berbew | dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2024, 08:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe
Size

337KB
MD5

a0edcc479947eb8d14d629a96547a370
SHA1

6786216a46c0ee2e7125ddd5390cb01a07b39dc5
SHA256

dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406
SHA512

76f765fb687efb2a91f709889ed3af9830b9b14a2e5eae6e9724551fb80d90bca38c716b350fda0fbaf1c1f4ffc683ee4bbd009a63a27d2485124ef03ee4a69d
SSDEEP

3072:g6mJNmpgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:gNmp1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcijeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgioqq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcijeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
1724	Ocgmpccl.exe
3344	Ofeilobp.exe
4924	Pnlaml32.exe
4684	Pqknig32.exe
2248	Pcijeb32.exe
3396	Pgioqq32.exe
400	Pmfhig32.exe
2948	Pcppfaka.exe
5060	Pnfdcjkg.exe
2428	Pcbmka32.exe
2340	Qnhahj32.exe
856	Qmkadgpo.exe
2168	Qceiaa32.exe
3348	Qjoankoi.exe
4908	Qgcbgo32.exe
1036	Ampkof32.exe
1212	Adgbpc32.exe
3424	Afhohlbj.exe
396	Aqncedbp.exe
404	Afjlnk32.exe
1912	Anadoi32.exe
4960	Aqppkd32.exe
4424	Acnlgp32.exe
2208	Afmhck32.exe
3000	Andqdh32.exe
512	Aeniabfd.exe
1476	Aglemn32.exe
1560	Anfmjhmd.exe
4940	Aepefb32.exe
2076	Agoabn32.exe
4344	Bmkjkd32.exe
4592	Bagflcje.exe
2616	Bebblb32.exe
1892	Bnkgeg32.exe
1568	Baicac32.exe
2644	Bgcknmop.exe
2368	Bnmcjg32.exe
3488	Bmpcfdmg.exe
5036	Beglgani.exe
4540	Bgehcmmm.exe
2588	Bjddphlq.exe
3728	Bmbplc32.exe
4496	Banllbdn.exe
4920	Bclhhnca.exe
3560	Bfkedibe.exe
8	Bnbmefbg.exe
1464	Bapiabak.exe
2044	Bcoenmao.exe
724	Cfmajipb.exe
4076	Cndikf32.exe
2220	Cenahpha.exe
832	Cjkjpgfi.exe
4616	Cmiflbel.exe
684	Cdcoim32.exe
1956	Cjmgfgdf.exe
4596	Cagobalc.exe
2388	Chagok32.exe
3900	Cjpckf32.exe
916	Cmnpgb32.exe
3164	Cdhhdlid.exe
2488	Cnnlaehj.exe
4904	Cegdnopg.exe
4452	Ddjejl32.exe
4436	Djdmffnn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Halpnqlq.dll	Pqknig32.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ocgmpccl.exe	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe
File created	C:\Windows\SysWOW64\Pcppfaka.exe	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Pmfhig32.exe	Pgioqq32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Ofeilobp.exe	Ocgmpccl.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pnfdcjkg.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Elcmjaol.dll	Pgioqq32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Adgbpc32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4792	3504	WerFault.exe	163

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcijeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnlaml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnfdcjkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqknig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Halpnqlq.dll"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpbkoql.dll"	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pmfhig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgioqq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofeilobp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1724	1832	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe	84
PID 1832 wrote to memory of 1724	1832	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe	84
PID 1832 wrote to memory of 1724	1832	dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe	84
PID 1724 wrote to memory of 3344	1724	Ocgmpccl.exe	85
PID 1724 wrote to memory of 3344	1724	Ocgmpccl.exe	85
PID 1724 wrote to memory of 3344	1724	Ocgmpccl.exe	85
PID 3344 wrote to memory of 4924	3344	Ofeilobp.exe	86
PID 3344 wrote to memory of 4924	3344	Ofeilobp.exe	86
PID 3344 wrote to memory of 4924	3344	Ofeilobp.exe	86
PID 4924 wrote to memory of 4684	4924	Pnlaml32.exe	87
PID 4924 wrote to memory of 4684	4924	Pnlaml32.exe	87
PID 4924 wrote to memory of 4684	4924	Pnlaml32.exe	87
PID 4684 wrote to memory of 2248	4684	Pqknig32.exe	88
PID 4684 wrote to memory of 2248	4684	Pqknig32.exe	88
PID 4684 wrote to memory of 2248	4684	Pqknig32.exe	88
PID 2248 wrote to memory of 3396	2248	Pcijeb32.exe	89
PID 2248 wrote to memory of 3396	2248	Pcijeb32.exe	89
PID 2248 wrote to memory of 3396	2248	Pcijeb32.exe	89
PID 3396 wrote to memory of 400	3396	Pgioqq32.exe	90
PID 3396 wrote to memory of 400	3396	Pgioqq32.exe	90
PID 3396 wrote to memory of 400	3396	Pgioqq32.exe	90
PID 400 wrote to memory of 2948	400	Pmfhig32.exe	91
PID 400 wrote to memory of 2948	400	Pmfhig32.exe	91
PID 400 wrote to memory of 2948	400	Pmfhig32.exe	91
PID 2948 wrote to memory of 5060	2948	Pcppfaka.exe	93
PID 2948 wrote to memory of 5060	2948	Pcppfaka.exe	93
PID 2948 wrote to memory of 5060	2948	Pcppfaka.exe	93
PID 5060 wrote to memory of 2428	5060	Pnfdcjkg.exe	94
PID 5060 wrote to memory of 2428	5060	Pnfdcjkg.exe	94
PID 5060 wrote to memory of 2428	5060	Pnfdcjkg.exe	94
PID 2428 wrote to memory of 2340	2428	Pcbmka32.exe	95
PID 2428 wrote to memory of 2340	2428	Pcbmka32.exe	95
PID 2428 wrote to memory of 2340	2428	Pcbmka32.exe	95
PID 2340 wrote to memory of 856	2340	Qnhahj32.exe	96
PID 2340 wrote to memory of 856	2340	Qnhahj32.exe	96
PID 2340 wrote to memory of 856	2340	Qnhahj32.exe	96
PID 856 wrote to memory of 2168	856	Qmkadgpo.exe	97
PID 856 wrote to memory of 2168	856	Qmkadgpo.exe	97
PID 856 wrote to memory of 2168	856	Qmkadgpo.exe	97
PID 2168 wrote to memory of 3348	2168	Qceiaa32.exe	99
PID 2168 wrote to memory of 3348	2168	Qceiaa32.exe	99
PID 2168 wrote to memory of 3348	2168	Qceiaa32.exe	99
PID 3348 wrote to memory of 4908	3348	Qjoankoi.exe	100
PID 3348 wrote to memory of 4908	3348	Qjoankoi.exe	100
PID 3348 wrote to memory of 4908	3348	Qjoankoi.exe	100
PID 4908 wrote to memory of 1036	4908	Qgcbgo32.exe	101
PID 4908 wrote to memory of 1036	4908	Qgcbgo32.exe	101
PID 4908 wrote to memory of 1036	4908	Qgcbgo32.exe	101
PID 1036 wrote to memory of 1212	1036	Ampkof32.exe	102
PID 1036 wrote to memory of 1212	1036	Ampkof32.exe	102
PID 1036 wrote to memory of 1212	1036	Ampkof32.exe	102
PID 1212 wrote to memory of 3424	1212	Adgbpc32.exe	103
PID 1212 wrote to memory of 3424	1212	Adgbpc32.exe	103
PID 1212 wrote to memory of 3424	1212	Adgbpc32.exe	103
PID 3424 wrote to memory of 396	3424	Afhohlbj.exe	104
PID 3424 wrote to memory of 396	3424	Afhohlbj.exe	104
PID 3424 wrote to memory of 396	3424	Afhohlbj.exe	104
PID 396 wrote to memory of 404	396	Aqncedbp.exe	105
PID 396 wrote to memory of 404	396	Aqncedbp.exe	105
PID 396 wrote to memory of 404	396	Aqncedbp.exe	105
PID 404 wrote to memory of 1912	404	Afjlnk32.exe	106
PID 404 wrote to memory of 1912	404	Afjlnk32.exe	106
PID 404 wrote to memory of 1912	404	Afjlnk32.exe	106
PID 1912 wrote to memory of 4960	1912	Anadoi32.exe	107

C:\Users\Admin\AppData\Local\Temp\dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe
"C:\Users\Admin\AppData\Local\Temp\dfcfbb53126f57c5fcf73a7a93474ce3c6114ed63d39c65614372b9f3056b406N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\Ocgmpccl.exe
  C:\Windows\system32\Ocgmpccl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\Ofeilobp.exe
    C:\Windows\system32\Ofeilobp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SysWOW64\Pnlaml32.exe
      C:\Windows\system32\Pnlaml32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\Pcijeb32.exe
        
        C:\Windows\system32\Pcijeb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Pgioqq32.exe
        
        C:\Windows\system32\Pgioqq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Pmfhig32.exe
        
        C:\Windows\system32\Pmfhig32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:512
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        62⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2476
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 396
        79⤵
        Program crash
        
        PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3504 -ip 3504
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
337KB

MD5
66de2408a150c418ba5d94ce9036b821

SHA1
706009fd2b3b52657d4b231c19f2c9b25a53e71c

SHA256
00966577fd3734f3de2933ddcad42e2c912a3afb3f145e2962f003a9316d552c

SHA512
c7984a45e44dad13b63ffbc4f69d0b32bdba2a6387d8f4ea9c5d4fc4f90569f314e655b7131359ba44821a8506446f54f7db41e1cee92264135acaf577120102

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
337KB

MD5
a74aef4369a0953fed44aa358b836d24

SHA1
044cdff5bdea1564e234997d86e28bbe3ba3c088

SHA256
10c223628d28b7d837210c94631751a9ca20d39de7cb9694b8b08e0fa6b06c20

SHA512
898604f12fbc33fb7b440753896dc693cfc712ee027dd9c864b544cf0b1c342c51e739ad8036406fed6a93b3c0673a1638ca5c1e0c62091e04f16ab9bcee9edc

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
337KB

MD5
41e8ab848e9383079a66902e28323692

SHA1
56b0a02cb89442db8e6b6f95c3e64e3d35d69741

SHA256
e9fe09ed2821a65fb7548b5cb08f874a8da286893cdc22739ff4a9a203e15680

SHA512
ed2b67d5f6234019a712513f8c32c5176bb9798a449e186aad44366ab4642f93073ac2f351870456e5da820078ecded2dea08e773ed163a696c0c69843086005

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
9eeaf0ce87021095c56250956ea35ec0

SHA1
094696d8e81ebe72a6f7a52c6a2a50f43f102096

SHA256
60c8134ff4708f8dccf79e612c86b204e7dd638e75e1c142acfca87b6b5bfea0

SHA512
634df19bfb4e81a55c7876d41b96f25d556ceb96de271b0ecdbe3f2b229247fc72a61662a2af4d1388d9bd2f9d8dcf2d0bd6ec9a33560fe6559fb9bc649c46f3

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
337KB

MD5
caa69ffceb363a5a0d28e3953166318a

SHA1
df9817802979c7b6dd84303bd4430cc186c8e3c5

SHA256
9dc704a15b7183a0dd603568c87ee3190f99ee4e99512b8777da119eaa672e73

SHA512
0e2835eadb6525e4f4dcb2ef0eab95f604c3ae1f9e3d54aae575c5152f35c20c698a557ea8fd864297458f821f5dc41c64ac577046067023f9216523e481b652

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
337KB

MD5
824ce0d0c131d4835e0fecb3141e2789

SHA1
e0a8db5031364ae0d339e759a319f57981d8e13b

SHA256
cd0dcea7e872de1bb4efc2f4bca9263c1c3e3462c47fa365f304fc2311f57e1d

SHA512
1829470f80ea6507a76025f0e987167db273ccf25feb0d4e5a6b5220ba7a0745a3c5b40c24b74769e7dabc93600cf64db88780657bbe47882d652055fdf1ac8c

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
337KB

MD5
758a25642d20d22a3c28b25f7652ce77

SHA1
568e5037717efe37c7506fb0a2c2dc24ce1e0507

SHA256
d528cb33fb6bd45120ba158e077c2a9fb048303566d9135d11a5a4f6c71cb09f

SHA512
d6f5d4a3fa02ce4d34a2ae74407a4f5d222e75c80734c4af242dc8380fe637e91aa7fed9df1eda5194dfb8b838e9b9c4834cc7bf04e911fd426ba88f4abe4c31

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
337KB

MD5
d2a02269c1609132d57560dc7d824475

SHA1
4344e4484b3387039675c74ecb3d5e5b881ed0e7

SHA256
485ed7fde39e25ff80bf7c9f08178f7c805f527d601de2a4cd65bcbadca3dd90

SHA512
e3c0de476e0657a6720bdbe07e5736a5970563f2badaaba485a518420c2818468dbaac79dd8f29b97ea9f2887ae2a7ae81a169b3a32777c42184357296981724

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
337KB

MD5
d3129ab52d2b38ec5302770cd3f4cc62

SHA1
812a43a828e2782ca20f7de22f5488912baeb33f

SHA256
2d9f1b753179cebe412df615ee96c6575f772248f4956e894def47f11eda3f86

SHA512
f351e7044a967a4425886c62fee409dd5c0382a6973e4d1f6032b86e109e9d0c5d6cf42c1d1467e3a3ca84609d47cddce929402d53da6d174f5b218b54753028

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
337KB

MD5
62d65437e8725a90a834f36cc040e730

SHA1
9c72ae6edbec5fae1c4d8376709494dd36b89840

SHA256
d291a329aa1368da0ddbdd1157eb063a5c39d92261bff340f77b93f8a42aa229

SHA512
f9adfa06e38cdd8a4c56b18590ed2128f003e5d57ad1045c5c7846e1e172ec1fc6269d6818d2ef2f041d06fbd4b87d54e3d97656424e1cae4e76e892b9ee9f5a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
337KB

MD5
6ecc5d5b2cbbb1a27899a688ca61c7af

SHA1
d322886b10a28df778256ef94bd51837361ddbbc

SHA256
8136dd1ca490d29ac4399620a69873abd1e81dcaae6d4d3b766327a21349e72b

SHA512
301a6fc35d5c63e8312e7095c74547ce15b63b5488b90b831701919cef79638dae4c322b5d55ce2f622be76002a5e44fc2bb20e8af7f98aeb8a4ce54cd9b646b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
337KB

MD5
3885c71b481ef611c327623e21f26357

SHA1
0ec9036a81b7b23b85573711f47af1865c27332f

SHA256
e2dc58ade4d3b6708886e5aff67696a626a73fc4de753d5631fe64038eb14702

SHA512
7f67a7627ec51136e1b86398df2f21e66daffcb4fc9cbfc86088565d2e98acbba89d033ab34ccdef7e91c4ccd9a090f892f1ae33ea06fbf7a53d25f20dd9fa1b

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
337KB

MD5
48aba1e959660b75df31eb6f5c8eaeac

SHA1
dbcadb9b605dee3294b51d165b5ee61f71af102d

SHA256
053293fa2cd0a0d248de69d998437f347699770aca6e7e1b43b43eacca835b44

SHA512
a7670cff80738dfeb77a30812ab34aa595f1170a09a6f77a276d22fb1a577bc1f6078114d1c933bc40c3b4932df3ee0d8d58f74f11e8f927299e036ebba30a22

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
337KB

MD5
d22ae9ab29fc538f3e02984c1899eb25

SHA1
4938b39b64ef6fe1fc36fc1518646e13794998e9

SHA256
53fb210b4bf3ffb47c032b2ead9000c8b45cbc356cf79cca200f87ebbcbab3e9

SHA512
d15df00de08a3dce01c52381f973daf48333e98c2fb5a6e9128db14188c5c902f536b6056261b62fdfdd0028a80710f24667de5abc61893464b4a2eed61d5b60

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
337KB

MD5
4f90d142747ec883d0065db94073213d

SHA1
321244301a2973b72a23a76d8c0aa9817dceef83

SHA256
c3b2c258731a944ca9678ddcd0f4cbfd86a92653b80e3e685803b49386cce2da

SHA512
438e0e2e3db929b287a7a01360aa8ef6d69e5def9b0d25c2482a63d29fe918fdab6e915e031adca8c854e4d53e159447ab4484f9315d314dc0fbe0ceec903a38

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
337KB

MD5
aed3665b3d33a4cc4c7a8c19fcedbe4a

SHA1
3c8d5e4ef8a418c349f46c4bbcf3dc3002670344

SHA256
edb8aa9f22939a6f5e1669dcfd521f224398ec9d88d8f56f201576c79038c3ed

SHA512
6832259e6578c10dc6ff639eedb6f0dac8e86dfe72481283ddfb2f885cebaa7ea9d5b3b76232791c93cec59d32511de6dd0ce4d66a98a81521207bdc6c94ab73

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
337KB

MD5
56f2e19ace7cb0dec0de3971f273afda

SHA1
57907872f78d1753671ac8624ce6fa8b5c2823c7

SHA256
40d6b20547e1a696942d4e1f602b7bd3f3dd7de5c19578721c67e7fbaa4e5063

SHA512
285cc739a08750d94ec0f623ec12eb0e7e8975256289a29cf4631108a456905103bdfcdfb81e3bc987b4f06cef94ad15411c7fc0615081a1f524b6c2929bbf9f

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
337KB

MD5
7be2ab4a5017943b38edb32910615c36

SHA1
dbac08c54b226cf5b20631236519fa124fd69dd9

SHA256
b8b6e46ddae8a3728de2068b1c7bcbd3347d9a662de1dcfd683de6a10a4fd10b

SHA512
c4821aad46f0c038bdedd059c430713da4ba8776b8222e84f2a64a72e05eae8591e7747688a75a3c8052048100603952151a5cbf0d1ea685d23553ca1ec6e46a

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
337KB

MD5
2192cc420e5d8cb5e96c03bff9c58bf0

SHA1
c90718441d8c07a10ff00e11a5f3dc4f9dbbf70b

SHA256
74bc613dfdc4923d5cb7f66f96918b1d5d019dbb82d5b17c2a6a499ff6aa3d50

SHA512
203b927af9c4edf965e904c75a7e63fe8913e7e222be1ea866c83e3f45a9489cf2fd181f2e27bfe6c5898d5790549a191f1df0639d06b2efb983ce61292026af

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
337KB

MD5
5bd73dd0946302fbb86067bdeb64af3e

SHA1
191674d7b8cedfaea13fe1a6ef9b539b302e3ccf

SHA256
77e235524c33f7085654f46ac0e50ad9e11fe7fc2a236a19cb4c944b464dcb41

SHA512
032d0b8653d66ecc8cf425f305a8d9b92e0258a675eb02367b360475b4396c0c3d5a2a2b93d0c7fe578811e99fc7b8f7a3a85f94e07682286077bdddcb9d4a41

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
337KB

MD5
812d18b8aaf777fbf6acaa529e71ba20

SHA1
0a18dc5d69bea95fedb77a074db35821449709e0

SHA256
88f576a5e5ef221711ba7df94ca9476c398624c941900aa48e5671b26b8d8d20

SHA512
b6460700125ac679cc623a1100b68ced3e987cb57c8fbc562183f6e7d66eca6fc1d9ea13fe7f942af83acac5fd77255a04d8845c2078517afa5d853ac6cdbe3d

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
337KB

MD5
0c5b2a9a567d91a20bddf2af2d6a76fe

SHA1
6463e7f1f2ec4cb52b61cb6fec92c635ae1cdf64

SHA256
670ee34031268de74063150f0e9fccc0d6f377b509535ff74cbdb0bfa83a352e

SHA512
39b41b5e2195077c48fe96c08119bfca2838af7aa7d3621aebdba1b0f6544e2e6edf6c0d497ddfcfad7ee1f8bb1fc8fa0496b191b9566beb78dad78ae27a28c7

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
337KB

MD5
7b49fb2d46dc86e4413f74948b377f03

SHA1
f4e624c19a933d0f0c2ff3d3ee99a98f8d9b47f2

SHA256
af3f2fd2517c4ed7a10158616ea51750316f8ffbae3683790bae834739ff271f

SHA512
ab6b1740b8736859d8204d6309b7a8839de004f674d6d246f5c9e897adc3c5c98cbd9028452c6aab66dc11ca382e062f3cba485a3ff8a4bfcd8e5c9019920f12

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
337KB

MD5
0ddc4665adcb5ddc7eed371c9d3241e9

SHA1
d0862988d49340c393fb252379c5216fd70b8382

SHA256
8cde178071843bbd048985fd106b32659b81ef83580ce58a9825842b56d74b94

SHA512
5b0944d28e1e6994b9d89f1a04fac3217b0079eb29d666bd7652753446d7ae0ab789e79a440d2dfaacbf7cde88667505294b987f4ced3ba7028c7ab0534c45fa

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
337KB

MD5
1e7467ec40f33fa977b73400a75c6afa

SHA1
d8de75c19dec89651d2a953fefa04392a53f2dd9

SHA256
999aeae6d1b58f078e016588a037d0803f9f71e2cd90e00d188331ad8323346f

SHA512
530c2576246712b2a9add6e1811ad9541e27093037222388b25d8d45cb04a881ad2c29af977f8ca07224dc134928b3d62e7a5032651d129ddbe06d32ec162991

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
337KB

MD5
887859ad1c129e6d8285ea0b2533bd49

SHA1
9b08b6060f549d590d69321e85fd7afa315f9a4c

SHA256
50f779e7d25fe29ce8468d1c8a3d4c0c014711c139747bbeb93f197be9d87f38

SHA512
bbef8217c6917179b682c0f07be8fb0881019a6cbe1746d83681cbcf005f31c0e3099b0c6f2e00a30ba80955d6dec9eecb09dfda9ec1e04996219170b0729c9c

Download Submit
C:\Windows\SysWOW64\Pcijeb32.exe

Filesize
337KB

MD5
7930838f4eaec020c0d0e40e5ea19f27

SHA1
6e64d226da4e2eabe25efea82f7c03efbe7c8cc0

SHA256
cee22e39bf67f70323ec3adddbef3966f07c863bfae36ea2203b97a6ec4a4efa

SHA512
6fe922b80bd5b2ce98e2d8e01a16fc604bdeed152c9481a1533265c5ab9d8772b4c4c03364e86826e47a590e9b06372045119c1c6a1e97971c9f479486f3b4e6

Download Submit
C:\Windows\SysWOW64\Pcppfaka.exe

Filesize
337KB

MD5
1fe8d5124f91ab4c6247447c4eb42826

SHA1
b2c79fa1a250e3fdfcd2321b839ab9e47066959d

SHA256
6852925aa2503cd5b75c6b56b794c11ab3ecffecfb250fd130e426b3a3cb36d0

SHA512
3436f5922be20924b2b8a1e3de448d9d270e606375829d4ba4cf370f072fe0dd5dcc4045ea887dd197b1554da8acd2566f85ccaa4c50ebf463877ee42719705f

Download Submit
C:\Windows\SysWOW64\Pgioqq32.exe

Filesize
337KB

MD5
649b67de2c238cbfdbd3f77a28d4b6f6

SHA1
e61c22d4ccf91f4d8d6feb962a888ca832ebca18

SHA256
5a2905e9a820480dae4cab2ee3ea06c81f789a1f2fdd463af15fb09b53612060

SHA512
675e24bc495485db6f737daf8b82bbeaa808f6c6dfbeef128513cfdd1c32f36bec8bc21cb48c5bf367ead25a4a68d7c6ef21152e14539ea24ff1713bb879e8d7

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
337KB

MD5
7139f655009d996624934c3857ccb58b

SHA1
5d808733394ed042ac8a34406957d1a6b81ada86

SHA256
17bcecdc0bca8cdffeb251fd88f4fbb2ff8b416e44ee82ad2f228f80797a25a1

SHA512
1257ce56e7585c7acb93f94cca9e2eaad4caa36fd674afa28c3e15f6cf6fb236da60827290e3e21cd0e90fe801c125dc264bd420830beb4f639d7792ab715388

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
337KB

MD5
619194f3700dc3a82a595bf9b9209495

SHA1
b88ef03d666d3c43e1a8ac2aff1beaf2497689f3

SHA256
f311a1711ad6fe1c0a6626d972c778b16a11527a3dacd85d8d1bcc5405a46fff

SHA512
ab371c4a5318b06f0c830962cbbbc93fba98a5d93b38551858763435eb578f434a687ef73ec92707fbd54383d84ddad796730277730bdfe0357bc0d45a08f48e

Download Submit
C:\Windows\SysWOW64\Pnlaml32.exe

Filesize
337KB

MD5
d44bf1174ba6da95561aa514d78492fb

SHA1
b5537ee45149e7f3b0f51bc6592df0042ce70676

SHA256
89837eb34403fd643bb507fc10e2527ed5d54fbf600dc80219e946df765d6ecd

SHA512
f428314557e9c24e7f4a07518e8fb796a58f4f92f95a14a5d1b5a28670b8e97a8a31a420688a6a85a753cb4bdfdd83a13cac7f33b73b8b9b234bcf3222dec281

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
337KB

MD5
d8f413725fb92110a5a59f2f624c4623

SHA1
ce2166a94dec992cffa40489abc0d0db0fadba14

SHA256
a4f6a95533527a30c91d8bafe184e9f309a2ad56a949c252646658a4635fa044

SHA512
4f2351d82e75b5710d4b6a4927697b9ddd0912c41b243ef031ce2589083b9fb0c6e8c78a050c6f2b9be8fbb9c8d578d94b5aadfcc38986998d1b86649f589065

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
337KB

MD5
9cc423d442cad8a7bd29e12b6a40418a

SHA1
a7a4f13fd057bdb44c12ccfba1ae3a2913dd492f

SHA256
7b86c10aa831723f693644ced4eff31e82ad0491562840f1f7006fb8627be6b5

SHA512
4002f07e9cc60aa9cb943d71ad17bb5e115e8e5f2e6f7abd87bc6a430b88c2459896807c9a2444eea78831602fa2459961225dcde13b1d90e55db12463f3ab83

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
337KB

MD5
c7490334ff29355396f34025faf5a13b

SHA1
48ecaac1eb189b244a1f1371c471dfb94ca2f783

SHA256
a5b8643ce263a50a928234f4a50a264fca0074b85d5af4df36ed48edad43027d

SHA512
037f97e576dd56b201c56920898941a70b1162d8ef9a07bdcb3fb5bbc56da52294d12d8486c9d53911e16d68c7d53f99434c53c2ed5399ce0194a14db99ad04a

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
337KB

MD5
abd8e6a46cdff7a137545e2534d4e4f6

SHA1
b9f5cdd2bc0bfe9556c57e8bdc21f3bb4649e595

SHA256
6f6388a8aec90b077c96a560a50b4278c71be3d73b1bf10dc4838e0f0fcb2df9

SHA512
f7c08797c398eaa5b11301a69ebaf5fe03234852dd58d4b996407b52a7a49b2643b4453d884831df7169f00af07bbf4a91015f4ee6dcbd9611db6670e9d9f415

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
337KB

MD5
59b74e3520cffccb967b94889a64d1c0

SHA1
62fb7bf10c597da2ae394c32b2c3e873698d87e7

SHA256
971ba34f24a9e4e44f7fa50a851ba9adf0e26cc5fd6eb7c7b415e24081830837

SHA512
0451e7dff3ba745bd3f4c3b5aad0b1107e555fa5eccd15290149075937b794cd8b77291ca9028822ffc1e8c583b6e26a10d6a22942894ec4dd6f20c5c74c067e

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
337KB

MD5
62ad2a8c7e1be99ce623755892e20716

SHA1
cec4025b550c6fed3abe83cb18ae5092dcdd853e

SHA256
5bc76f88e3557f724794d1c5cd60c1a9df859246fce5b416c75acbfe6c34f7ef

SHA512
e33c13245b5044fbccf4f3623e82fdbd88223c8158b07b06bc0b05fa8ac23c7bde416c917a46e01084c297f802f333a1c86dc803ae66317b2167c34954397959

Download Submit
memory/8-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/512-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/684-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/832-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1464-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-621-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1568-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1892-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2044-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-535-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2208-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-604-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3116-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3396-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3424-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4924-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads