532-365-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3596-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3640-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3640-588-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3692-540-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3720-515-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3728-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3736-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3756-582-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3760-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3788-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3872-395-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3912-560-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3912-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3972-489-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4024-256-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4056-527-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4100-579-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4432-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4444-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4456-183-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4460-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4624-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4680-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4684-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4700-724-0x00000000008C0000-0x000000000097F000-memory.dmp

Filesize
764KB

Download
memory/4700-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4768-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4772-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4776-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4788-287-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4816-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4828-568-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4864-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4936-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4984-425-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5068-383-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-521-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5076-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5104-353-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads