berbew | 31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6

Analysis

max time kernel
95s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
Size

64KB
MD5

b4b0a05477d27be88485dc07dc5477ee
SHA1

f238e48c8cff66356ccab119de8a6cd6002c5217
SHA256

31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6
SHA512

c5d4956017fad5ee297e1729a17a776267ae77c15e17835cad56bb854f22fd8f8c6529597364ee4e14a712fe45ff06773cb04a2239a93641a2a2bb55944a28b3
SSDEEP

1536:Ec1FJtB6beQkx7Ocrvm2tG92LwORF+FoQs2:Ec1mbeQe7O43bRo68

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojjolnaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmkadgpo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1216	Oflgep32.exe
1332	Opakbi32.exe
1136	Ocpgod32.exe
1484	Ojjolnaq.exe
1728	Opdghh32.exe
1220	Ocbddc32.exe
2052	Ojllan32.exe
2716	Olkhmi32.exe
3668	Odapnf32.exe
1048	Ofcmfodb.exe
2556	Olmeci32.exe
3796	Ocgmpccl.exe
5092	Ojaelm32.exe
3660	Pqknig32.exe
3976	Pcijeb32.exe
1504	Pdmpje32.exe
368	Pfolbmje.exe
4064	Pnfdcjkg.exe
2252	Pcbmka32.exe
764	Pjmehkqk.exe
2112	Qmkadgpo.exe
3952	Qceiaa32.exe
4952	Qfcfml32.exe
3724	Qnjnnj32.exe
4084	Qddfkd32.exe
4528	Qgcbgo32.exe
2744	Ajanck32.exe
4420	Ampkof32.exe
4452	Adgbpc32.exe
3892	Afhohlbj.exe
4508	Ambgef32.exe
528	Agglboim.exe
1632	Ajfhnjhq.exe
3624	Aqppkd32.exe
3180	Acnlgp32.exe
3508	Afmhck32.exe
2072	Andqdh32.exe
2792	Amgapeea.exe
4352	Aeniabfd.exe
3124	Aglemn32.exe
5008	Ajkaii32.exe
2212	Aminee32.exe
452	Aepefb32.exe
3712	Agoabn32.exe
3068	Bjmnoi32.exe
3664	Bnhjohkb.exe
4384	Bebblb32.exe
2816	Bfdodjhm.exe
4176	Bmngqdpj.exe
2812	Baicac32.exe
2092	Bgcknmop.exe
2640	Bjagjhnc.exe
3828	Bmpcfdmg.exe
1624	Beglgani.exe
1948	Bgehcmmm.exe
2436	Bjddphlq.exe
4160	Bmbplc32.exe
3444	Beihma32.exe
4584	Bhhdil32.exe
1380	Bjfaeh32.exe
3616	Bnbmefbg.exe
4916	Belebq32.exe
2284	Chjaol32.exe
2776	Cjinkg32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Olkhmi32.exe	Ojllan32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Pfolbmje.exe	Pdmpje32.exe
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocpgod32.exe	Opakbi32.exe
File opened for modification	C:\Windows\SysWOW64\Pcijeb32.exe	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Fdjlic32.dll	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pcijeb32.exe
File created	C:\Windows\SysWOW64\Naekcf32.dll	Olkhmi32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Oadacmff.dll	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Odapnf32.exe	Olkhmi32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ldamee32.dll	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5220	6128	WerFault.exe	186

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojjolnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocpgod32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opakbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opdghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opakbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naekcf32.dll"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohjdgn32.dll"	Ocpgod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadacmff.dll"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debdld32.dll"	Opakbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojaelm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Olmeci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1216	1640	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe	84
PID 1640 wrote to memory of 1216	1640	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe	84
PID 1640 wrote to memory of 1216	1640	31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe	84
PID 1216 wrote to memory of 1332	1216	Oflgep32.exe	85
PID 1216 wrote to memory of 1332	1216	Oflgep32.exe	85
PID 1216 wrote to memory of 1332	1216	Oflgep32.exe	85
PID 1332 wrote to memory of 1136	1332	Opakbi32.exe	86
PID 1332 wrote to memory of 1136	1332	Opakbi32.exe	86
PID 1332 wrote to memory of 1136	1332	Opakbi32.exe	86
PID 1136 wrote to memory of 1484	1136	Ocpgod32.exe	87
PID 1136 wrote to memory of 1484	1136	Ocpgod32.exe	87
PID 1136 wrote to memory of 1484	1136	Ocpgod32.exe	87
PID 1484 wrote to memory of 1728	1484	Ojjolnaq.exe	88
PID 1484 wrote to memory of 1728	1484	Ojjolnaq.exe	88
PID 1484 wrote to memory of 1728	1484	Ojjolnaq.exe	88
PID 1728 wrote to memory of 1220	1728	Opdghh32.exe	89
PID 1728 wrote to memory of 1220	1728	Opdghh32.exe	89
PID 1728 wrote to memory of 1220	1728	Opdghh32.exe	89
PID 1220 wrote to memory of 2052	1220	Ocbddc32.exe	90
PID 1220 wrote to memory of 2052	1220	Ocbddc32.exe	90
PID 1220 wrote to memory of 2052	1220	Ocbddc32.exe	90
PID 2052 wrote to memory of 2716	2052	Ojllan32.exe	91
PID 2052 wrote to memory of 2716	2052	Ojllan32.exe	91
PID 2052 wrote to memory of 2716	2052	Ojllan32.exe	91
PID 2716 wrote to memory of 3668	2716	Olkhmi32.exe	92
PID 2716 wrote to memory of 3668	2716	Olkhmi32.exe	92
PID 2716 wrote to memory of 3668	2716	Olkhmi32.exe	92
PID 3668 wrote to memory of 1048	3668	Odapnf32.exe	94
PID 3668 wrote to memory of 1048	3668	Odapnf32.exe	94
PID 3668 wrote to memory of 1048	3668	Odapnf32.exe	94
PID 1048 wrote to memory of 2556	1048	Ofcmfodb.exe	95
PID 1048 wrote to memory of 2556	1048	Ofcmfodb.exe	95
PID 1048 wrote to memory of 2556	1048	Ofcmfodb.exe	95
PID 2556 wrote to memory of 3796	2556	Olmeci32.exe	96
PID 2556 wrote to memory of 3796	2556	Olmeci32.exe	96
PID 2556 wrote to memory of 3796	2556	Olmeci32.exe	96
PID 3796 wrote to memory of 5092	3796	Ocgmpccl.exe	97
PID 3796 wrote to memory of 5092	3796	Ocgmpccl.exe	97
PID 3796 wrote to memory of 5092	3796	Ocgmpccl.exe	97
PID 5092 wrote to memory of 3660	5092	Ojaelm32.exe	99
PID 5092 wrote to memory of 3660	5092	Ojaelm32.exe	99
PID 5092 wrote to memory of 3660	5092	Ojaelm32.exe	99
PID 3660 wrote to memory of 3976	3660	Pqknig32.exe	100
PID 3660 wrote to memory of 3976	3660	Pqknig32.exe	100
PID 3660 wrote to memory of 3976	3660	Pqknig32.exe	100
PID 3976 wrote to memory of 1504	3976	Pcijeb32.exe	101
PID 3976 wrote to memory of 1504	3976	Pcijeb32.exe	101
PID 3976 wrote to memory of 1504	3976	Pcijeb32.exe	101
PID 1504 wrote to memory of 368	1504	Pdmpje32.exe	102
PID 1504 wrote to memory of 368	1504	Pdmpje32.exe	102
PID 1504 wrote to memory of 368	1504	Pdmpje32.exe	102
PID 368 wrote to memory of 4064	368	Pfolbmje.exe	104
PID 368 wrote to memory of 4064	368	Pfolbmje.exe	104
PID 368 wrote to memory of 4064	368	Pfolbmje.exe	104
PID 4064 wrote to memory of 2252	4064	Pnfdcjkg.exe	105
PID 4064 wrote to memory of 2252	4064	Pnfdcjkg.exe	105
PID 4064 wrote to memory of 2252	4064	Pnfdcjkg.exe	105
PID 2252 wrote to memory of 764	2252	Pcbmka32.exe	106
PID 2252 wrote to memory of 764	2252	Pcbmka32.exe	106
PID 2252 wrote to memory of 764	2252	Pcbmka32.exe	106
PID 764 wrote to memory of 2112	764	Pjmehkqk.exe	107
PID 764 wrote to memory of 2112	764	Pjmehkqk.exe	107
PID 764 wrote to memory of 2112	764	Pjmehkqk.exe	107
PID 2112 wrote to memory of 3952	2112	Qmkadgpo.exe	108

C:\Users\Admin\AppData\Local\Temp\31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe
"C:\Users\Admin\AppData\Local\Temp\31fec5d00f3bcb82eb6f8a3b668a9e8a3d842aec996654e93817582efa18a1d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\Oflgep32.exe
  C:\Windows\system32\Oflgep32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\Opakbi32.exe
    C:\Windows\system32\Opakbi32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\Ocpgod32.exe
      C:\Windows\system32\Ocpgod32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Windows\SysWOW64\Ojjolnaq.exe
        
        C:\Windows\system32\Ojjolnaq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\Ocbddc32.exe
        
        C:\Windows\system32\Ocbddc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Olkhmi32.exe
        
        C:\Windows\system32\Olkhmi32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Odapnf32.exe
        
        C:\Windows\system32\Odapnf32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3952
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        48⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        69⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        70⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4796
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        79⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5236
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        82⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5372
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5600
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        88⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        89⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        91⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        92⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        93⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        94⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:5996
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 404
        100⤵
        Program crash
        
        PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6128 -ip 6128
1⤵
PID:5168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
64KB

MD5
e51e4516aca133b84024eccbfdca8955

SHA1
b7dda6e7f234b7a9acd0fa80016343f5e5db7bd0

SHA256
9694767f021638f5184f13f493df43bde418898e7c0a836fbc9057e6a9496b3b

SHA512
6b29797eda50fc5f146eb545d369dcb161a3c1353a711beebf2520b4e7895005db716a25af0953c9017610223af8265a8f72895c96a5bbc540172eddb487067b

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
64KB

MD5
efa210cbebb8fdc2e61e57ec8c33c51f

SHA1
5938ff67fbd590cff2c112f1556951dc55b99b60

SHA256
0debf59d61a74dcf0ef7c9abe560606fd4de2d5f9c1186023dea21c059c4d1bf

SHA512
6110834fed90c0dba219efb592f465968a40aaf9546744c2123ea3d6977db366f62d41246d02cd1ae42a589118d3dba163a45753af5d8fc5e333b93864fb23c6

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
64KB

MD5
c4ad6de4ad7120c257d6ae833ffaec70

SHA1
885e12819f726fd68b9b9680e56d2c79390c89cc

SHA256
c96fff324525ed0749af4ee7961903a4f554f563be60f97abbd2736422a90bfa

SHA512
a39834c353f58f3af3529f7496c283448717b72ec54901a8739025b26d51031bd96c88238d8bb3e8720071bad3089ba71689c326e9972254f33f21d880ce1087

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
64KB

MD5
cb1e5b5d46f39787c16779775b300667

SHA1
6a981da6fbd00947c48d627da95b6defff92fccf

SHA256
576973ef3d9a1c8297e15c0ff01b5ab81add5b5747c22eb63be9766e37cd3ef1

SHA512
2330d6eccbb617c9b39e0faf63b300e6cdc91f3875402b4d6e7c8773a8755fdf244a4720bf8f4c74aa8fa0964a82e38029d95f3be2fb9ff8f671443607d55341

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
64KB

MD5
af14dccc7b704d13526eba2ba6e96b54

SHA1
127522aec95f88d8076cd343056cc7018eb1161a

SHA256
01ced2509ebaa6e4628d2b800be1941ac9b4ad7eec48ff80def010664da0ee9e

SHA512
4d8ba09e93d907dbca166d4102b83c9caa3f3bb178fb169fb6d01d3e0084139f5d8c4bc880d17c0cd836edcdde5cbaa3d5f420d6b6fcbddc3e74940e65e5cee0

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
64KB

MD5
16e952c921446713c91f51b55e553a69

SHA1
62238555caf0f97fcf5dcd12806a0c92c87c354d

SHA256
42d891a9f47e27eea411a13e761408be49ec66ec43a86f21817c008921491fb5

SHA512
0c68d0cd5dcbc48d67fd985c05288a072c87bdcb0fe7870e1b6c200dfd2c95c65640969bb687cc3f5fa4796aa2042a42c2399499ffa353f6f162bca571a28bc0

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
64KB

MD5
332d8ff39207232efaa6fe8e7cff8eec

SHA1
1ee16064d465310ccd4041ba89552817ed1b6f22

SHA256
4d69c494280ca276fcc6153a139b5ad1d205f68b9d5ca09f7afa3462efb9684d

SHA512
8b97edc56ddbf5734cc9f58fa05b7e101d16d2d4f7c5ad05671d9b4f949dcec63fb0f8aefc402b515546d11f102068db21c134eed70d0595dd504fb2c2fe1a19

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
a2d5fd9b0e9c025053b1b4b8b66e4673

SHA1
7c834bf3afbe470697dfa90207fd72472f089954

SHA256
e63d4ee3e4f4db9ecbe4994d622760b1b4107c55a2f759fb9b688951bfbda36f

SHA512
786f000ab49245bb68c7f6a382af07fdc8efd30063afa2e1010264572f082c4ca520d3e9996f5caf2171dd560b7203bd4efa4a9963c45afef2b93a661726c6bc

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
64KB

MD5
729f133a7cf95512ba082649c40c33fe

SHA1
17b91ba2cb15a2595a95f2475280b0178bd184dc

SHA256
e08dbaf8e54ee7e8e051d4a5c1ffb01fd02afe6a4be1f3d67b6172f48b3fba61

SHA512
b7fd3e2335b1dee8207b846541e9d54f5960c44a3fe4fe0aa990241f1de66014dd9ee5c1be3a28f5bbb5cd4df24c4e20993453ae9760d2b6e709984d5e24a4cf

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
64KB

MD5
f0d470e3edff0879d27bdd43de5d4cea

SHA1
a623f8e915d7c42858e4b3d5ddc95f72ab0530a1

SHA256
a817579c409e59dfbe2c046fea24ad4f15f19408a9baf5b684644195262a3af6

SHA512
76c18665759241112a2c6fd87ea2f842ed9e291f11a7445282a0f5cab60a2b61b7c87d73472b675d026cae97fafb8fb58aaf34fd36a0f942873199a77e2e563c

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
64KB

MD5
cc059096dbd9175746d2993dea48547f

SHA1
1ac8ecb11c53056466f397dcfc32107b808e5bcc

SHA256
08fe4e07c5e9a420afad4852f21dd723ec8809444323bb4d3d8f19d1648621ea

SHA512
3304e6918279716690f0f78355e4ad04ad2312cd2c7ffc66bf575fbd0543b5e94fbecde329aa9b4519bfbf1fbc43ab83b3bde5b68a0cc127c44552db0de8b0e2

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
64KB

MD5
b207bff03c63dfea7957cbef35b742a8

SHA1
98ae5b5036aefaaf95fc632650845f6ea5ffc385

SHA256
31647cf87c4a9683b395f42e8348505be392b432a2071a8e0d4ec0415ecfcd00

SHA512
7d810a050ab75e943815a82eeb1354d89807771831737300aca37b99767cee8a21b139d24fd43cf688107f55d60829fd93cbf4781b81fb1ddcf82f9265ad0751

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
64KB

MD5
966f45cb827bad24da3b2ac806519285

SHA1
1ab5cbf041a7bb5545531b5e8e2d7036517f8a16

SHA256
ade02bf55998532d8818277806444f915d4de5e4f0d3a7d389d12c7d7318008d

SHA512
d5176e28ce08421e39027af38eea476e562a14382bd08d926bfc60a8086b19ae21d541ecc82e69a7564b4638775bba42ca18e4ca4d43bc196a2223d9ab9a30a0

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
64KB

MD5
0899e4bd2c1c69bbb5bacdd636a111c1

SHA1
64164650f125768b6e6a611180f147aac7e3af3c

SHA256
293f23c31c86ea5646536640003e4d44c7f91e8db101deec514e558d82f3c9e4

SHA512
aae2f4b0517ac72dcc3a45ab573e41a48ad89f962ce32951b6ccf3afb3dbfe245dd37defa859c1ad3a1ebcc40cfbe31280a21b41981dcbe49b44c2382d0a930e

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
64KB

MD5
3c5ff54b91f72248410db3a7b2c69bd7

SHA1
e5fbb796c6bfeb1ab1d955d148dd903f1fe19823

SHA256
8a0a0920f57d9c68a8a927cb83082a9db55a6e963c36aa8e9346d30e755baa26

SHA512
72cdee8cc185f19031bff48fbcca9422383bbcdcd8144d8c63c061ac4e283632e4088b84be77917388d718efcdea86f14177d0a8e23493979de48d52ab734f9e

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
64KB

MD5
2d63a4472d0019a4cf47bdec559e842c

SHA1
2f34a5fcfc19c94120186b663f2284f3ed05519b

SHA256
8928ed0e9248935ba363a6897f39a8653c4c44362bf533e6195cb2d3e853b41c

SHA512
ecfb9a211f0f48dc4f4b5124f7fca69d1d482fe7addee6f6ec06849eea00c17c5afd6f5ca4b4ef0c05f4824517f7f89e61cd33333e8d69e831164e5841f3dee3

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
64KB

MD5
f752d272d9441c6fa94224a4223bfe59

SHA1
f6b8616f47c5e2d741a58640a5eb515f9c64e175

SHA256
74dc901422103511dc7f2f4a01975215583187885b35d88589a0c158d5d108a6

SHA512
ecf39ab7d7d5a0b7b33abbcfd5b2588d0260fc3478f77a656c14afaf22f762ad5905f1720721980bf5e90dfecb100bf19bdc5af7558543439757627388bd3cf6

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
64KB

MD5
85a04d7232ecb41bf121dd251df78244

SHA1
0246b3ae5c4046d472286ee3cb1e0014e024f188

SHA256
a6e6e0433f754cf56985366a0276736dae3ac0c5f26e7b68759d041afc45842a

SHA512
d17dc7bbe0e866e8f8353142398e0ec58a8cd189756cc0c57139d9c432e922445f4ca78f85944f437fa67ad56fe6f0accea6cc215d4bbb0ca56df331311db1f9

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
64KB

MD5
70178ec8dde3148102ed51c47f8e4a4c

SHA1
677e436a239c798976aec742ed19ef5d5f5090ac

SHA256
42ad7b2a66338813bb048016c5ad7c6737145c706d4bbe3194e47cca21ffbdab

SHA512
8b5278d449ddb6148c9f3d822ef8e58458dc55aa70d5ca4102e1ca20d7a1c85ab049bca33629adaabc180fb7b90f0dfda77b13c0f8c85574661d3aea9bf64066

Download Submit
C:\Windows\SysWOW64\Ojjolnaq.exe

Filesize
64KB

MD5
97487c71f150a718d996e32fcfc0a194

SHA1
a4f2c3559a92171c1f74a7888b9336a5f2a6a411

SHA256
e93a5e6b3ca62fb3325aea87323d2e458610c6e57fbb478cc3744faeee348b89

SHA512
24d5d57222bbf47c2b0beec8888d5b9710f734d42b229e669123115fc8801931450bc02a42bb9607d113e7e0acf2bb9f9b550b499ce5dd47a5ec2bf83b2c038c

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
64KB

MD5
429335446867e7a76067289fad7819e5

SHA1
767fab8d4f71694c0d926f7f49e2036e74dcfa45

SHA256
67fdb27b326f7e19170bbdeebc321a2689b279cde35abff8247b08a69dfa5fdb

SHA512
a88c5fa41ff591424971398752a910e97d3dd6c182ce0720b32878ac8123ed089c19253c5bd271d2812c99d6b0143e263d787f3b0b2b8f07f5c3909176c2c782

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
64KB

MD5
031da05a27851fed36d9de04e14b74b5

SHA1
61119e8e3a7680249cfc210e87df8e9cbc02f11a

SHA256
9a3492f3f24f4d393dbd427f021aa2b425f018454154dfa2f167a47469896e48

SHA512
c3c22db6db1ecaae6940640b4453808bad50922e9a4ab8773794dce366ac57622e558fb7df8ecb4b2755c5d7f4e9907d527bdb1d54bab82c293ae9c4a07e9dc7

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
64KB

MD5
03a219462e0b0531ef2e0840b7adb971

SHA1
afe9cf00aa55534f832e77068f69c8d94939c0b9

SHA256
16fdc9119376c84b3da940855aef4c82a4987fd53502b22b3c1ff26dfbf2e641

SHA512
4369f2744b844425bdc92c8cb1b6e2e99bc4c120670767da715de014fc19531a265b92e1086101f6ff1264f70c9ac8ed3ac863785e07059d021cd3cac07176ca

Download Submit
C:\Windows\SysWOW64\Opakbi32.exe

Filesize
64KB

MD5
b7f190b86f92f9c54a20ada69ac80dd8

SHA1
6924dd22fac60dc59ba30d8360de8b106224fac8

SHA256
1d47b4e588126129c25a89f3a6d008b1d26c89616d10ac8c529a1062984b68ed

SHA512
0f9f623a09e7c3fbccebd220e5cf250553ec649b238895208b5eee5c6434aedb8cc9252373eadeebe5714b25bac997a419349476275ec5225f5db663a90c27b8

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
64KB

MD5
7b610270b20d1969b068c44a0e84e1b0

SHA1
744d9dab6b49dd89b73adc390e422ec81d913e78

SHA256
ad97ffbcd9b005b231a75dedf6d3ba73fcae50519d45ae8bb68d311b995b629a

SHA512
2aba53db0f425790ddb96ee5a3a17da3b6997057a13503325f8a3c6d8f0e66cb07f4a4ad4980d2a29d5b01381dd30be7adde9ced8cfc7df06c1cc7eab7e5bc32

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
64KB

MD5
5e8a6ef4ab10e467c0114f1f763d1dd1

SHA1
ad005e4a719fb70ca1fc0042eb8ae917ee329b36

SHA256
268cf38a631650fb0792faa72fee46b680335f5773507df361765728af8e7967

SHA512
8a238cd2572dae25341df91e368a5a8f5006173b377328793c2d1c315b6cf377ddf0f6a31af3761ca5105de7498d977e1061dd94db5e875c4535a39e15ca850d

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
64KB

MD5
be3a60980906d449f04d6ad41af265fb

SHA1
86f09750ac47eefa9ed1be46ef87edf45752d08b

SHA256
15a193cfac38f6c7c43c592e8b071f001c0b1237478146fa0c2f6884002963cc

SHA512
f7ac5a1722d6de97ab8118cdad24aa54d934d88d1e02cc1dc1af239a65a48c40f9bc17ce2062f06638ef95e236d09b4ace5f654521c640625cbdb481ea9c40b5

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
64KB

MD5
5d05a16990800d4726e1d49d05c75e21

SHA1
81f973cc82bb72765212c398c78dfd9200e9433b

SHA256
cd09616039634679879f885b9ffcff47ab748a8f0a098435b79d610fb03b606a

SHA512
8922c0a6cbeafee5359eedac480143d5a074d98f8d440f1cdc344ab071e70bdcc7bf1a1233e9ba6203222f162d4a7d24cb82193a61e61734af59412f50cab733

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
64KB

MD5
768b651a3d0c330d5114de1584a3c49e

SHA1
97f7ae800e7fde27acb4075233e4c91b68eb2bab

SHA256
f8e99fbec0f94b6f65acf82c5a680919e26ddfdb5a530eafaf70bebbf0aca900

SHA512
9aec4584eccc5ada76f2ad9144a191aa29263140912dce47b7b253c23fe1d15b8598ee36f07547fee56fb10b79a72cb8fdd6ae5df8dc57b39a4d2e6d2678ad6d

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
64KB

MD5
43ce9a918e65f0052515029ab28ae16f

SHA1
07d569fdf6759a3c75d388ccdb8342462e5ba0a6

SHA256
aeabaad9c7d82931816744fabd229e6492c0f23c08dfbaa927ec3b521aef9f5f

SHA512
322b12f19dbff23764770e073dac69259083b782a2adb682f79803ffdd3567581744195729a4aa1c808c6fd144255cc0d0ca9550fd636868104c4ffd0e66683b

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
64KB

MD5
cdb3dd5baf7e9d8397eaf263e0194440

SHA1
d3af38eee8fcd25fe09eabb4cc5b1745591a4834

SHA256
27e30cee3da64e9de16a43f617076ce09bf3b94fb2e36e044557155b558c8a25

SHA512
db54c436e98a119e34ae447a04ba3af325e4cdfd5a3e22d2088e7cb99f31da2500fb3d76e3de418fe8ba543a87e8262deedb864b3d25d9ba2a9c76a39ab69837

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
64KB

MD5
4b415768fa8bd0352791e41774693f24

SHA1
c69b0a2f9cd4e5116ced9bd0a62276742cf60679

SHA256
df8f9f06b06d9baa866dd63e2783781f13e17b9205b5651908c93e2c045a5a79

SHA512
a6a4bd2be05cc425d5214af3f4c229a150f7f9a243ed70ae32afdfdb94450c418ab51359a054a556bcaec5ecafe6d629a0bd7efd38d8150de59686bb6e5968c7

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
64KB

MD5
62f1d7dc8d775282b80a3a6b666bef34

SHA1
542817c3c4b034c45e2f095ea049aa0c6e05896e

SHA256
1dda3ef14c4086e016572bc44e8e580bac492b71534ad774b931a4577c747bbe

SHA512
aeb204d1489526efca4d05d5dfbcf7318319655c6986cdceb96aa79af02fe408bb82c47984e0c6d397d9441c0b6f97c6614d52521c69d447d6b6e3829b3039cf

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
47dff9a8097bfdcf364afb19150ed490

SHA1
a8496e596806c7b0c74db6daf363cd41b99c56a0

SHA256
3f8fb26e63481359032fed2e4a715517020552a4233f23d44b4ac345c4e9ebb6

SHA512
586064445541f41bc6f6db934589672ce99c6dfda656120ed260b6afc31f316ab6855e5b6d42916f67a5b6720c4380dc02275884fa93a517ab34f585fe44972e

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
389eb554ff7bd82612940b29a3a05cc4

SHA1
469645d0ed64b708deab85302d331d65f0aef802

SHA256
a04a57b0d2ee01600b147d880cb3a09ab27fa4a38e77c026aa727fbbfb72f373

SHA512
fa6aec306f8de003b4e4aca3feffeaaf3919b14860f43fe6d8d21c653c4643bdd67e33d0f2a5a4edaa37357dfb91718f6f110e29b580b5f283eb14f33eac37cd

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
64KB

MD5
6a934228296114a3cbce232f88a9fea0

SHA1
0e2a14dee6b151c30af5db3a9befe25d0570e8fb

SHA256
dea5b4d9cc3a639880794144dbcddc4037185da2d0809b592c3e6910806d9ab2

SHA512
c9606da4396b092640493995804c3764bffbfcfea27ea11b632452e78f16cad487d4435b8161b6bd7958e92c0c21b9d37a265b15c6431b31bdd610deeb5f4e91

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
49e5d4fe2ee69f926ecbfa832c2309e2

SHA1
c639c9c365618288e50dd493f53fa514bf7c6b8e

SHA256
81dcf0c0c37b64f08ced346089d761c7f69b2748874fdce899ec3646cd18bfcb

SHA512
bad0be1516350b3a1e66e398637b6096949334f150662cd4889b5853cdf41b02b152fb5a5cfd6001aa090054911afc2ed52215e4576edc34ce6ef3c87bbc76f3

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
64KB

MD5
2b2ea30827abbe886c248c0b9f842894

SHA1
dbac282b627f1902f1d26d2fd2b827465f2837f8

SHA256
04f11cb69df9d8e2009bfa56ba957beba2aba1408986fc662b77d0bc8bd3108f

SHA512
573b273c5142554d97cf7253df74b68b462eb78fe2dcbd4f400707599b91889e0889e95d9528fe31ac52d829deb56d66cea69b38288928f98094267b49a34733

Download Submit
memory/368-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/904-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1136-561-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1728-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-589-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3124-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3180-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3616-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3840-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3952-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-748-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4176-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4352-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5156-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5192-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5280-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5324-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5540-576-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5600-583-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads