berbew | 83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81a

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Size

96KB
MD5

5de3481a852ca620bc9937d0ad952800
SHA1

885009959317acdc77650e7c92dcc1d54f03ecfa
SHA256

83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81a
SHA512

204359f37b7a9ddf5ae0059013a1261a796e6e9b0f946641a90efc1e8c98e83948a1543f32b0403319e485f3769fd99332829235d2f2051eb8b0a525b893f236
SSDEEP

1536:O7le4N/0EknEWakSrE1Clr2L1W7RZObZUUWaegPYAW:ORGTnEFlFI1WClUUWaeF

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onjegled.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqdqof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odapnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cd2-468.dat	family_bruteratel

Executes dropped EXE 64 IoCs

pid	Process
4964	Opdghh32.exe
1304	Ojllan32.exe
4040	Odapnf32.exe
4796	Ocdqjceo.exe
3784	Onjegled.exe
1332	Ocgmpccl.exe
3296	Ogbipa32.exe
4652	Pnlaml32.exe
2868	Pdfjifjo.exe
2908	Pjcbbmif.exe
2376	Pqmjog32.exe
1416	Pjeoglgc.exe
2576	Pnakhkol.exe
4164	Pcncpbmd.exe
4784	Pjhlml32.exe
1292	Pdmpje32.exe
4464	Pfolbmje.exe
5116	Pqdqof32.exe
2404	Pgnilpah.exe
1708	Pjmehkqk.exe
2288	Qqfmde32.exe
1468	Qceiaa32.exe
4932	Qfcfml32.exe
2472	Qmmnjfnl.exe
3044	Qddfkd32.exe
944	Qgcbgo32.exe
2972	Ampkof32.exe
2180	Adgbpc32.exe
2176	Afhohlbj.exe
1072	Ambgef32.exe
4836	Aclpap32.exe
2200	Anadoi32.exe
2004	Acnlgp32.exe
1124	Afmhck32.exe
4984	Amgapeea.exe
4396	Afoeiklb.exe
1652	Aepefb32.exe
780	Bnhjohkb.exe
116	Bcebhoii.exe
2572	Bjokdipf.exe
384	Baicac32.exe
760	Bchomn32.exe
5072	Bnmcjg32.exe
5052	Bmpcfdmg.exe
3368	Bgehcmmm.exe
3268	Bmbplc32.exe
1028	Bhhdil32.exe
1788	Bnbmefbg.exe
1724	Belebq32.exe
1436	Cfmajipb.exe
3096	Cabfga32.exe
2720	Cfpnph32.exe
1588	Caebma32.exe
4556	Cdcoim32.exe
4260	Cfbkeh32.exe
924	Ceckcp32.exe
3140	Chagok32.exe
4064	Cnkplejl.exe
2236	Cajlhqjp.exe
4204	Cffdpghg.exe
3928	Cjbpaf32.exe
3632	Cegdnopg.exe
3012	Djdmffnn.exe
4432	Dmcibama.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blfiei32.dll	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pjhlml32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Gjgfjhqm.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bdjinlko.dll	Pnlaml32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pqdqof32.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pqdqof32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pqmjog32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	Onjegled.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pnakhkol.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Pnakhkol.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File opened for modification	C:\Windows\SysWOW64\Qqfmde32.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dkifae32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4540	5064	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onjegled.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqdqof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdqjceo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opdghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgfjhqm.dll"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdqjceo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmgabj32.dll"	Odapnf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmhoe32.dll"	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfqmhb.dll"	Pdfjifjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpgii32.dll"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 4964	1064	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe	83
PID 1064 wrote to memory of 4964	1064	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe	83
PID 1064 wrote to memory of 4964	1064	83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe	83
PID 4964 wrote to memory of 1304	4964	Opdghh32.exe	84
PID 4964 wrote to memory of 1304	4964	Opdghh32.exe	84
PID 4964 wrote to memory of 1304	4964	Opdghh32.exe	84
PID 1304 wrote to memory of 4040	1304	Ojllan32.exe	85
PID 1304 wrote to memory of 4040	1304	Ojllan32.exe	85
PID 1304 wrote to memory of 4040	1304	Ojllan32.exe	85
PID 4040 wrote to memory of 4796	4040	Odapnf32.exe	86
PID 4040 wrote to memory of 4796	4040	Odapnf32.exe	86
PID 4040 wrote to memory of 4796	4040	Odapnf32.exe	86
PID 4796 wrote to memory of 3784	4796	Ocdqjceo.exe	87
PID 4796 wrote to memory of 3784	4796	Ocdqjceo.exe	87
PID 4796 wrote to memory of 3784	4796	Ocdqjceo.exe	87
PID 3784 wrote to memory of 1332	3784	Onjegled.exe	88
PID 3784 wrote to memory of 1332	3784	Onjegled.exe	88
PID 3784 wrote to memory of 1332	3784	Onjegled.exe	88
PID 1332 wrote to memory of 3296	1332	Ocgmpccl.exe	89
PID 1332 wrote to memory of 3296	1332	Ocgmpccl.exe	89
PID 1332 wrote to memory of 3296	1332	Ocgmpccl.exe	89
PID 3296 wrote to memory of 4652	3296	Ogbipa32.exe	90
PID 3296 wrote to memory of 4652	3296	Ogbipa32.exe	90
PID 3296 wrote to memory of 4652	3296	Ogbipa32.exe	90
PID 4652 wrote to memory of 2868	4652	Pnlaml32.exe	91
PID 4652 wrote to memory of 2868	4652	Pnlaml32.exe	91
PID 4652 wrote to memory of 2868	4652	Pnlaml32.exe	91
PID 2868 wrote to memory of 2908	2868	Pdfjifjo.exe	92
PID 2868 wrote to memory of 2908	2868	Pdfjifjo.exe	92
PID 2868 wrote to memory of 2908	2868	Pdfjifjo.exe	92
PID 2908 wrote to memory of 2376	2908	Pjcbbmif.exe	93
PID 2908 wrote to memory of 2376	2908	Pjcbbmif.exe	93
PID 2908 wrote to memory of 2376	2908	Pjcbbmif.exe	93
PID 2376 wrote to memory of 1416	2376	Pqmjog32.exe	94
PID 2376 wrote to memory of 1416	2376	Pqmjog32.exe	94
PID 2376 wrote to memory of 1416	2376	Pqmjog32.exe	94
PID 1416 wrote to memory of 2576	1416	Pjeoglgc.exe	95
PID 1416 wrote to memory of 2576	1416	Pjeoglgc.exe	95
PID 1416 wrote to memory of 2576	1416	Pjeoglgc.exe	95
PID 2576 wrote to memory of 4164	2576	Pnakhkol.exe	96
PID 2576 wrote to memory of 4164	2576	Pnakhkol.exe	96
PID 2576 wrote to memory of 4164	2576	Pnakhkol.exe	96
PID 4164 wrote to memory of 4784	4164	Pcncpbmd.exe	97
PID 4164 wrote to memory of 4784	4164	Pcncpbmd.exe	97
PID 4164 wrote to memory of 4784	4164	Pcncpbmd.exe	97
PID 4784 wrote to memory of 1292	4784	Pjhlml32.exe	98
PID 4784 wrote to memory of 1292	4784	Pjhlml32.exe	98
PID 4784 wrote to memory of 1292	4784	Pjhlml32.exe	98
PID 1292 wrote to memory of 4464	1292	Pdmpje32.exe	99
PID 1292 wrote to memory of 4464	1292	Pdmpje32.exe	99
PID 1292 wrote to memory of 4464	1292	Pdmpje32.exe	99
PID 4464 wrote to memory of 5116	4464	Pfolbmje.exe	100
PID 4464 wrote to memory of 5116	4464	Pfolbmje.exe	100
PID 4464 wrote to memory of 5116	4464	Pfolbmje.exe	100
PID 5116 wrote to memory of 2404	5116	Pqdqof32.exe	101
PID 5116 wrote to memory of 2404	5116	Pqdqof32.exe	101
PID 5116 wrote to memory of 2404	5116	Pqdqof32.exe	101
PID 2404 wrote to memory of 1708	2404	Pgnilpah.exe	102
PID 2404 wrote to memory of 1708	2404	Pgnilpah.exe	102
PID 2404 wrote to memory of 1708	2404	Pgnilpah.exe	102
PID 1708 wrote to memory of 2288	1708	Pjmehkqk.exe	103
PID 1708 wrote to memory of 2288	1708	Pjmehkqk.exe	103
PID 1708 wrote to memory of 2288	1708	Pjmehkqk.exe	103
PID 2288 wrote to memory of 1468	2288	Qqfmde32.exe	104

C:\Users\Admin\AppData\Local\Temp\83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe
"C:\Users\Admin\AppData\Local\Temp\83ea50c0a2e37bc05972a1901078f30f5cefbd1b0197027299d6333a142df81aN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\Opdghh32.exe
  C:\Windows\system32\Opdghh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\Ojllan32.exe
    C:\Windows\system32\Ojllan32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\Odapnf32.exe
      C:\Windows\system32\Odapnf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
      - C:\Windows\SysWOW64\Onjegled.exe
        
        C:\Windows\system32\Onjegled.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ogbipa32.exe
        
        C:\Windows\system32\Ogbipa32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Pqdqof32.exe
        
        C:\Windows\system32\Pqdqof32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 396
        74⤵
        Program crash
        
        PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 5064
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
96KB

MD5
7888597e8e047d27d86858aaef9239e8

SHA1
7fa327bd38f3237b38d157cfbd411fd15fe83d75

SHA256
fd875afaf8557cb191bf07f4c8f5581d7781817b558246b6ced275c6440a2f21

SHA512
11c307711eb5833f0c96dfe4d5524d4f697b4bfd6a7801107c1b9c5229a4fce599b669f449ebd13fcf51d17078c9312dfc63526a7b1431ffb2bf7e93aa517b8a

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
96KB

MD5
4555a20ae1266e962cf1693ea88bf300

SHA1
83541a504305957d7089e8f39aa57ec3a75c8246

SHA256
7bce2521cda2f588a19257ac8787c0c6f8d48cf2b498da1a13b46a8dd9d2e7ec

SHA512
710dd3abceb4ea8865025da8b49b1a9b92240d821218ee25eceaa607183b07f4bcd500e1e229af29983fcd84be7a0545aa06ed2a515cf772342fdfb2840a1e60

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
96KB

MD5
8e8a2b9b95dbb4cc24835e683f1ea58c

SHA1
02a1f0b37d113b089fbeafdcfe3fac840e85c6e0

SHA256
df2370604b6b39075d68b70fe65b52688d1d048f16a76237bb52d9ce924f33e1

SHA512
139a5b5d6dbf50c8f3d24e579474a25a007db9d80293efbcbf8925f7f8b8f2bb67f6991cc39cb160c16c15231bb0c8f729719ccb482c6cb8c2eb8cb3c1b6c809

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
96KB

MD5
3000f4bde0241f4d6b0875a20bd053c6

SHA1
a63ba80652f8e2eaf2c238e665e5867c920432c1

SHA256
f0d9fc092dae8ed87845a0954a69aa086fee8a64e0d0b36e8e2c974e60b10a65

SHA512
8ad34181667456400064c1bb67fec1a27f51a46d01285836ec4683ac93f96d5eeef56a07853872d1a0c04e78a2cfb795b49b6a43220ab338abb7db58c3c932d3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
6a3f131bb8db3a9ce2ed4d2c20ad2d93

SHA1
c2308e4784445022dd3ad4dc62e84b4e79c12ef0

SHA256
aedbae91b1e20fea56147bba5691c5cea4c29e543a492085597b2b029351a9ae

SHA512
839b9f390b31f891d169fec2302b3a71b4eb8f564a0daf1e4888c964c8e0c68152d09fc6dd281881b8f0883c6b5802e8b992e26253d98da62c1a0725af8af53a

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
96KB

MD5
3950162e4a2b5faf28862dd94e4519b5

SHA1
2de3ae3c820affa25900bc9caae70b794f2c175f

SHA256
d301c015a0adfa205c0c25d2998edf9e7506ba7b411ea9232f4db61a67f81eab

SHA512
53afeeda81c91007251e0c4326a469c265827a80c2f42318fb57f312dc78d64f35c0061fa243ea1a3d90c54e35fe43d0f37a7ab9bf81187a75a8705aba4c09c9

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
96KB

MD5
a7f4918a0e41ebb0ea20223486053091

SHA1
26da5bd4dca6696262c18282a371e58a5302e43e

SHA256
100520e5c783f43d4ca956d1ca284bf7da173d77069e1918bf1c7369eb704a61

SHA512
add32bd90d75f274b8c278c57a22268b1220c294827d21eed20b1563a912b808fe19ede79c18cf28f0c0ce50790726092185e2bb23f72f8958da2923036c2fab

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
5fcf77e7f5e1834caa89440c7da9615f

SHA1
9a529de619a7d99822d4d4947d971b8c00dd9520

SHA256
c4d331fb4535c76fa9ab6171e79089317c6a687aeb70386a45657cda3edf7085

SHA512
214fabed96a296ceeb79e668367e8968925a09cc7813e7b845e1f62bd1e2df25ced6c2f79f07210340d0b5361ef640f93d3dc90d672620f2bbcf0d7a931d2933

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
96KB

MD5
af96630528b257d77075f420529aaca1

SHA1
4334d916c512889d4297dacef789552aa3a868fe

SHA256
e81e3468d2646fe1121bb50ddacde4f65a41048660a30a21f67cc4480f3b0a62

SHA512
f66d0be03c5b54f5c8798b71a1ea3c3b14e0f91acbf6fe5022b371cab43dcb8a7c76e88d237a7dc41366b1c623f5806b44e5e0e3c76ceba0e845ebbc05ba6c24

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
96KB

MD5
1413a0257b1e9fdba3f77958e8072d5e

SHA1
f5ec403af00c99cfe08bfa705b0b5e333e392185

SHA256
7efccc6106fa97274880312e6057575fab04ee09bc03cc9ec1d91417114fe6ca

SHA512
1699585febdf8304e1cabd302d5256339282405a3c3ff44f77b9784f596490b84742939cf5faac6cb6f80d5b712e2f35bdc5fe286ee32a5e1e30a30efd34fd31

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
96KB

MD5
e79944ae737417ab793a41e65a7c2ba4

SHA1
7806cd270ef0946d7810f9b7ab45ae0bce50a4a5

SHA256
28fc0967a5809d7f5c7ef3b7857c6c526882b55fcac94e3a1b9d035e1f3ed9b4

SHA512
870500f2c00d1db25bcd95e4d670c9b4daca72c687c119ae4240176a9e3fc03ab1dbc5504da0201172b70a8fbed13a92836cd0baa36c3f9759ca31100e4e6b6a

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
96KB

MD5
52bff6d22a140d6ea8f7b69a621e9ef0

SHA1
3e3c9f2f5c2e9244dc0c93471f9c6243b7d2f676

SHA256
12b41bd27e0f1f42bd9ec37c640f0a7cea00378d7eb7c551e87828664b5d269f

SHA512
9de9bedc6c30c368b02bb0d6b4ba23f129836310004e2518ec3cee1bf1b181613e22545ca630be24b78b741582b28ce7ae7c5cb36c6eadc9d0a1dd8856aa5967

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
96KB

MD5
de26f70aed60a752b891bd4b9d4f38df

SHA1
c2773ec6becde6d5886733e1208ee79a0a70fea6

SHA256
dd8a19433dec0f5f0d1a652eae427ad499efc5058685bf767820b21e3bc7a999

SHA512
3ff16f0401f2fed27ecfee85b16206852ac9220a0d541397472871b86a4090539f4f5523ad89b4c9d9daf25cd4a47892b7c4403377bc5cd50c4fbaa3c7b3f9f1

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
b874c8853d3f8c882dce5323da3a6e31

SHA1
e8d41d2107e15af16eb928f9e39e087c8d935913

SHA256
14445a64c0c2cec712722c0f8a92f91b0ac0b0daed6dfa5efdf956e7fe2196f3

SHA512
b4d4fa826ce0ddc6acde6edfe32c7c83f3a77bfec5941a01add962f683522449684877459ba2c9971704cc383ffb637dd85d990dae7f7752e108d62276252ef3

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
96KB

MD5
ba6697e080ef170d925de3d90b008c9d

SHA1
c82bd4ab95c39b6a0b85fc58638b6abf40f87977

SHA256
ee0ef9335bcec2aaace248369a2e810c754b291772e4a93a4c79c636e3cb404b

SHA512
600fcc75eb63f6007b54e3c2efa9ad63a0e69e6db8f2c8362a9ddb82db8848a9d45a99d02bb3e27cce0b2b1da761f4501d59a10723357fc5c13f2ee02d150d3b

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
96KB

MD5
9939ca74f43cb4208b4eb11fcbed0beb

SHA1
1c98ee727ad2c128e97c1e3c6a7022babe94428d

SHA256
b2513a7e6067ebdf9b1a59f3c1ee6d5934d5023b3f1cdc7d6957c301327ac7a9

SHA512
f750cf6f11a53cd3ad93b050b93d09f3c876605df1215ff9a6d89c9355263bf86e379a636dd0d7260fe53315884a47f3a4a38ff365ddf3b8332fe7fb757d5b9b

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
96KB

MD5
5c833b7a533ba7caece378e4cdc12e19

SHA1
c94e798ac1f24a47805f8f2a54890cb8fecc3256

SHA256
bcc546a9107295a2c351b11b6d95a520e3745b176291cde0c2d15234a713eb65

SHA512
6ed4c9c2ecf21c9eef4ecd31cea3d915e928a0a4a07e14d8f7144192b98aacea8ce0b54d41c46b729c80c768ecaa9a9608c049274a3a72041439c15c74dd7c12

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
96KB

MD5
d9958b3e64f5647bbb90e53c11b73d22

SHA1
2882d569085f4e87e15a4878423d7260f8691946

SHA256
0d3e44eaa716d0d82a46d170bf3aea47fb4f50c87910f54022ca42fdfef987de

SHA512
e795d3ca3238164f632fb0528da4bb2cee69a24c8253693f7f165a8aa294516abc27628870d9d6cc51de297a0e9cff12e815a6515e08b2151719ba54f1a0dcd5

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
96KB

MD5
2e358585963aa7f6ae6b55920acecccf

SHA1
8649a6a8bb9ca79fb38924d009374b3d6454ae07

SHA256
3551de349963817f913378a6fb0b1fd713bbd0bd756d309825515a34a78d5fd6

SHA512
de3070ed40dc7b6aa04f995613081b3895f727921f99bc7048c8562d279bf256b41af3a53a4e113b4ffd03f9df6a9697162b1772584615ff055042b4352b5373

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
96KB

MD5
a07d1dc478a92064811959ed7d53581e

SHA1
bd0afff0140ca27d9fa5e3576a2fb3472177c78d

SHA256
78e35feff016697d1292e86ae4d0c4aba76c1953fa1f0e0e05ae796ed729c809

SHA512
62fcdff41e8d8ea755e5e83ed2ea1945ef829307c3fad385c474543dc208495c08f8b1f4305fec0c97581c77663a21de96632816956d22152d812ee29b29b7f5

Download Submit
C:\Windows\SysWOW64\Onjegled.exe

Filesize
96KB

MD5
863215ff5413f4f952a6366324b429bb

SHA1
53902442c3bbc0530fac410556ebf6fdfe70866f

SHA256
b16283a61fd468014af0fcaafc44868a722afdb71f23ef22a594f167fe0d641c

SHA512
4ef5b3d7fa63b90db09590102ad35e63eba7dba986581d2a453eb088ef1128cc550b757b9a07f49659f6681b24db3e2bf5dd7aed84eed25ef06b6bc3ef1572fb

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
96KB

MD5
9448cf7e2ddea9dabcdef092eec02c13

SHA1
d95d4a13f6166486c7b216f1c582347d012faa42

SHA256
7106ccf29c6c33c259fefea8589646e90ed8eea8ed26e9224574d9e83c66d71d

SHA512
4bd132c776e0dd033ddfccc6faae20f8e134145b75f1ec211722218eadef5f41544917d07c9e76bca9d559c14416e5eaa72ad9366f97650f5057d927ef9a936e

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
96KB

MD5
13da403d7a3fcce42461f919f5b69062

SHA1
386eecfbd4faef379bac931245d4bfb6b29ce83f

SHA256
e6dd6de76944bb1922f79edb770e4f8696b032ecf34ded996972e9b0852a2067

SHA512
e1a54a58effc849bb8ea67a4eaf72e554a3be4917fd77aead20bff1e3df97e9a8df75a0c2cde6005858b5c56173e7b8f620a1ced059d0727c9f12c7a3894b93a

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
96KB

MD5
22e4707d2e8e261f4787952277f58ec2

SHA1
a3b0b54e728e93169cfd26e4125ebe6c75213c52

SHA256
516f5d36f98ff7b87c7f231c9ff9325da8dc948261f892522cdd554ffad86143

SHA512
2314b9aa4d529858a8878d04c19dc4dca88f8896634809779fd9927246ae237863f5fc7b588e1c57a16179ec35b4baeb3d7f51c2ba356f4ec96abf1147b5c454

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
96KB

MD5
c7bdc41d943d66ce014c51716b4ad7e4

SHA1
a497bfbb47d64f7ae9931e725d1be12902798fd8

SHA256
0f5844391b7fc56a682e8fcf6bebf5d70fa8970543f437a5fe5c756951c5cc30

SHA512
d6252aa156fc60a0d2fcb459f5f4f2567ce61e4def6a881e92535854ce76da3cb66948f820f9da8d4e7238f22e3b0c044b3eb060c2116b819b66b1b5b52d49a8

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
96KB

MD5
8af4731cae3356fd63c6aba54933b39f

SHA1
2d0617edd567b0755bbc32ff91f90e2434bb8a8f

SHA256
b89273925453bef571d5c8ca6869aec72aa3b1a45d5e35be0612b804536c12ac

SHA512
08f63c8ac33b861e1e0b17111ec100bad2ca08103e4d6904125090b338303d6d7f75e44fd059cc0fcb9ca1e3125f0bfec7a33bb1d47553e49aff4880504922f8

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
96KB

MD5
fc8a992373d1e34c9965471608804a85

SHA1
730dd5414aae8076161b613e5f21bc39200f41e8

SHA256
afebc3eca115de716b542971d8561414db6339c1675772b2fef1fb9733990e57

SHA512
b6933924b6a17aa64bb76f1520da52423298c551c7cc74362123f68177533f8bd15ab0312c4b9776632318c1574e2628a47e108db4ae892dcaed631a9b8f86db

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
96KB

MD5
095c135bd9853ebef569fb101914ef65

SHA1
1dabecf57e131ad29ce6c6f738668547f4e0e553

SHA256
e47b38abc17e0cac68342fbe7d06bc6d16425ef842bee13c2e42887e9c3a75f0

SHA512
d742203bfccab2a2960a804f0e02ae025926cf9bd52e718379cc8f8921120a5825e4e9c15ed36d40888eef27016b4c2df21c4c5855556143a669129a39bc42fd

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
96KB

MD5
7018be2998384ac43122ba5db73ab996

SHA1
df9fb3efcf0ed116f2eaf2631e317a71f80fa3f1

SHA256
6b57a9ee5c673e993c8e965cc2cfe60bc2eafa8d739583f281515934f2be3fc4

SHA512
ffb775d021fbfe46d82516ad39104e40440ba2ae3148be51db73b9b9ae5d2cde82a34198ab30a936c6af1d0bcb8509690fb03fa97e9a04aecea4bff186f7b445

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
96KB

MD5
8fe17e51c03b652731a0e86f94545e55

SHA1
d1a753775cf519b2509099c8854c96d723a08fa7

SHA256
a8f8c4868f6627f0394d541553db909ec9e88b30e8e5a6f01e8dfb703b21cd56

SHA512
4e12a5a251661df432950328e2235d458277a38c0338001d258aaece167a11af67aac932c94111291cc25bc12471027b815c6a74187606bdc71b341fa9cd5691

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
96KB

MD5
30b34a52b15c1a65cb7512c3edfb2e7c

SHA1
0f99ed6b1e57788a423c1f498a1768a6f2f44b40

SHA256
3f617ef9befaf11aa222cf20c291ba83f73937226488e88b2c61351b62ad076b

SHA512
60f003ef7c574b070a059b535741df863c42d17ebfe58d72b75c70f0b23ac37555a87362474c0cbfdbfd98064696bee8121221409a692bec3c54c998db9e7467

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
96KB

MD5
201acb8ff8dfe724e35f1e4e44527235

SHA1
9620acd9df011273aee348c6de226173ac291a8b

SHA256
f9bea25754a93c0934bae7e4952dcb167d74a8a10af49173feaa72bae97c5e1d

SHA512
b33e4113a96ea4aba1c9af6f74256e63075bd8c1d3e7482f2553d8ba8f4993c198b6776da1f7505e0424be1885e70990e57d73865455f64b9853df1aa7f9a5ea

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
96KB

MD5
b03a093a94ff62928afa1f440cdd6792

SHA1
6b61f3138b293cb0d587979eb59aa5435674df8f

SHA256
a5c272e77f2a55a4628fab9bca6bb7b29a74641518525498cb76fab46afda0c3

SHA512
2326f12e11f2eeace312d914a1b799ebe68c0469774cb594acb4069f6a6e1be1c3ec72d011381a2ade9f56b1e257b87254552b24a247077e1603c48ad59bf6af

Download Submit
C:\Windows\SysWOW64\Pqdqof32.exe

Filesize
96KB

MD5
485e82e5e990b602a32dd8859847dfe0

SHA1
1a3d628717858bc19f09a95862eb5df5d93f7e6a

SHA256
7e0e5b2a7f5a6b8bba88b3008d36f2678bec91e0b2106cd2df7f15620fffe29b

SHA512
fb927e85c7269367ee393e3e28eb9223ffdd5940b1f597b9fe0e232fbf092682478952b96a04d39b4a72794a917afb1835ee5f60c5fdedf1cd6c024a8835a25f

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
96KB

MD5
a848037e7fa0ac648db40c9326a82af9

SHA1
b16120bfa333542081540b3aa8e4a9cdda536cb6

SHA256
63b771ff8519461e25e5252e7bef322cc22fef599dff1ea09a8229ddcc08abda

SHA512
c083c6c71de755f28ab41af34eaad35d5098ece10f9ba52ac7fbf7e94f8295768f1d4a044029b74dfb2300d2a6fbc3d8cb26844da3364f45c41fc1650b28be0c

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
96KB

MD5
a7c7e54244776d10b4691748a504fb24

SHA1
af097e6dee7a9329c5b270f3729ce3e7aef5494b

SHA256
87bdfcfcad08a73ee55da8e6fb14116c4f0f7f7b584c9896a4af079203c9892b

SHA512
ae823b78ad33f9911afa0013e3b4eccc0b4cf5ae5420dc4c5af7e440c4a91df14e2cfbd928f9064c2bfb023675e95393acbc5125ce25b5526598b2f5b88c71e7

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
96KB

MD5
83bae361205e9292ccd06acc7f16b23f

SHA1
90d94afda7524a7ed73ce717b7bfa95614e6e041

SHA256
d16246ceedbc67c22941bf411c99bd2610e8130a02f26f105fb7f212a2117c33

SHA512
81d31e771b2664aab1bffca8443a6adee137a8f5fb5344e8cd67d5d4f4221d696c6bc92204256c4a2f7351eeae56ec0e1341ff396333df81c9219438b19a0bcb

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
96KB

MD5
c840e589ddb336f8a876205ccc336e81

SHA1
1168a78777cd28ccf0e12aec11cceb4cd1dc0c0d

SHA256
6ca842b5bc1c35b42f785a126451f7ba6fc2db8ef9493a731df271fd448ad07b

SHA512
d3dcc44f6460fb14c1906cac5b33577432faaa0d9b98d372e5eb6ce5356fdc9069bdec316994a58cfbc474c94bffc573780320be3af9591e301a352818074104

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
4fd989888b52795c426a4e231a2aa0c8

SHA1
f5fcf8c64f7dcbc7f7616e23d19aee7b6d46ff54

SHA256
79de47276f526ace305dfef2bf6d68963108bbb58bb1a5c4560be1124db1e853

SHA512
387e0c75dd0dbac519bf01ca173cd8ce36d7ed7d83a9403baf4f04e6adfebccbb7379b1388ccdb404325305b4ab98d745a290791b6825998a654482cf11054d2

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
a4bee7dd0cdfea5151b8690b30dbd0cc

SHA1
3b6e0bcd7ac5e05194c720170ef86dab622d94da

SHA256
8553ce41a6cd28522083a3666523f1f9e807e3471267f8465addcfe8f8004b0e

SHA512
969f00bbfb80d1bb29293e1276658039f329e0398908e36f32fa2fa4c13a843c8da0cae53ad8a939ce747e2bcc62779f0adc940d81f83cd22763f6ae06660c42

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
96KB

MD5
950ea71db381188c98458e72c3f59e00

SHA1
284eeb1aad804f568c1126e435cfead737b17c09

SHA256
0414d8cbd579d3ab1e9b8abbf0dab10d71d226b7cbfbeb047db335e672a16932

SHA512
b65c76237dfe2696133dd89796eaea9f0d7e295dc3dd09643960695a8ba44154a43c44f6d9bb59406442ce45ecfab2273ae24b68a094b7a2335126de027abef2

Download Submit
memory/116-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/944-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1072-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1304-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1652-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2004-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2908-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3140-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3368-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4040-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4544-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4556-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4784-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads