berbew | 38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Size

74KB
MD5

44586504e989cdc4ea9f095ed01143d6
SHA1

50c7896d34e5ce3d3ac6049a567ef73a461f0bff
SHA256

38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db
SHA512

d1fb3ea6d73ad23cb6fd2f81802758522fd5f6114e8330d122bcdcce771036bd1d7772fd1d340dbb7735837347257b2fc31eb187c87341c9b505025064d6a941
SSDEEP

1536:s16ijeKuNMMhwkeS3/izkpZCXz2RVFzVhLo:mdj2MM9eSPQ64j2RVFpto

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgoapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oohqqlei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohaeia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdlkiepd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oebimf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oancnfoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neplhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oebimf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nofdklgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neplhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oohqqlei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ohaeia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onpjghhn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbelipa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbplbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcfefmnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpfeppop.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 58 IoCs

pid	Process
2792	Nofdklgl.exe
2928	Neplhf32.exe
2760	Oohqqlei.exe
2580	Oebimf32.exe
3060	Ohaeia32.exe
572	Oaiibg32.exe
1492	Ohcaoajg.exe
2200	Onpjghhn.exe
1040	Odjbdb32.exe
2564	Oancnfoe.exe
1760	Ojigbhlp.exe
3000	Oqcpob32.exe
1708	Ogmhkmki.exe
2304	Pngphgbf.exe
2224	Pdaheq32.exe
2416	Pfbelipa.exe
1624	Pokieo32.exe
1360	Pcfefmnk.exe
1868	Pfdabino.exe
300	Pmojocel.exe
1376	Pomfkndo.exe
1736	Pjbjhgde.exe
1684	Piekcd32.exe
876	Pdlkiepd.exe
2396	Pndpajgd.exe
1688	Qbplbi32.exe
2788	Qodlkm32.exe
2904	Qgoapp32.exe
2740	Qkkmqnck.exe
2596	Aecaidjl.exe
1076	Aganeoip.exe
2292	Ajpjakhc.exe
2988	Anlfbi32.exe
2156	Annbhi32.exe
2404	Aaloddnn.exe
308	Apalea32.exe
1572	Abphal32.exe
1932	Amelne32.exe
2004	Abbeflpf.exe
2352	Bpfeppop.exe
768	Biojif32.exe
2428	Blmfea32.exe
2684	Bajomhbl.exe
948	Blobjaba.exe
1308	Balkchpi.exe
1728	Bhfcpb32.exe
2024	Boplllob.exe
2504	Bejdiffp.exe
1588	Bhhpeafc.exe
2940	Bfkpqn32.exe
2604	Bobhal32.exe
2696	Bmeimhdj.exe
2056	Cdoajb32.exe
860	Chkmkacq.exe
2420	Cfnmfn32.exe
1616	Ckiigmcd.exe
2272	Cmgechbh.exe
2880	Cacacg32.exe

Loads dropped DLL 64 IoCs

pid	Process
2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
2792	Nofdklgl.exe
2792	Nofdklgl.exe
2928	Neplhf32.exe
2928	Neplhf32.exe
2760	Oohqqlei.exe
2760	Oohqqlei.exe
2580	Oebimf32.exe
2580	Oebimf32.exe
3060	Ohaeia32.exe
3060	Ohaeia32.exe
572	Oaiibg32.exe
572	Oaiibg32.exe
1492	Ohcaoajg.exe
1492	Ohcaoajg.exe
2200	Onpjghhn.exe
2200	Onpjghhn.exe
1040	Odjbdb32.exe
1040	Odjbdb32.exe
2564	Oancnfoe.exe
2564	Oancnfoe.exe
1760	Ojigbhlp.exe
1760	Ojigbhlp.exe
3000	Oqcpob32.exe
3000	Oqcpob32.exe
1708	Ogmhkmki.exe
1708	Ogmhkmki.exe
2304	Pngphgbf.exe
2304	Pngphgbf.exe
2224	Pdaheq32.exe
2224	Pdaheq32.exe
2416	Pfbelipa.exe
2416	Pfbelipa.exe
1624	Pokieo32.exe
1624	Pokieo32.exe
1360	Pcfefmnk.exe
1360	Pcfefmnk.exe
1868	Pfdabino.exe
1868	Pfdabino.exe
300	Pmojocel.exe
300	Pmojocel.exe
1376	Pomfkndo.exe
1376	Pomfkndo.exe
1736	Pjbjhgde.exe
1736	Pjbjhgde.exe
1684	Piekcd32.exe
1684	Piekcd32.exe
876	Pdlkiepd.exe
876	Pdlkiepd.exe
2396	Pndpajgd.exe
2396	Pndpajgd.exe
1688	Qbplbi32.exe
1688	Qbplbi32.exe
2788	Qodlkm32.exe
2788	Qodlkm32.exe
2904	Qgoapp32.exe
2904	Qgoapp32.exe
2740	Qkkmqnck.exe
2740	Qkkmqnck.exe
2596	Aecaidjl.exe
2596	Aecaidjl.exe
1076	Aganeoip.exe
1076	Aganeoip.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Hhppho32.dll	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Chdqghfp.dll	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pdlkiepd.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Kpkdli32.dll	Oohqqlei.exe
File opened for modification	C:\Windows\SysWOW64\Ohaeia32.exe	Oebimf32.exe
File created	C:\Windows\SysWOW64\Pcfefmnk.exe	Pokieo32.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Jgafgmqa.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Pdlkiepd.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pfdabino.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Neplhf32.exe	Nofdklgl.exe
File created	C:\Windows\SysWOW64\Ohcaoajg.exe	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Mfkbpc32.dll	Oaiibg32.exe
File created	C:\Windows\SysWOW64\Aeqmqeba.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pfdabino.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Ajpjakhc.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Balkchpi.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Oohqqlei.exe	Neplhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ojigbhlp.exe	Oancnfoe.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Onpjghhn.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Ogmhkmki.exe	Oqcpob32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pomfkndo.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Apalea32.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Pdlkiepd.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Ojigbhlp.exe	Oancnfoe.exe
File created	C:\Windows\SysWOW64\Pokieo32.exe	Pfbelipa.exe
File created	C:\Windows\SysWOW64\Pfdabino.exe	Pcfefmnk.exe
File created	C:\Windows\SysWOW64\Blkahecm.dll	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Oaiibg32.exe	Ohaeia32.exe
File opened for modification	C:\Windows\SysWOW64\Oqcpob32.exe	Ojigbhlp.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Qbplbi32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Nofdklgl.exe	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
File opened for modification	C:\Windows\SysWOW64\Bpfeppop.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Amelne32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1420	2880	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqcpob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmhkmki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdlkiepd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abbeflpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofdklgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaiibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aecaidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apalea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odjbdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmojocel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anlfbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biojif32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbelipa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkkmqnck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaloddnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onpjghhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oohqqlei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbplbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qodlkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcfefmnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neplhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfdabino.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oebimf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohaeia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oancnfoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohcaoajg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojigbhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokieo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgoapp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blmfea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	Oaiibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojigbhlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Docdkd32.dll"	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oancnfoe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgafgmqa.dll"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbplbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oohqqlei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oaiibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgenio32.dll"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll"	Oqcpob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apalea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odjbdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onpjghhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomkh32.dll"	Pfbelipa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfdabino.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeqmqeba.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oebimf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pokieo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkkmqnck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbappj32.dll"	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Annbhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2792	2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe	30
PID 2312 wrote to memory of 2792	2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe	30
PID 2312 wrote to memory of 2792	2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe	30
PID 2312 wrote to memory of 2792	2312	38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe	30
PID 2792 wrote to memory of 2928	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2928	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2928	2792	Nofdklgl.exe	31
PID 2792 wrote to memory of 2928	2792	Nofdklgl.exe	31
PID 2928 wrote to memory of 2760	2928	Neplhf32.exe	32
PID 2928 wrote to memory of 2760	2928	Neplhf32.exe	32
PID 2928 wrote to memory of 2760	2928	Neplhf32.exe	32
PID 2928 wrote to memory of 2760	2928	Neplhf32.exe	32
PID 2760 wrote to memory of 2580	2760	Oohqqlei.exe	33
PID 2760 wrote to memory of 2580	2760	Oohqqlei.exe	33
PID 2760 wrote to memory of 2580	2760	Oohqqlei.exe	33
PID 2760 wrote to memory of 2580	2760	Oohqqlei.exe	33
PID 2580 wrote to memory of 3060	2580	Oebimf32.exe	34
PID 2580 wrote to memory of 3060	2580	Oebimf32.exe	34
PID 2580 wrote to memory of 3060	2580	Oebimf32.exe	34
PID 2580 wrote to memory of 3060	2580	Oebimf32.exe	34
PID 3060 wrote to memory of 572	3060	Ohaeia32.exe	35
PID 3060 wrote to memory of 572	3060	Ohaeia32.exe	35
PID 3060 wrote to memory of 572	3060	Ohaeia32.exe	35
PID 3060 wrote to memory of 572	3060	Ohaeia32.exe	35
PID 572 wrote to memory of 1492	572	Oaiibg32.exe	36
PID 572 wrote to memory of 1492	572	Oaiibg32.exe	36
PID 572 wrote to memory of 1492	572	Oaiibg32.exe	36
PID 572 wrote to memory of 1492	572	Oaiibg32.exe	36
PID 1492 wrote to memory of 2200	1492	Ohcaoajg.exe	37
PID 1492 wrote to memory of 2200	1492	Ohcaoajg.exe	37
PID 1492 wrote to memory of 2200	1492	Ohcaoajg.exe	37
PID 1492 wrote to memory of 2200	1492	Ohcaoajg.exe	37
PID 2200 wrote to memory of 1040	2200	Onpjghhn.exe	38
PID 2200 wrote to memory of 1040	2200	Onpjghhn.exe	38
PID 2200 wrote to memory of 1040	2200	Onpjghhn.exe	38
PID 2200 wrote to memory of 1040	2200	Onpjghhn.exe	38
PID 1040 wrote to memory of 2564	1040	Odjbdb32.exe	39
PID 1040 wrote to memory of 2564	1040	Odjbdb32.exe	39
PID 1040 wrote to memory of 2564	1040	Odjbdb32.exe	39
PID 1040 wrote to memory of 2564	1040	Odjbdb32.exe	39
PID 2564 wrote to memory of 1760	2564	Oancnfoe.exe	40
PID 2564 wrote to memory of 1760	2564	Oancnfoe.exe	40
PID 2564 wrote to memory of 1760	2564	Oancnfoe.exe	40
PID 2564 wrote to memory of 1760	2564	Oancnfoe.exe	40
PID 1760 wrote to memory of 3000	1760	Ojigbhlp.exe	41
PID 1760 wrote to memory of 3000	1760	Ojigbhlp.exe	41
PID 1760 wrote to memory of 3000	1760	Ojigbhlp.exe	41
PID 1760 wrote to memory of 3000	1760	Ojigbhlp.exe	41
PID 3000 wrote to memory of 1708	3000	Oqcpob32.exe	42
PID 3000 wrote to memory of 1708	3000	Oqcpob32.exe	42
PID 3000 wrote to memory of 1708	3000	Oqcpob32.exe	42
PID 3000 wrote to memory of 1708	3000	Oqcpob32.exe	42
PID 1708 wrote to memory of 2304	1708	Ogmhkmki.exe	43
PID 1708 wrote to memory of 2304	1708	Ogmhkmki.exe	43
PID 1708 wrote to memory of 2304	1708	Ogmhkmki.exe	43
PID 1708 wrote to memory of 2304	1708	Ogmhkmki.exe	43
PID 2304 wrote to memory of 2224	2304	Pngphgbf.exe	44
PID 2304 wrote to memory of 2224	2304	Pngphgbf.exe	44
PID 2304 wrote to memory of 2224	2304	Pngphgbf.exe	44
PID 2304 wrote to memory of 2224	2304	Pngphgbf.exe	44
PID 2224 wrote to memory of 2416	2224	Pdaheq32.exe	45
PID 2224 wrote to memory of 2416	2224	Pdaheq32.exe	45
PID 2224 wrote to memory of 2416	2224	Pdaheq32.exe	45
PID 2224 wrote to memory of 2416	2224	Pdaheq32.exe	45

C:\Users\Admin\AppData\Local\Temp\38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe
"C:\Users\Admin\AppData\Local\Temp\38d458849c09947fb3bbe3f13d63dcd3e83c48680074849273049ae7727392db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\Nofdklgl.exe
  C:\Windows\system32\Nofdklgl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\Neplhf32.exe
    C:\Windows\system32\Neplhf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\Oohqqlei.exe
      C:\Windows\system32\Oohqqlei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Oebimf32.exe
        
        C:\Windows\system32\Oebimf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Ohaeia32.exe
        
        C:\Windows\system32\Ohaeia32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Oaiibg32.exe
        
        C:\Windows\system32\Oaiibg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Onpjghhn.exe
        
        C:\Windows\system32\Onpjghhn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Odjbdb32.exe
        
        C:\Windows\system32\Odjbdb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Oancnfoe.exe
        
        C:\Windows\system32\Oancnfoe.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Ojigbhlp.exe
        
        C:\Windows\system32\Ojigbhlp.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Oqcpob32.exe
        
        C:\Windows\system32\Oqcpob32.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ogmhkmki.exe
        
        C:\Windows\system32\Ogmhkmki.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Pdaheq32.exe
        
        C:\Windows\system32\Pdaheq32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Pfbelipa.exe
        
        C:\Windows\system32\Pfbelipa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Pokieo32.exe
        
        C:\Windows\system32\Pokieo32.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Pcfefmnk.exe
        
        C:\Windows\system32\Pcfefmnk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        C:\Windows\SysWOW64\Pfdabino.exe
        
        C:\Windows\system32\Pfdabino.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:300
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Pjbjhgde.exe
        
        C:\Windows\system32\Pjbjhgde.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Pdlkiepd.exe
        
        C:\Windows\system32\Pdlkiepd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Qbplbi32.exe
        
        C:\Windows\system32\Qbplbi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Qgoapp32.exe
        
        C:\Windows\system32\Qgoapp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\Qkkmqnck.exe
        
        C:\Windows\system32\Qkkmqnck.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Apalea32.exe
        
        C:\Windows\system32\Apalea32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:308
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 140
        60⤵
        Program crash
        
        PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
74KB

MD5
d9ba958078f62a6ffeab490c4a5e4d82

SHA1
deba9af105d49e372a79b54238668748ee84d6df

SHA256
14d986f8032020edf06bc198272634dc6267fcd314f15b39e9535cda1fcd5ae9

SHA512
d728de7232f93f17534e6e43f6bee78e6414544f78fcebcf6afe2d1a23788c0dfc25b2abc16ef01c78f459305b88abbce31d33a44a2118db392d2c5a5e1a8ee0

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
74KB

MD5
7bf637982b68859b4f0b35d39ee3c272

SHA1
60494d3695ccc2711bca7e76165325cdd00ff2b1

SHA256
028affbdb98af1da3763598901a6aee62b5062fe5ac4a098938d74b48b79bb29

SHA512
d89db2fdcac5ea8c8512483d6e76d23099a982ee67c52d3cb9aa0bea2a74caf00491f327a629aa27f30647fad2e363691e59c8cfc74a0d9cc5cd6b0d7394c3a7

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
74KB

MD5
b40975e8adae6e0320cdb93b330460b7

SHA1
228865eff8abeb82645955d308de7585086d3c81

SHA256
fac93a13fe11382edd79ce129b0d59203dc565975b0ea2ecee8fa736023b8db3

SHA512
571aa89f91098285027984478ae8a4a7236dbc0f549d07134712e36ecd08e99d91ef264207724269d013f38a548161637762eccefb7f3fe6d1bf56dcc1f74d20

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
74KB

MD5
9c3f7ca09c1381f4882168c102167394

SHA1
cee2b43bbf3d04ef2246103d5da9d9bca9de6685

SHA256
33e64bf695de28dc545ac8669863a136b98193379e2e55c3d161dd48e45d6b02

SHA512
60a792f6ac1deb0422123e59ecd09bdc6039d3cedfe2634f0e962a27300da3a5feccf9af6cdd86a3a88a56db8ba7f5571bf4b9e7cd786bfd533a11bdb0120b3a

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
74KB

MD5
b48203ef43b2bac8fd4faa1c03d67f49

SHA1
1141679b469a03fdc3a64c98243f3dbe3358e699

SHA256
d4a37bb5803d3b10eeec76885f183eb4dfdc94f6a7687cba2f34f42b809b73ab

SHA512
6d741f11bef7391cf9b80e2065dac005ca954bc0a23c65a0e91c196d7dcc58acbdd7dbc520d44510d06a289c8c7ac454a26d5d6538b6c6df13656c9d887ba3c7

Download Submit
C:\Windows\SysWOW64\Ajpjakhc.exe

Filesize
74KB

MD5
2543ab41dda9b336e7256cb89fcb8bad

SHA1
a6dc688917f850a8806baac304a09bf2032108ef

SHA256
2c0738e24ad3bbf00bfae323820b275eecc8a98ad814da4188f7a0fc0b05f21d

SHA512
b4378240452d361e10197e378b426006dc819a7bd15805d2ccda7cdc066fdd45e919a09fdc5943bd66822d70b06d4b5d0c22b7479c526719456e376e7f4bca65

Download Submit
C:\Windows\SysWOW64\Amelne32.exe

Filesize
74KB

MD5
2fe59fce476b79ed81539e4fe08c5733

SHA1
5ac73dfbb5c945f776c76dafb4c9afb29fdd88bb

SHA256
a914d77dc07916bbb8a324026cbfe42be837648cad5e2ba5ac55f6ddc4da1aab

SHA512
0f8b5b6cedd495548fc4cb6847400f7f3d2f8f38c70e4a75438bfaa718c1ba501d8c434e232e3ccbc8aad65e0849af0fd04c3d4ed440858d47c05179954f3130

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
74KB

MD5
7cbcc120ece392a9f67ad17a53e62066

SHA1
e574c437431153926b976373b1df2d646a4db6d6

SHA256
2d6f025d7f2c150dd5a8ffb7d5ee77c1d00f0f306d0863e3b6b66835d99d0e85

SHA512
9dd0f17657ed4e5f1a03478945e3bd220f81fa991773252a817ed3531259db88ac1c9af0c0811762bb7b26b8f019341d48bfd7c5df7cfe47782f56bf435b0d08

Download Submit
C:\Windows\SysWOW64\Annbhi32.exe

Filesize
74KB

MD5
2abbbca6f8e7216de7247291ce88b2d0

SHA1
10ed000472dc143d5c3d20b5b096153d5d63571a

SHA256
9cba426dfc009ed904f5a76a454cd84b6844f96d00044df8f7ce266c6edaf810

SHA512
0ac041ee8f3a0387335609539963698256cfc54cd1314dd94af8e42579bc12015920aa8f65319b4a2c56bfd44a217cfeca09d655d731a1cf9f93c05924abffd3

Download Submit
C:\Windows\SysWOW64\Apalea32.exe

Filesize
74KB

MD5
4a60d131d7c2eee9d0d0d04210e2dad1

SHA1
65344b385fd82e1fb83c901a7a6371b957f197f1

SHA256
14ab78368fdf1c768d732f937cd356dcaa76e60ffa655b2f12e65dc756bf8253

SHA512
42ce89fa65c082cc7d2a676341c10832df7ff93c9d2040404f0cc86d931103cb6be270284cdd66e6b0875c694d688f3e1d5c1f3bee4c74a64fd5462fa64b66e8

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
74KB

MD5
a71bdeb25c56cabc8cf76c6066ce456f

SHA1
9c13baaafce8a5cef042d5129037c0cd6c5a8652

SHA256
6c81d1e5c5c5ffc3853961ac6652296e5ddec532e58a846c17d549b108b8b00c

SHA512
cb6ce3c503715f5a89c56a09c3a7525dbd9f1b6c828e22f7dd640fa312e5a1520ae3a079f4bb069c8e51918a2c2960f870102a850e3399322885700695f25d13

Download Submit
C:\Windows\SysWOW64\Balkchpi.exe

Filesize
74KB

MD5
f2e41714f37b37aae1b92d39bfd7f591

SHA1
6d551d388e3dffb4b97f675fa3f1455497448c0f

SHA256
25e69b3d402c1856a1d6c5995ecc3d04d879757ae88e67d1f2d740e020733d75

SHA512
73066ddc1bdb1acced577b054352b70cd06e7cbbf048af145a0af4114c35efb9cd14cdd5a6b95815425b8ccc463ab2c6ba5f4e3dd7050910f6da67113db6b7a8

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
74KB

MD5
de4bbb7e0dbbe58fdea768354e03be25

SHA1
be734d51083673527b81d3e819162154b310c6b8

SHA256
e249e9dd0dac65538b07738077ca0def11e8e437dd1c9d2ff6641334e7832e74

SHA512
1b3dc69abe46eb994c7bcc69523ae06562a2a4c6d112af66778776945e8cdc08ddecc0b1117ce51dbcfb927631a56b73cc5e0773a902aadb97447f27a0d45d6e

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
74KB

MD5
5fb8e589d5c6704d28f6519ac5e8793b

SHA1
48ba2750215bdaa9dedbd07b2d0ede90d3c0d241

SHA256
4538bc7b7f9a92a54ab1ffcefa1eeeff439b02a986451e7647164360deff1bc2

SHA512
d6439ee3dd7c26a9aaff620a3b7519fc5926ddc375816cfe80e4412cd751419a291101d059312e1c8926f6d01e7c4055a2a10f64197af8d329fae1993ae25107

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
74KB

MD5
8342b020db183ca148049b5dbbfbffd6

SHA1
f71c6819638a6a7f3a8dc71cf9bb8120281bea21

SHA256
d47d390abec6b85797624d179ed58590b8a684c3611ad3077cc3816725170f77

SHA512
f8d48c7809975ae30bfc75b44ff374ada3aeb63a4a2a48a4416d79860f0b60fe76509874180bff37fedacca469944f9b299c684654f656f47ea35e7053720d15

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
74KB

MD5
932760c417227dd27b2c9f4847b62496

SHA1
11c10a2c38545828ba562223c16eb21dee9a7a97

SHA256
1000d512f2325a42d297e89d89f9c61c8ce48aa76e5f80f0500e16e095374702

SHA512
4761ef1d6b15b7be9b7b99f6ac7ca020fcace84d6b528946333f4eb8c29f79934d41c6eb31d2836fd9161a56a65604ada19b8d2792fb8b4ab30cc3e4be958191

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
74KB

MD5
af7b42fdc263bf346c388988f87e848c

SHA1
32ec13f3ea4995013fd5cace2605a52cc836aad3

SHA256
40e830751661d658861e12306af5d134b4300db2761d8591af8943596f20ea4e

SHA512
46af613cb20f23e20d95a69bd675bbe36bf8b12e9b6a0e46893fb5f4db9c651bdb2ffcb667cf12a5cb635a372a728d426c4f39e0df1b62639631036206b420ec

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
74KB

MD5
24f0f036935b6404d1b499b2ad1abb5c

SHA1
6cadb8f23d22c944d39319b5a5ca0df1930c2f2b

SHA256
8e83fe954ef719ff1a8f4cc00c23b1b0b7e68b8a7b1e5b79973545abef8aa8a8

SHA512
e30246eef401ed389ce4de4dfecd1cbd111c521602b00a9b1c766aa4e48780eaaee68bbec29cfca0ca81a0dc0c01a99d25a2f7e2463a61fa6c2a3ae241166490

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
74KB

MD5
7728a7b11961b0097065fb5015dcec2a

SHA1
cf96f39bbd1d40dd19e1cecbc20412d96f915796

SHA256
396e4098b9a3d2fc588d96a560105cee901b6415a0ae0e2a98088fd337c80561

SHA512
afb7b2b3690338d847eebef7dd4839eccbea2a3373fd0be5da061195f581aa855885e9f73e5073d98e8df3f95fe77dbb7665b9eb87dbb88c7b104c99e7f2d657

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
74KB

MD5
31d2201b563230dbdbf5a56ac0eee376

SHA1
7f96415fa1acc9eeedbed301c58a73fd3d864c23

SHA256
0ab379c9d06d5395b971738805d05b3b3bef718933c3461936226269c7487e1e

SHA512
cd6590c7dd8e6f61fabe240f03b3ddfed946d59a2c46dff07770d31604520978fc0c5a5a90e0af6e8033209d4cc765e77966b06342c6a8a46ff8bfc8c027302e

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
74KB

MD5
8d9ff12c1a101c658101966ae47995c8

SHA1
c0421aa48b1e001f1a48444656592383a7024b8f

SHA256
23c14e89bdfb31b2ba318073d28cc6007c421700460aa2fc21dffbbc2452c5b4

SHA512
767b8829eef0a9454964ffc64751cb7235926ae287a16f3ca5160e98e678709e04fcaa4798a5d0badc42b7962a751fa76ec0dc6184048fb90590c814b67d1506

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
74KB

MD5
6d32c0f19f29c4b8730829dfa7d7c54a

SHA1
49abee5ddc126a549171ff1f3eb1cfd5eadc6446

SHA256
5c363b8657f8e9caea1cd99027ff3ea60e4525dbd226ed768a3a735882b0766a

SHA512
b8793eb128ecd305472c4b10244619c119be56d1a6d1d9f323d0605897571e13c1fc5af17091aea50c211cad1d8f7501bd5047b1ff79dfcc013f43adeab25378

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
74KB

MD5
28577cc41b28d1bf4d07aac8fd59cdd5

SHA1
020e3c87283a43d222366137253439c400d04ec3

SHA256
e774c6d475c843e9a67cff0a6bcf8aafe4d73fdcd3086ffc78fe92745cd71c40

SHA512
404a8f79a2f119979aefced0fd787727b1bc9cffde24c4417ecba1d8773f121bb23afdcf3961d758cb7287821f015093435bc052a8926e8ad7a9efbf8b7e7c6f

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
74KB

MD5
4d25af40ccbe33ea66b69322dbdd0848

SHA1
8a48207ae2660b7aa708f29a35dbe8b59e82bc99

SHA256
5d9f56e56d8608f5d58fb8e199bd14ef8a5c8efb77da3ceeb8c7be9401b8b6e2

SHA512
8d071c750c3057389a40caf5dbfb1e7dbb6dcd027e57341459d0b51e75df6f10df59a837208be472a19f65b4542701c2d3047563291808a1d8c4de02485ae598

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
74KB

MD5
0c6e369402ec7d51f89d04dc70e564d0

SHA1
266714c72821912f7122eca32a5b6a2753c837dd

SHA256
4b8d2b4b58bd75b12553497f25827b5a5d03f9df8894581d156c120d1491b7cb

SHA512
1000bd31af2bb083150020bac8863094db583c73462f103c8c7ee5401678cc6f58a8f4611ba81f2d38e5a04ff8b086cf20eb9a47e4b5ca2d4d33931c8a928606

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
74KB

MD5
dc4527d299bb4a25817bc443e754d7f3

SHA1
bfebc562c6a83c1830cd38425742201c7d30b2eb

SHA256
36faa1031b8dde45db11f99888239e9f1634c3b03cb6606c9f93e7f14a7588e8

SHA512
2bb7e5273a8b43f5ab56eb07f19cc14fc2972cd459a2b6ae2798ef6261469c494b12e2408ec9302dc99738a101c9d72ffba3b91000fe3570b7afc1a3da42557d

Download Submit
C:\Windows\SysWOW64\Chkmkacq.exe

Filesize
74KB

MD5
cc873f84bbf29fbebfeafe017bf056a4

SHA1
27b8b4863df0e71c7ed25884b74ae4ed5fa770b2

SHA256
b6138222c33be4129ab7662d786cb00fca91a1fb0a895c1366b5c5c3f6dccdcc

SHA512
18aad465b9c737f7e4b827e2ad888c58ff6b6f96fef8fcee941843bfbf04d61de6bf24fbdca9d7f09cc4c9c24181730283ac45e02f83c0436b55b6b11cb72cec

Download Submit
C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
74KB

MD5
763a3b91de84475f112e73861bbd79e4

SHA1
7bf7719059d2289c4f58d009c04da90f43b3f592

SHA256
cf334121231bcc01bd447836695b5e83c226233a1c4226407487f69b31a715fd

SHA512
cc62a7036657ec5d44a84a59e24e9b852a88f36bb961f88a8c8b1c43b2c133577d34c5751c72a1840f6610c580ff39181c1dcd8644ae5ee9abfd9f67a1490f34

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
74KB

MD5
8f6be6ea30193fa53b78f30884289220

SHA1
263652358c9c21a85f950ccd2b1c5a50195b6338

SHA256
471c3b8c40ea05d9192decfebf758969a77748dc2606544d070d67a90502dce7

SHA512
ce3486788588e877ebdb44c714fab901691116a741e76635f0ebc98b77b17700f37dc15f20b999a58d4cec70152336f6174b6fd8580ff8ab96fa8299de4c9f7d

Download Submit
C:\Windows\SysWOW64\Icdleb32.dll

Filesize
7KB

MD5
0a7028cb82027fb6c6c70b69fa1ddafe

SHA1
b787184d8d4b427c1c25a455fb943f85e5d402be

SHA256
62895d7f2abb887fcf3a66bbf9647e984024706f15d90f54ae6182e71fe55525

SHA512
22f09fe5390366da9f75c4e47c7cc45e0e34eb7b1d8031571156a7b592ece4193eb54bbfc83821d8ad64a97426a60e08354b0fa7b23a35e55fbcafe839f81535

Download Submit
C:\Windows\SysWOW64\Ogmhkmki.exe

Filesize
74KB

MD5
89fe7664ed190678d849dfee5e6c98d4

SHA1
1feb1dd5b2ab86ac47fb75936931453b66f33d8d

SHA256
61683bd0c888174f2b510985d256e203da1a8b56ccf23a699e3685e7c03fb508

SHA512
7f67fa4daec452d94d480fa8dca70a024ae93b8b9a8690b509fc817d223dd985e1de8f704f39dcd3be342ac3ee904d0068714e71562a9fb05700b173df9145ed

Download Submit
C:\Windows\SysWOW64\Ohaeia32.exe

Filesize
74KB

MD5
0a9c2ff6fa1c4154d80d63b547d40bb1

SHA1
5b3d3658c9fc6fead14247206196a2845007c852

SHA256
713ec3f1fcdd75ba9a0ac7c37333f3070972a55e0e5de9e2638b945c532de995

SHA512
39904ca13c054fc57fefa45068bbfbc1a4c90975b09c17e408b52ec267184109f75b66413e72265033a0fba5e615deed00c6b55d0417a7d05e91b5fe8e12b5bd

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
74KB

MD5
eb6190ebb74916fc6e6ced875352eb70

SHA1
839758eeb74afc9b6b0beb0a2102516e306d8fa1

SHA256
293c0e934bd5d822f411b03292da0c995c035c18e84374162638af3f74a39014

SHA512
7e3281d7f718c4b81096a81ea1fb8beee57800beeacb6d9193a9a2437af6768bb88c4df8a8ab503cf27b401e2aa36c90cf595d097ca5a680588c80bf09692f74

Download Submit
C:\Windows\SysWOW64\Pcfefmnk.exe

Filesize
74KB

MD5
066ee4fcee635ac95dcf8624b5d9c82b

SHA1
a98bbbca7fbc956fd480d2a8be5aab8c677d0453

SHA256
e793904dee26fe4599031a90c0b5ddecd6b9dc904629582f3f6b3ec846517e08

SHA512
0d1d2a2957f3a2d2a4e2623206aa52f8bf8ae6c341c37f11f05795dd2eb536cd6b0b4ba496d3783cbdd1d66ba4b126237da89c7bc44f152db698a04e337574f7

Download Submit
C:\Windows\SysWOW64\Pdlkiepd.exe

Filesize
74KB

MD5
3d0d17a6a562f332b854382c00d9debf

SHA1
fdc785ecf96e191d4c1e77babd55e52ba84d1a8f

SHA256
9d1ded999b7699eb9809d40fc1a573fca4d9b3144b2cec8c3a4925724edb69f4

SHA512
a75dae868201291476c67bb9e44115ca2dc2119547ddce868eb1decaf6e6e0ab92c596d0e75eafb869ea91f2875a7ee90e2ef3af72cb780449227234a6a91e77

Download Submit
C:\Windows\SysWOW64\Pfdabino.exe

Filesize
74KB

MD5
5a5eea51afd378664b0ae252eef8271b

SHA1
5434099df9af897a3648bfd9f4760e10c4547651

SHA256
5a9db224413589dcb10801ebf8ab1aea2f573aac89f3e75ed3ae2597afebf8e6

SHA512
b350433ccde61278f4eb8bd87ecc7824c8c6afcb7bc80957cb0e8b8974369f330b538dd5d09ecc487b30c7d9ba0b0cda4458c50f54314c31b14baa5da0c1b68a

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
74KB

MD5
4518efa507fdca1dd9ba7fe7f397f02a

SHA1
c60e168899e77a616ab322ef157720ca66b8a070

SHA256
55ab21736db6b36a35f3b444752eec37cdfd25b93e6d36a1bdf2c3e7e3d1d25d

SHA512
dd393f29bf0d05663c8989bbba4b63eb37add2fae48058ccbcc1cbc1224b0fa97d59a7d4c2586111a08236fe1f59d9ee6b20c5fe2e71601610e1a086662eee05

Download Submit
C:\Windows\SysWOW64\Pjbjhgde.exe

Filesize
74KB

MD5
5458e13697e006d5e4c1dc8ca100103c

SHA1
4becaaeec479c26aa31aad4e80f756ae7ce7394a

SHA256
962f483ff27c40759c5da4f5431fb89b671c197dbcbe1cf44a6ca26762eb1e15

SHA512
ebbf6b1bcc8fd1d9407167828d1c0bb41b9dcda19d12ebbdd860b33f765f80212b1f38fabc349b86bd6078f0a95e25ab70d07d0038f9ab3325ac57b6e80c80a2

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
74KB

MD5
7d2112e251f737ea3bfca499f7215e06

SHA1
56ffed6e813cc8133e43317978695628844e434e

SHA256
5730d8cd37b5c16847612c15db976c876b334f7b867a591aff44822525b1fdf5

SHA512
51bd6438dceec0e82aa6a6f3b97f7b40fb94fe78f34ac719266543b7843f6ebbda5db6973f1f92c4c9006bafb65deaf213ad89364cfb328d92e56002d78a3093

Download Submit
C:\Windows\SysWOW64\Pndpajgd.exe

Filesize
74KB

MD5
d8adb355255c348b7ea1e7f895de51d1

SHA1
e2778c7ecb525b485f23938f2323ec91a405f589

SHA256
298eb95018be1c6ce2633902595c4364527bb54827fb56f9044d5962a308a750

SHA512
9c87dda7330f28004f984d6df17550fbd6d9bc7028435fb6a0b9ba2dd6cdb4f730a2907e6cd32cafa757cd20b0e35d8401d885e4e65b49c0e83154cf73a81532

Download Submit
C:\Windows\SysWOW64\Pokieo32.exe

Filesize
74KB

MD5
26e63b545bfc61a95e0cd64d822df04c

SHA1
25b7e14026b17260b71f0d2ec7e054c677c4635a

SHA256
1baaff2f2dcce4a051d26070c95cce68ada7420ec9e2512b967cc2e3f22e1201

SHA512
53091a3e0e6f7c0cbde3c493413257e11480cb4f43cebd9d9b5d83f1c39227f197d5bdd41db23d2fb7d77e8a152a98f7bee9fcc519e153d05b052c8db9a9f4ea

Download Submit
C:\Windows\SysWOW64\Pomfkndo.exe

Filesize
74KB

MD5
5397d18477eea5b2a459334572c9f298

SHA1
bfc14a92bf2ab85cfbc4081c23954d4feda43e01

SHA256
bcb9b6d0607e834deb274ec82370ea3c38c1d13c0d6f5b7dc04a586e01a64a28

SHA512
9c36c621874a738a126e203289967d57c6fa1d6c97dc8b03b1b2af66f5248793d47d7938b4d3066370c8c7a143d36f7c8ff876d6bef126d2be7d2dcee4b573a4

Download Submit
C:\Windows\SysWOW64\Qbplbi32.exe

Filesize
74KB

MD5
398d34614f4cc3967d8ff93b1d099c56

SHA1
26f62f982aba8b3c01c862a236f8eb4a1b06cd2e

SHA256
0ac1bcd7ded5f137bbe6e426f6d84a2c3d63a0b6fdd61f4f6de87fdf72cd8909

SHA512
5cdec2de38de5c4d2f4f3d165579a6d1157779534853af8deee7abbeb12367d610810dbd2751da129fcf74de5efefa718c0f89590ce09183f9e246c166f9e4ac

Download Submit
C:\Windows\SysWOW64\Qgoapp32.exe

Filesize
74KB

MD5
d811b80e8c4832e8ead069a97b0f3903

SHA1
7e1417fc5ae8d357569725a14bbef5043b5e6132

SHA256
e7b2dfe905d1189bbd80b276b70c04ccbf749fe064d6eb42737781f3f5baba07

SHA512
7fe39e4039171b19ba1744c4053c5fec774e0f7c4e19a353e579d2990a4c1fc24f6269c38799238c411f4dabe07d810a19158ebc42a711f96a41414ae2d04599

Download Submit
C:\Windows\SysWOW64\Qkkmqnck.exe

Filesize
74KB

MD5
ba1a8650a92ede961390d5366a4f1000

SHA1
abb1250aabfaf35c7e63e6453ba3e4fe17dbc989

SHA256
22f3c1f4a29ee8e87da8fecd4462532443677a10498c0311c2f7ea741b1a8f38

SHA512
1725e947246fcbb569fdccc3baacd4e3b70e6ec10c49fc8a096faf010d796a6dab562beb47d274965cbc6c03be4ac3f450ca548ccc3b93cf8c26edba4d9aca52

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
74KB

MD5
ed649c607247ce108985bb74749946dd

SHA1
965ac1857085a0b62e8c367502e36768a3fd5a96

SHA256
309d098d54785ba08a9ed0c1ae6be67506bcc4028a65df2bfabef501dbc47814

SHA512
e48ab6cb92c121b0295230a2de1ae1a3417dbf0eb1658879343f5074d3418258c6420d6724b42e9900271495f7e36d610f533abf4b4b6867eb4fac5fd164d16f

Download Submit
\Windows\SysWOW64\Neplhf32.exe

Filesize
74KB

MD5
fcee85d259d571969086596da295ac13

SHA1
e7c19bbf5a7a8f1288ab6606e4ba06d2447b8340

SHA256
1ae46295a1298ddaafc8364b9db89c8dc1e1f0bdda87889af343e5488cb5b405

SHA512
a970261624205ef7b3c3311f40b0ddd234651c3e3fa2c786290c62a42d62d8c748c764b2a28c0e4931f3a53821a62a0e7df0abe15efa73c8963747cec8061f1a

Download Submit
\Windows\SysWOW64\Nofdklgl.exe

Filesize
74KB

MD5
43c0bf30bccaee0163f6ffd9ba74b508

SHA1
336a8c0f7722ae3b5552939e363ce0efbd524b43

SHA256
fa3f1cffb81795be77c41b17b58b6549da412da0fd0ba5755d68e7de900d9cb7

SHA512
bd15f8c5afa108d2aeda6df008837955a820958c5b8cbf713c5934e16111768f3b1aff4c484d94cc5b08f7614f9ed3352ed4fbbdc111cb90ceb45e7401d17780

Download Submit
\Windows\SysWOW64\Oaiibg32.exe

Filesize
74KB

MD5
c2cd2c16be8b2b65b16bbdc621349932

SHA1
53fdcdd5402e3d7a32e1385613139ec4f7708292

SHA256
7785783559490bdbc43afc8ed126a0256a0aec46dfcf2700be5c5fb8a189ae5d

SHA512
836ddb7339c1eca1778f382ba826d579bc4e4b535a32bed46abcecc6576275574b295f3f4bddfce99b42e9d6e75c0495ea192f6d4fc18291bff0dfdc3573cbd3

Download Submit
\Windows\SysWOW64\Oancnfoe.exe

Filesize
74KB

MD5
685b101b82fcbe1e6767401826427cf0

SHA1
e178d390044b495afc74ce72e8ce115b9ace4303

SHA256
f2999401f426b8c839c393a9ed2e7a10a6607e0821557c75a954ac17cd9a7036

SHA512
f0793f97238d281f5e2ec7df7e105e9d95a82c5d1087f48d424b5faef32749723377bfaeacc0830c1cae9a22044ee1735c81085c86e79f815523532b020f7bf0

Download Submit
\Windows\SysWOW64\Odjbdb32.exe

Filesize
74KB

MD5
a2c519915cd2b45cf975193b0783e26f

SHA1
e9e76a1f2b7b7afabbedcbcec52196fde342c741

SHA256
5c40665e6b9b1fd4d59257f2a1fe89f958b00b5aad5c8d9def80fdd20e0c5742

SHA512
d2d866728d5f0f3ba7be46af32ce6b6f89cfe7b50f7a5ea19275285cad4ae24e297fc24a379be7964b48630f73182a2d510f09f6d0e9b9f63a028d4a3ff8621d

Download Submit
\Windows\SysWOW64\Oebimf32.exe

Filesize
74KB

MD5
948e718204d4f68bebe7959e4ca0308d

SHA1
0adb411088d77db300d784a32533dca54afe2682

SHA256
a1caaa4ddaf1c78feafd4e6fdb86e7294e82e99417659547354a40ec51162338

SHA512
f24a0b2cb2d466a9ec40cf3938ac81b40c2804b31d244a26d6bd935fedaac089fe265fa074010a14d841a6d77707ad41c843ca21e0baed70b543883182cb5c21

Download Submit
\Windows\SysWOW64\Ojigbhlp.exe

Filesize
74KB

MD5
295db64bcd9e87d71571cb0aab586eaf

SHA1
0b0597ec96e7521eaa9c1f35eb8a298aa67f68fc

SHA256
4d8649a245a40eb5ed2a1c330bb4f22f029c7784e5bb7372e6126210a1303989

SHA512
1f48069581c281ce539c6112c980698e9c2ab9a81da3e92a4953ea1794e2222fd8fc98a52ddcc059415bab811b4c6c57969befc1da63a965f70b0506f6253911

Download Submit
\Windows\SysWOW64\Onpjghhn.exe

Filesize
74KB

MD5
83fcc08839eacefc4470afbd41d02867

SHA1
646f752fe7f925f92f862acc88f9f0f521360cbb

SHA256
7ca086bd6fdd506267379a355e63de45af1df2cc913923f04b3fe88490aaa0bf

SHA512
565c47c300279a0bb3cdd11bd6b5cfa3478c1370a03d3843826f029a6760d6a9ea42c812b38deec128600c90c1c718f4d223e9ecb3d891baf9f1e9cb6ad97cc1

Download Submit
\Windows\SysWOW64\Oohqqlei.exe

Filesize
74KB

MD5
1fcf61da8bd9d3d9cbd215ca7de52b45

SHA1
d1325a44e87cb776f295292bf79023c78e7e1c62

SHA256
ed6fc9515e7ee38de71d01f4b3a91c88f00fa6783c2fc082b06234f497fd23cc

SHA512
85ee8f9c60e20a9441bc8c705689b7401bd052133c04033a7adae36c3db9d9a0d5e879ae060d4ce79209338febf344e34ddb8ccf86cafa1300763dbb666eeb43

Download Submit
\Windows\SysWOW64\Oqcpob32.exe

Filesize
74KB

MD5
8a935f94162cc82b4381576148f58c5b

SHA1
3a2dff66b5a05e517fcd68f7c8cfda6b42b76dac

SHA256
9c3009b1d7b8c69cffe4801b54dfe3bb5b9528539e5e16038262cb4db1e3d587

SHA512
81fdfff46aaa460391c63c0108014318b9f0663e8e59430445c9f0e803353d2f2434c1985450c7b86d13aadce852b80c53c94b2be90b6c2faece38079107f2b8

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
74KB

MD5
f694ff2e9e468f3a5ef468849697a994

SHA1
3cad6ffd80a66f182ced58e66ee459cce70c0171

SHA256
510f24a3653246cd57583ffd559b6f88b516c612d5b8355fbb4b67c560203211

SHA512
9e1ef3a696749cf8fa551299bff8754f7b27ec1ebf5160caebcb487ba83c8078e5ccdac2b61aff7c9be6148c3b17e0103107128440caa6e35479f17752d3b33f

Download Submit
\Windows\SysWOW64\Pfbelipa.exe

Filesize
74KB

MD5
a5d2d287bbbacabfbac53da456dfb03a

SHA1
bb6403b777bbd48d58cd82825a9775bc8a149571

SHA256
70d1ff16a73156e530e23f2ccc35bf34cd123383e3a73d03784036e74d800dbb

SHA512
899831149717c986e8e02f00d488d84885aab19346ca6819f57381548d68d2eb59e5d4bcacafa1ccf790542852a9cb956bc292e1f8aa2c1c6ed7556f8b692e2a

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
74KB

MD5
e903670d9a6b73c96c6483b176304967

SHA1
8934ab6105d2efd08b605db45d52b3bdc695a530

SHA256
16f80cade3226a862a29a2f3865b3d6fc12c0d17c39d86f7543e07bb209c892c

SHA512
4533f5483b60a6bfe6023f2e6da37d50680fa265a09190d03ba650224d1cc0ec31074d6aaf092170d9f8a87de952a60b3c2e0838c12d75b3fb46fd9b1afd8895

Download Submit
memory/300-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/308-428-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/308-438-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/572-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/768-479-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/768-490-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/768-489-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/876-303-0x00000000002C0000-0x00000000002F7000-memory.dmp

Filesize
220KB

Download
memory/876-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-304-0x00000000002C0000-0x00000000002F7000-memory.dmp

Filesize
220KB

Download
memory/1040-128-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1040-491-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-121-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1076-383-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1076-380-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/1076-370-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1360-242-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1360-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1376-270-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/1376-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1376-271-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/1492-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1492-465-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1572-437-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1624-223-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1624-232-0x0000000000290000-0x00000000002C7000-memory.dmp

Filesize
220KB

Download
memory/1684-288-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/1684-297-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/1684-283-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1688-326-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1688-322-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1688-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1708-174-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1736-282-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1736-281-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/1736-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1760-147-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1760-155-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1868-243-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1932-458-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1932-454-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-459-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2156-414-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2156-415-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2156-408-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-480-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2224-208-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2224-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-381-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2292-397-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2304-187-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2312-12-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2312-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2312-382-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2312-13-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2312-400-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/2352-478-0x00000000002B0000-0x00000000002E7000-memory.dmp

Filesize
220KB

Download
memory/2352-469-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2396-314-0x00000000004B0000-0x00000000004E7000-memory.dmp

Filesize
220KB

Download
memory/2396-315-0x00000000004B0000-0x00000000004E7000-memory.dmp

Filesize
220KB

Download
memory/2396-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2404-426-0x0000000000280000-0x00000000002B7000-memory.dmp

Filesize
220KB

Download
memory/2404-416-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2428-502-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2428-500-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2580-66-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2596-369-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2596-368-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2596-375-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2684-511-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2684-501-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-358-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2740-359-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2740-349-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2760-41-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2760-54-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2760-427-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-336-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2788-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2788-337-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2792-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-27-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2792-392-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2904-338-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2904-348-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2904-347-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2928-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2928-421-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/2988-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3000-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-446-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-68-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-76-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/3060-448-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads