berbew | ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68

Analysis

max time kernel
92s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe
Size

67KB
MD5

385acb2ae9c186c97daf1b30cb4979a5
SHA1

324936b5d470ffeb51c6c32f33b3e6a791bb7e31
SHA256

ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68
SHA512

e0add31fa9419f13693dba0cd80d0cfdcef48713903f5f0fd8ea4fda0631cb2ae0c3e04bcc1a7b99eae0210c714bb01a4aca2a1fa8bd70bed9b4306dbfdcd035
SSDEEP

1536:ZnzgY6Ft9jZSxRGwSaJEUm5x5sJifTduD4oTxw:BkZjwPeTsJibdMTxw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogbipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdifoehl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 64 IoCs

pid	Process
4476	Oqhacgdh.exe
2312	Ogbipa32.exe
5004	Pnlaml32.exe
2644	Pdfjifjo.exe
3616	Pfhfan32.exe
4844	Pnonbk32.exe
4236	Pdifoehl.exe
4312	Pggbkagp.exe
3468	Pjeoglgc.exe
1780	Pqpgdfnp.exe
3412	Pcncpbmd.exe
2000	Pjhlml32.exe
1304	Pmfhig32.exe
1720	Pjjhbl32.exe
4196	Pcbmka32.exe
2812	Pjmehkqk.exe
3728	Qdbiedpa.exe
744	Qjoankoi.exe
208	Qqijje32.exe
1888	Qcgffqei.exe
3172	Anmjcieo.exe
396	Acjclpcf.exe
1476	Ajckij32.exe
4120	Aeiofcji.exe
1252	Afjlnk32.exe
4012	Amddjegd.exe
4140	Agjhgngj.exe
2688	Andqdh32.exe
1144	Aeniabfd.exe
4980	Aglemn32.exe
3268	Anfmjhmd.exe
2288	Aepefb32.exe
4344	Agoabn32.exe
4396	Bfabnjjp.exe
1816	Bnhjohkb.exe
2280	Bagflcje.exe
2120	Bebblb32.exe
4380	Bjokdipf.exe
2512	Beeoaapl.exe
3636	Bgcknmop.exe
4080	Bjagjhnc.exe
4900	Bcjlcn32.exe
2016	Bmbplc32.exe
2552	Bhhdil32.exe
1784	Bapiabak.exe
2344	Cfmajipb.exe
4860	Cmgjgcgo.exe
116	Cfpnph32.exe
2968	Cmiflbel.exe
3320	Cdcoim32.exe
2920	Cagobalc.exe
752	Chagok32.exe
2132	Cnkplejl.exe
4128	Chcddk32.exe
4876	Cmqmma32.exe
2492	Ddjejl32.exe
4524	Dfiafg32.exe
948	Dopigd32.exe
3628	Dmcibama.exe
4568	Ddmaok32.exe
3944	Dfknkg32.exe
3544	Dobfld32.exe
1464	Delnin32.exe
2276	Ddonekbl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Pjhlml32.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Pnlaml32.exe	Ogbipa32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhfan32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Nlaqpipg.dll	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ajckij32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pjmehkqk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3416	816	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogbipa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhacgdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkbljp32.dll"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogbipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaqpipg.dll"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjinlko.dll"	Pnlaml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgldjcmk.dll"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4476	4676	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe	82
PID 4676 wrote to memory of 4476	4676	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe	82
PID 4676 wrote to memory of 4476	4676	ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe	82
PID 4476 wrote to memory of 2312	4476	Oqhacgdh.exe	83
PID 4476 wrote to memory of 2312	4476	Oqhacgdh.exe	83
PID 4476 wrote to memory of 2312	4476	Oqhacgdh.exe	83
PID 2312 wrote to memory of 5004	2312	Ogbipa32.exe	84
PID 2312 wrote to memory of 5004	2312	Ogbipa32.exe	84
PID 2312 wrote to memory of 5004	2312	Ogbipa32.exe	84
PID 5004 wrote to memory of 2644	5004	Pnlaml32.exe	85
PID 5004 wrote to memory of 2644	5004	Pnlaml32.exe	85
PID 5004 wrote to memory of 2644	5004	Pnlaml32.exe	85
PID 2644 wrote to memory of 3616	2644	Pdfjifjo.exe	86
PID 2644 wrote to memory of 3616	2644	Pdfjifjo.exe	86
PID 2644 wrote to memory of 3616	2644	Pdfjifjo.exe	86
PID 3616 wrote to memory of 4844	3616	Pfhfan32.exe	87
PID 3616 wrote to memory of 4844	3616	Pfhfan32.exe	87
PID 3616 wrote to memory of 4844	3616	Pfhfan32.exe	87
PID 4844 wrote to memory of 4236	4844	Pnonbk32.exe	88
PID 4844 wrote to memory of 4236	4844	Pnonbk32.exe	88
PID 4844 wrote to memory of 4236	4844	Pnonbk32.exe	88
PID 4236 wrote to memory of 4312	4236	Pdifoehl.exe	89
PID 4236 wrote to memory of 4312	4236	Pdifoehl.exe	89
PID 4236 wrote to memory of 4312	4236	Pdifoehl.exe	89
PID 4312 wrote to memory of 3468	4312	Pggbkagp.exe	90
PID 4312 wrote to memory of 3468	4312	Pggbkagp.exe	90
PID 4312 wrote to memory of 3468	4312	Pggbkagp.exe	90
PID 3468 wrote to memory of 1780	3468	Pjeoglgc.exe	91
PID 3468 wrote to memory of 1780	3468	Pjeoglgc.exe	91
PID 3468 wrote to memory of 1780	3468	Pjeoglgc.exe	91
PID 1780 wrote to memory of 3412	1780	Pqpgdfnp.exe	92
PID 1780 wrote to memory of 3412	1780	Pqpgdfnp.exe	92
PID 1780 wrote to memory of 3412	1780	Pqpgdfnp.exe	92
PID 3412 wrote to memory of 2000	3412	Pcncpbmd.exe	93
PID 3412 wrote to memory of 2000	3412	Pcncpbmd.exe	93
PID 3412 wrote to memory of 2000	3412	Pcncpbmd.exe	93
PID 2000 wrote to memory of 1304	2000	Pjhlml32.exe	94
PID 2000 wrote to memory of 1304	2000	Pjhlml32.exe	94
PID 2000 wrote to memory of 1304	2000	Pjhlml32.exe	94
PID 1304 wrote to memory of 1720	1304	Pmfhig32.exe	95
PID 1304 wrote to memory of 1720	1304	Pmfhig32.exe	95
PID 1304 wrote to memory of 1720	1304	Pmfhig32.exe	95
PID 1720 wrote to memory of 4196	1720	Pjjhbl32.exe	96
PID 1720 wrote to memory of 4196	1720	Pjjhbl32.exe	96
PID 1720 wrote to memory of 4196	1720	Pjjhbl32.exe	96
PID 4196 wrote to memory of 2812	4196	Pcbmka32.exe	97
PID 4196 wrote to memory of 2812	4196	Pcbmka32.exe	97
PID 4196 wrote to memory of 2812	4196	Pcbmka32.exe	97
PID 2812 wrote to memory of 3728	2812	Pjmehkqk.exe	98
PID 2812 wrote to memory of 3728	2812	Pjmehkqk.exe	98
PID 2812 wrote to memory of 3728	2812	Pjmehkqk.exe	98
PID 3728 wrote to memory of 744	3728	Qdbiedpa.exe	99
PID 3728 wrote to memory of 744	3728	Qdbiedpa.exe	99
PID 3728 wrote to memory of 744	3728	Qdbiedpa.exe	99
PID 744 wrote to memory of 208	744	Qjoankoi.exe	100
PID 744 wrote to memory of 208	744	Qjoankoi.exe	100
PID 744 wrote to memory of 208	744	Qjoankoi.exe	100
PID 208 wrote to memory of 1888	208	Qqijje32.exe	101
PID 208 wrote to memory of 1888	208	Qqijje32.exe	101
PID 208 wrote to memory of 1888	208	Qqijje32.exe	101
PID 1888 wrote to memory of 3172	1888	Qcgffqei.exe	102
PID 1888 wrote to memory of 3172	1888	Qcgffqei.exe	102
PID 1888 wrote to memory of 3172	1888	Qcgffqei.exe	102
PID 3172 wrote to memory of 396	3172	Anmjcieo.exe	103

C:\Users\Admin\AppData\Local\Temp\ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe
"C:\Users\Admin\AppData\Local\Temp\ded489ea62e8082b37a87e24ba9dc454b33435adc9ea28b5aca968d95c353d68.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\Oqhacgdh.exe
  C:\Windows\system32\Oqhacgdh.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\SysWOW64\Ogbipa32.exe
    C:\Windows\system32\Ogbipa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\Pnlaml32.exe
      C:\Windows\system32\Pnlaml32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3636
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 228
        75⤵
        Program crash
        
        PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 816 -ip 816
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
67KB

MD5
c7d32d7899e9fa9d10e5ae9eb33d9ecf

SHA1
21ff9c27ebb7e258292d59760bcef1e484d017ca

SHA256
24d7938af443518b660f719b2f83dca47a089f92f168f67d4d00c8000ade1e05

SHA512
345a52b0144fdf6d30903560ba3d95a5ee7171537dbeec3cf9fc1660e403377cf1d2e013ff1d74be70f32ff1112af41736731bca6dcd4b6398a0439258c02058

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
67KB

MD5
bb5b0c5ce10a63489eb56a091bdb6b99

SHA1
37625507e3fd5bdb4efce384feb681bdde235835

SHA256
36df8dbe0e169727e810da717a5acb887a05d45be9520bb7f25c3fb3156096fb

SHA512
3ba7fc6349da206e2b1e4229bb9b09dffb6610c009b5404fa2b6a0c08fbe7c01a5d8b6caa8d5e638f61b7e57ca631e5d51eeae574c998a2e79d0473068234b6a

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
67KB

MD5
1ef71368389e555b6c9cd0e30caad641

SHA1
0ff6bfd3d57a5222165056553943d23887d50446

SHA256
6d126d6f294f32cdf3d6b9ce18325833fbc84311bec7ec4df445b6a6a795e0a9

SHA512
42cfe53f63fe2de449e278ff7e5b3619405e3a05318ff4181424ec9f90da96ff143b500f32c1c857046b24d432e987522d33e45ac7cf33655d2e480e94123d8c

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
67KB

MD5
9c04f60b1d516f3be266775249d12144

SHA1
3c061df17680acaea0ee8bb993d0b23de322dca5

SHA256
56dec47ba8664f6f4529bb9c5313b1430bd732567569c61df7b36d5b303b9470

SHA512
6ba29b71954e5829a779625ec99294c970fc56baaf2f3ac11c3318bf69b2dd04a8546189185eb511b248376e55d689ac0f1a717aacb7dddb96fc3be89bd7afe4

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
67KB

MD5
ede0875b12edeba0e8d40a6f1f62a554

SHA1
5e506ecc4b1d53274e6f0e62bf74013477d33da5

SHA256
deb674ca10cea7fceba0f7e59e4765420a31d47fa718e2a8e3dccb6efd083d23

SHA512
6658402d825f04684a4b0b58a8837c71db3ff6235c6797c706925d550e0fe770ddf96b3036ab1b89ba93704dbdb3c69ce6c65e0840fc305ab75c785b3116f0f1

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
67KB

MD5
3fefc753c2e1e587895a02b72821758a

SHA1
28f6f353aa2b7836232dbad4f679f1fca7d0f95e

SHA256
0e3c4baf579556b391124d06ea6d6b72731e20ce5a0d6ce8b7765814e8da0577

SHA512
76b499ab29b34bf968149342168e69e1f429edc9a02f910e42672207c6a8dc448b9fdd395bf6c3999b849ca25acd4093e842b320d06671844321b38f47ea6b51

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
67KB

MD5
d6df63ec02e0854e359074f4d289f1e3

SHA1
37223605474c8f7e8462c4957fb872a2fc3b8251

SHA256
a7f5b5a960a894ba2b249d7be84595019f0dcfce3958341e2c2a261ca5168731

SHA512
e42b5145245a3a775888b55e67fb6a82ccbb1d0440636dc08f8c5d90966cec154f3c82e28b8ccb6f108215adfce74f10488ccfeb71b87dc180bcb744daad5169

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
67KB

MD5
3cacabd7cbc03d5e26ce4dbe956eb6c8

SHA1
5d4be0689d9e78922b4528419be909036ca596f8

SHA256
a33778645653c765ac0e8c0ad499e3994285d3e8b014991af32cb2aabe02b383

SHA512
a4aeb412d095bb8ada96f27c6349180644f37a4c53936253a597be5b4158299ca7f225b552cc92882a96de08922b82723ed11abc3dbdf9c8cbd398fc45d6c889

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
67KB

MD5
e63c9d48005f2a52910bc8c39257c5b7

SHA1
f5e2448ffaa701f0063793401c4e1864f9be13a0

SHA256
28a86fa56710dc9a1455566021b22c80c54da17e0aae3b98a4eafefad70ab1e7

SHA512
5bf88f89fb527225f8be881e76c8577437a97bf61d7719a1b54d8d6d48f9a0d3462c0e9f76c07e3d1eb5ea2980c745858e470c3915ff0784c8c21eca81e869fa

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
67KB

MD5
ebcfcf45f6be242ed085eedd428f0860

SHA1
47aecdfc1fe6c5f6f5fa49cbd3ea493c6a06065d

SHA256
ab389c0f9a60abb6e147680b8b0f995cff021fe71bca24e191b9ef9788fd6451

SHA512
7ab0818355df1676b69ab474322733753465540d48db33d3cb2bfdfe0def98ec6e32aec0337f37dab674e118e35303be04da19ba1e42c13bd5524eef8dc79b1d

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
67KB

MD5
e10d96d167ba9c1fe7f207aefcee8278

SHA1
4dc05d3fd6d6c8a828c24dd6fac4a6e12cdf90a7

SHA256
185d44a9e40f235f08a89da5cb335c2bb8f03392f9d8be5750ac14ced1febbff

SHA512
c40e2eec3138c96cd0e23aa61249430bfb379f5f9808f67f98c68a9fe9e9242a913d14834df901266203cfd9b8ff0659c6ae5c750d9ad02f59dabfaad1f5196d

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
67KB

MD5
7bea2c531dd9da9d7f3f7676b3ab86cb

SHA1
e4a7ff8568743974a89ddc6101d5c936812ab8c7

SHA256
1d41e8c92ab4bf96ec67ca969d6439738e008457ec0e3a883f66a39c1cfa5836

SHA512
f6d22a5372be8dee967079ef1cdfe53ec74481d9493375fe33fb0b37819b4f774d7087e6e9d72715c057c5b919e658c80107c5ec2bf7c759448000482ff6380d

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
67KB

MD5
32b63c45d52be18288673f6a85775c69

SHA1
b35414474e892f5490c945e49df9fbf09438c301

SHA256
b8827e09825955dff42c9f6fed21baaf453caa9b40568b68f60c57656c0f2a61

SHA512
9737fc925c04d11e82926cdd80c3e7b7d1061783def9fe976c25eddaa6ffdf7a1bfada931834bf6fac845f029bf3e7efd93fb7a7ab00f4680f825f808eeb7290

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
67KB

MD5
ebeae5ad9e2c147a7204a806e743e8d3

SHA1
50f75393085f24a39cf06887702c54e38f702501

SHA256
68c1a5d1e04166556881cc7192bff3c308f81994461f5dee6e46ebe59b1af835

SHA512
f1e7165ab6c3275992ae1b1ba7c1960241d122924d9a1d2c7c638245e994fed9384751a046b1b61f2cb7270e4e5abdadaf8d2609489348fe712cad88f9cc06e5

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
67KB

MD5
79b83d724ee57c013f52ede9c6b1a0ce

SHA1
e1283fef2b31f9731d6b10a3242c0eab9c52d4ba

SHA256
0118ee71791ed34a3c1ca652221bdb7342572af273830031c373de964de74134

SHA512
fd911fa4bf5c1da4b6f831346a693a883f3f5eed194622616cd6a2bd918fd62b61f9efe0a617a208e856ff6a6a561b5eef66b341d6d544ec564d578ace367551

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
67KB

MD5
9721b9caa783dee66af4c0f5a467490e

SHA1
50a4d19e2ecd9514e56f78844accc03aa96c30f8

SHA256
86b89ddd272f127d0405fd3635657957126b412eb8a83f2b9e8cb26611bcecab

SHA512
f5e3382c89bd67c9a470031054bf221b0b5f0591fd7c13fe8e043586fe4b0b3fd5b8d0e38c35df930da1766453d9207b04bc986fef958c0eb1c69121aabb9bb0

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
67KB

MD5
a5b7e1c327ec1c9c850f104590379eba

SHA1
8c697c4f9f981d72cae651bc6c9b25c432119ec9

SHA256
89f00487d63fab7f8e12f673d042164d8ec8aa1313d752404c652d372cf273a5

SHA512
2d44fe76af55e21625e42da0499fa2fad929cf6460983363324052e5c4cac151dbbbf16ea53cc3a38954a8e132927fdd2cb08e43c86df53f6eaefdb4cf1fb7c5

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
67KB

MD5
77ab20f0ec97893bc9856525810b4348

SHA1
4e7a4788831c4aa37885a5ea08b504d4fbd58c59

SHA256
8c01e55d67c483ef4e161af3665430dbf9eb0a1bdde3ff19fa99c7c069964fc0

SHA512
a9ae1a9464e6d4fcb76e2bdc11162d7421df9161fde38dea60d0cd42566dd3f3d219b2978b83077ca1cea5859af8a07f18ececb256d8eebddbcc4ecc7dac5aee

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
67KB

MD5
69472720ba5b2a90e04be98bc493e41e

SHA1
d3844cce02f991eea04e453b4f4e7f59dec68540

SHA256
e85150362849d72a3b51b0d2b6cc717707935ed532bec28cb4bef39722a1a2c6

SHA512
859ef1bcea19497515bd1ac508ce77ec66302a766dbfe25f2ffe48bbe79709a26405f8de355ee58fcaef949b6e2eedfa69203a358d526a4cb1ddef0c0f4bee7b

Download Submit
C:\Windows\SysWOW64\Ogbipa32.exe

Filesize
67KB

MD5
5d1e3e98ed09e6950b6a194126ab5e96

SHA1
6d531c3d7366c482316f26d82f8437ecc214d805

SHA256
11aa6aa49b3279f2ac294629d995375914d7b9842fb6cbe59d8d8fd416d28b43

SHA512
91dbe681c5230379e65a996ef4c6837da8c5abe4b7cbff295d21bde88f35ea3ba7369f2406be9c18f02345d0c40da3e21ac4545d2ebafd15bc06c8d3a3c19e94

Download Submit
C:\Windows\SysWOW64\Oqhacgdh.exe

Filesize
67KB

MD5
7091f83cc5907bc59b6b4fb5357a3827

SHA1
ab6a4e2a9da8fae45ee2443c5ec5132192256b48

SHA256
4ce450c6dec5213275caeb5eaadc0d684199381ae2cdc35767394d5df3b442ab

SHA512
356617d27356e238e5a835e2462889e561a15137de6265ddc60ef83017bba25f565351a724b7afdb4d37a4ed4b73366ef0693f0410cf88397baac1ba0ceb6e80

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
67KB

MD5
53a11ebe6ddc38330662a4acefb3a116

SHA1
144ff47fb08b1d90e2096ec07f31ff01f5957e63

SHA256
e9bfef3102f57da563540ad92c38b61515ba9f03125a71228660b0d6b570c984

SHA512
bc1a34a82058270a4a2c3d72c121a26d6fa75d2bec22d6469b56900333351f4b0683648508f25417eca00ec834319f461e85b79016c8a2f20b069b8a30db1c0d

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
67KB

MD5
d82d2a48c5a3e67919b73bd93944b02b

SHA1
1ec82b4dfc38d5d6dd999b66a386f79e7bffff3d

SHA256
f78cec8d65775227bad11f8c36a5c217c96151b8c1222987fa8360c693a885cd

SHA512
843c2f4327ce1475a2393a93a9f4b69280e2bdb04f8996db858638136f1f3b13fc1c3f2c22bac70868740d26fc5849e9b61f415b047117e3b9f989e3acf36603

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
67KB

MD5
257b6abc114fa6d7304ce789e4fb752d

SHA1
2df8e3406729c3b91701f8f92d46fdc8612b14aa

SHA256
8b7e17bd4f99fad23ae20be64226ecf2b90ab26a60ef5f1651cfcfdaf43f7fa0

SHA512
f6d1e9d096de6e32a99ecd4dd78e19adf83722682c9d4f525d949275a8b93278d4c3102efdc2097c8a7cfe5e35983695b38c8d4aaa38ab8940a3eec1f2745413

Download Submit
C:\Windows\SysWOW64\Pdifoehl.exe

Filesize
67KB

MD5
10690a51d348986f5f47ee59fcbbcd99

SHA1
2d1b1a82499b61da5f787c3a617fb2a07656f093

SHA256
e83a657601f488d9fe87525dcf4e507e368a4a670e7d9c64321741f2c15fbc5d

SHA512
8b3b51044ce1862179e66f9263600084bc81fbc55299e79dd64ad82a1a0522fa13f25a64d163600b1fa0c7079e1befe5d5064568dceb3a9ae352e39ffc67be03

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
67KB

MD5
ed2bf06795741e1aa36d45147e20525e

SHA1
29b83adaba69b71f14131c04b2c49e96c1a4f1d1

SHA256
c42f3365ebf8acc9660c695cecbd293184393af6152bfd0e09b3a385f31dfecd

SHA512
532809e6ce8b79a3acbe6e42a420c3fffd5bff3151016b6de4c72bdad5ebf1f954d3d6cc99ca0918d95774e5a2a3176cc3825c55a362f517080825aa11dc2dfb

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
67KB

MD5
4e97623b9c48a409f1e0f2513b3244a4

SHA1
7a2d060c9857c401f8e01c93884af718ad52a9e4

SHA256
f8b895deb051c7fdfebe4d795e3a50cb97b19589d2b6f4213381e8cedb93bbb4

SHA512
602d12ad5bee87b5802f32fd7503d445aabf2695ca49b9c72aa1876a653dffa39edd1ccc09f550ea5a33983e14fcf23ace910c10cd7e72302bc0524b8435ea25

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
67KB

MD5
9f9d37b03645161173826228808bf905

SHA1
7aa2c16b03c41d8770eb901077bbe9880d5d018e

SHA256
114e1c656aebab4036a8bb067599ef3626316b5f4aa9dc130e5f2356b915fec4

SHA512
edc8835f00bb80cb81de3b4ee4bf4758e3dd84c493508c1848310c4382dba7b6b66e84f5e7042a6ef2715f0922b85a5464fb11d9d308f96c05fc0746d627438e

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
67KB

MD5
97b28e4d3ad180574e74939d19312c1e

SHA1
4f820f7a28051229b286c767b8faaf828c571a52

SHA256
cfda2b054f7333e261b53a608e0240728bcfec9ec96a42e6a1bae31c64c33373

SHA512
b8dccc2600db82a8d4c2dbaa844ef5599466f944dcdc4f72bdabf39536a0a31df1e9f96b102579d383d2f59a5638720253ca54ee3da9af86e6ca68b0bf7e93fa

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
67KB

MD5
437b42a72d0f47f9fcb8b69cbf8ad484

SHA1
e4de45976402d5b7af3f37ee649ffe3c96e49367

SHA256
416ae5f1f3e15fc7fe7546866fa7a220c555da196053b08c98a421a8a3aee08b

SHA512
ca1f5c0a7da480797dde615000a12f0101ca8c872ee985d81fa2d9e351a27b2ea73e7db9e4f518c6ad2d2dae2956cf817ce914091c6461a05b05a7ea50d4707d

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
67KB

MD5
4cd310ef3f89b4399aa54bfd67a703b0

SHA1
b7ac823882d98ccde56e17d0528db8ed487ca8a3

SHA256
aae085c035de40929636e73b312c3775403cc191b61ea94a5ac1cdd781f5f36d

SHA512
bf019bff729af0f172feedade7ae64fac47f8f4c89a8293c08ae8979d6b98c81e63f02be373b1cc96ddac3d482e0003d663cfd7f2cd4818077f7aa759435ed26

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
67KB

MD5
327a044f045c3ea882e17e10985b16a4

SHA1
083f022df3783b0471e12e9ea33ca4a455427e62

SHA256
4ef9faf84e17c0978701569be37b1cf9c79db95a8fdfce2de804c3427bf49c7a

SHA512
244978e02bccc5c1dbbb1f8db047cf8ec83038d141c3a207e9cea2d8b698056c5d79fb54b45153f345e56554d856ddacc179db7f1062b7eeb0a537256683d3bd

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
67KB

MD5
ef4a223f45bd8a3b38b27bdc68775d25

SHA1
83c64bbd9ff53333abd5d6e8758c64abfaa8919e

SHA256
2c6d7a6bdbcd673f3f242da27e38e88d3d96a7c71b96e2b1ee460a1452081f2d

SHA512
802a0ed273305fa1cfc6a63c9c334c5f2dbfef6902e2df4d8895cf5ccdaa9fb0e90ece34916e533a2f580d44e372e247ce0e591292e05fa1c43229893bd1fd17

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
67KB

MD5
03a0e119e82d45cde68a2f7060ecbe37

SHA1
2952d0f67e5f2e2d151cd5798f36a50bf1a995d3

SHA256
02b022814efa574bd660a517eecc5cf69ac2ef18c955c768c7d6c5b968751942

SHA512
5ccc637f27d7c2bbfc740105c089e4bf05eddb84e867191cfbe954c3c30a53793232e89ab5456976b5a42e6fa06639d1caa6ba0b4c84357bea13de037f5b49e6

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
67KB

MD5
bbb3e1ba3746b7e75f4d21376e009b63

SHA1
c03b1b2172ca29c826e3f6f4d3c68c6c7d6c8a1a

SHA256
ca972f5f8362dcbf7e39c7ad9e86de88c8f9da388fa918c05ee2c25ad87c5cce

SHA512
3a96d397bf66d311873756317c3176fdea85cb3c60a9590932637b186d6db2a10ef346c2eb1a93784d4e931344cc5714f2078ba890abee34e49fd97b1aacc4fe

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
67KB

MD5
3e202c1b597ee2e53731054e44c4de70

SHA1
6aa80f280dc8955845b7830256cbfb218bc85613

SHA256
c624fbb2090c3265bd344c907f05e8971735da46b01cc041821cd2014b21f5a7

SHA512
c1612a52778171e3f6d8247c05ba97ad9f0e65df1897a759b4c1738f2004ee31fe6d14a87f9432f985730c46706f0b7dacba5d1e7b28e8fa39cf4d152a0d134a

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
67KB

MD5
4e1d2fc35314b66a590e31b4123f5242

SHA1
2c57e2d4211664b9507c4124322026f6b9be6d19

SHA256
fd2d068ab0dcaa0a371f8b7de12f79b4038511b7cfe502dfdc1dc1eb6bd9cfa4

SHA512
a7ad0fe318b16c3c9425d23b52474dd922dd2b4dd968a87495334dc9c748f1c1d862de54de9c6c83a67d8786c08bab165040fd1acebfe797ce8872b30c9497dc

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
67KB

MD5
a701c696a8cbeb992c84ad6f3b73a7e2

SHA1
5d2dff2cdc0f9b666ea757f156be34d94359bd1c

SHA256
b71272658f23ff65e68c7a1cd82a0e56473348b0fcc5fcb089567c1e32d9d09c

SHA512
e631b52340610d785ea70fd67292388a66438fbd1f76b3f8f62746ac5d092dd88472ea2608aba0ac7326bfc41f14c80b870089e53bc45d54dcf19c478f0d5bc7

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
67KB

MD5
97b307fcbe771c449ef45dac2758cc57

SHA1
eb8b72430064b07c24f2b03740f4a9ed800214d7

SHA256
9e30e9722ba2e213d593d72972e7519598c7b883533853ead75db582e542a1d1

SHA512
59ef4c785eb392320c13bbca26a829bbe93952b3f27e56ca94c65ec9cc180050931549feaaea4ac239646c55eb73222164724ef2a10c37ac6e07639a684d0281

Download Submit
memory/116-387-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/208-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/208-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/396-277-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/396-188-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/744-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/744-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/752-415-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1144-327-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1144-252-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1252-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1252-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1304-107-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1304-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1720-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1720-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1780-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1780-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1784-368-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1888-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1888-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-421-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2016-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2132-422-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2280-311-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2288-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2288-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2312-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2312-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2344-374-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2552-428-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2552-362-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2644-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2644-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2688-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2688-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2812-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2812-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-408-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2968-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3172-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3172-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-270-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3268-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3320-401-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3412-178-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3412-89-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3468-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3468-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3616-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3616-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3636-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3636-400-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4012-306-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4012-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4080-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4080-407-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4120-207-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4120-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4128-429-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4140-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4140-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4196-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4196-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4236-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4236-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4312-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4312-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4344-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-386-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4396-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4396-361-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4476-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4676-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4676-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4844-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4844-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4860-380-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-414-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-349-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4980-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4980-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5004-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads