berbew | e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e

Analysis

max time kernel
93s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe
Size

81KB
MD5

a519ca2e6591c1eb297fc10fd1cfbcef
SHA1

65c9f76f137581829a0728cf202625e8da4f322a
SHA256

e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e
SHA512

b72d7e83aefff027a301d31515c96243cb15029968f9d2bdc25f1c3e35f639f87a2f7da9cae31639e224f0f4031e8ae93122a10a29dba24c3d92d5c589f4849b
SSDEEP

1536:nI1W4sdWtb7lkmFqLNw8UBdH7m4LO++/+1m6KadhYxU33HX0L:s6At17FqudH/LrCimBaH8UH30L

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfjcgn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgmpccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olkhmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pclgkb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4212	Ofqpqo32.exe
3012	Olkhmi32.exe
4464	Odapnf32.exe
1920	Ofcmfodb.exe
2560	Olmeci32.exe
2880	Ocgmpccl.exe
4916	Ojaelm32.exe
1384	Pdfjifjo.exe
2416	Pfhfan32.exe
4708	Pqmjog32.exe
3588	Pclgkb32.exe
3692	Pfjcgn32.exe
4100	Pmdkch32.exe
2168	Pcncpbmd.exe
3564	Pfolbmje.exe
648	Pmidog32.exe
4644	Pgnilpah.exe
2272	Pjmehkqk.exe
3492	Qqfmde32.exe
4672	Qceiaa32.exe
3208	Qnjnnj32.exe
3336	Qddfkd32.exe
748	Qffbbldm.exe
1536	Ampkof32.exe
1552	Acjclpcf.exe
3236	Ajckij32.exe
3308	Ambgef32.exe
4216	Aeiofcji.exe
4424	Afjlnk32.exe
3440	Acnlgp32.exe
4136	Afmhck32.exe
396	Andqdh32.exe
2248	Aabmqd32.exe
4576	Aeniabfd.exe
2028	Aglemn32.exe
4604	Aepefb32.exe
3764	Accfbokl.exe
3052	Bnhjohkb.exe
4600	Bagflcje.exe
2484	Bcebhoii.exe
2704	Bganhm32.exe
3864	Baicac32.exe
4528	Bnmcjg32.exe
4880	Balpgb32.exe
3672	Bgehcmmm.exe
3428	Bnpppgdj.exe
3696	Bclhhnca.exe
3132	Bnbmefbg.exe
824	Bmemac32.exe
4412	Bcoenmao.exe
4956	Cfmajipb.exe
3020	Cenahpha.exe
712	Chmndlge.exe
4472	Cmiflbel.exe
1280	Cdcoim32.exe
3456	Chokikeb.exe
1704	Cjmgfgdf.exe
4544	Ceckcp32.exe
1460	Cfdhkhjj.exe
4492	Cnkplejl.exe
4056	Ceehho32.exe
1836	Cdhhdlid.exe
3676	Cjbpaf32.exe
4448	Cnnlaehj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ccdlci32.dll	Pmidog32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hgaoidec.dll	Pgnilpah.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Pfjcgn32.exe	Pclgkb32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Olmeci32.exe	Ofcmfodb.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Pmidog32.exe	Pfolbmje.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Qoqbfpfe.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Lqnjfo32.dll	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4504	4008	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olkhmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocgmpccl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odapnf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfjcgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojaelm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamee32.dll"	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekphijkm.dll"	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmdkch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olkhmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qqfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocgmpccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odapnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiclgb32.dll"	Ofqpqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncmnnje.dll"	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfhfan32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4212	3224	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe	82
PID 3224 wrote to memory of 4212	3224	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe	82
PID 3224 wrote to memory of 4212	3224	e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe	82
PID 4212 wrote to memory of 3012	4212	Ofqpqo32.exe	83
PID 4212 wrote to memory of 3012	4212	Ofqpqo32.exe	83
PID 4212 wrote to memory of 3012	4212	Ofqpqo32.exe	83
PID 3012 wrote to memory of 4464	3012	Olkhmi32.exe	84
PID 3012 wrote to memory of 4464	3012	Olkhmi32.exe	84
PID 3012 wrote to memory of 4464	3012	Olkhmi32.exe	84
PID 4464 wrote to memory of 1920	4464	Odapnf32.exe	85
PID 4464 wrote to memory of 1920	4464	Odapnf32.exe	85
PID 4464 wrote to memory of 1920	4464	Odapnf32.exe	85
PID 1920 wrote to memory of 2560	1920	Ofcmfodb.exe	86
PID 1920 wrote to memory of 2560	1920	Ofcmfodb.exe	86
PID 1920 wrote to memory of 2560	1920	Ofcmfodb.exe	86
PID 2560 wrote to memory of 2880	2560	Olmeci32.exe	87
PID 2560 wrote to memory of 2880	2560	Olmeci32.exe	87
PID 2560 wrote to memory of 2880	2560	Olmeci32.exe	87
PID 2880 wrote to memory of 4916	2880	Ocgmpccl.exe	88
PID 2880 wrote to memory of 4916	2880	Ocgmpccl.exe	88
PID 2880 wrote to memory of 4916	2880	Ocgmpccl.exe	88
PID 4916 wrote to memory of 1384	4916	Ojaelm32.exe	89
PID 4916 wrote to memory of 1384	4916	Ojaelm32.exe	89
PID 4916 wrote to memory of 1384	4916	Ojaelm32.exe	89
PID 1384 wrote to memory of 2416	1384	Pdfjifjo.exe	90
PID 1384 wrote to memory of 2416	1384	Pdfjifjo.exe	90
PID 1384 wrote to memory of 2416	1384	Pdfjifjo.exe	90
PID 2416 wrote to memory of 4708	2416	Pfhfan32.exe	91
PID 2416 wrote to memory of 4708	2416	Pfhfan32.exe	91
PID 2416 wrote to memory of 4708	2416	Pfhfan32.exe	91
PID 4708 wrote to memory of 3588	4708	Pqmjog32.exe	92
PID 4708 wrote to memory of 3588	4708	Pqmjog32.exe	92
PID 4708 wrote to memory of 3588	4708	Pqmjog32.exe	92
PID 3588 wrote to memory of 3692	3588	Pclgkb32.exe	93
PID 3588 wrote to memory of 3692	3588	Pclgkb32.exe	93
PID 3588 wrote to memory of 3692	3588	Pclgkb32.exe	93
PID 3692 wrote to memory of 4100	3692	Pfjcgn32.exe	94
PID 3692 wrote to memory of 4100	3692	Pfjcgn32.exe	94
PID 3692 wrote to memory of 4100	3692	Pfjcgn32.exe	94
PID 4100 wrote to memory of 2168	4100	Pmdkch32.exe	95
PID 4100 wrote to memory of 2168	4100	Pmdkch32.exe	95
PID 4100 wrote to memory of 2168	4100	Pmdkch32.exe	95
PID 2168 wrote to memory of 3564	2168	Pcncpbmd.exe	96
PID 2168 wrote to memory of 3564	2168	Pcncpbmd.exe	96
PID 2168 wrote to memory of 3564	2168	Pcncpbmd.exe	96
PID 3564 wrote to memory of 648	3564	Pfolbmje.exe	97
PID 3564 wrote to memory of 648	3564	Pfolbmje.exe	97
PID 3564 wrote to memory of 648	3564	Pfolbmje.exe	97
PID 648 wrote to memory of 4644	648	Pmidog32.exe	98
PID 648 wrote to memory of 4644	648	Pmidog32.exe	98
PID 648 wrote to memory of 4644	648	Pmidog32.exe	98
PID 4644 wrote to memory of 2272	4644	Pgnilpah.exe	99
PID 4644 wrote to memory of 2272	4644	Pgnilpah.exe	99
PID 4644 wrote to memory of 2272	4644	Pgnilpah.exe	99
PID 2272 wrote to memory of 3492	2272	Pjmehkqk.exe	100
PID 2272 wrote to memory of 3492	2272	Pjmehkqk.exe	100
PID 2272 wrote to memory of 3492	2272	Pjmehkqk.exe	100
PID 3492 wrote to memory of 4672	3492	Qqfmde32.exe	101
PID 3492 wrote to memory of 4672	3492	Qqfmde32.exe	101
PID 3492 wrote to memory of 4672	3492	Qqfmde32.exe	101
PID 4672 wrote to memory of 3208	4672	Qceiaa32.exe	102
PID 4672 wrote to memory of 3208	4672	Qceiaa32.exe	102
PID 4672 wrote to memory of 3208	4672	Qceiaa32.exe	102
PID 3208 wrote to memory of 3336	3208	Qnjnnj32.exe	103

C:\Users\Admin\AppData\Local\Temp\e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe
"C:\Users\Admin\AppData\Local\Temp\e1d30aaaaf89cdc489d080a2050e8feab246c533fdab4d8959532d00da89b32e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\Ofqpqo32.exe
  C:\Windows\system32\Ofqpqo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\Olkhmi32.exe
    C:\Windows\system32\Olkhmi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Odapnf32.exe
      C:\Windows\system32\Odapnf32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4464
    - - C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ocgmpccl.exe
        
        C:\Windows\system32\Ocgmpccl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Ojaelm32.exe
        
        C:\Windows\system32\Ojaelm32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Pfjcgn32.exe
        
        C:\Windows\system32\Pfjcgn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2028
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:712
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 396
        81⤵
        Program crash
        
        PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4008 -ip 4008
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
81KB

MD5
cb81ab4cef00d5d4c3a5eb1d0c2c6dba

SHA1
62dc0df64bd749726fcb7abc379faf7ba7de00d6

SHA256
9e73b8df5d806904e8fff4cadf77a1a9d35c80a575f4d26792226b3cab856703

SHA512
e52f03b77d27358bcc32861695dc1d11c9ce5a015322aea7b0acdd49a798494b4e612888945b300dc5b7bc8db647edc233ea715e2ffc8b8ea54d5cece95b65b2

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
81KB

MD5
562500476c9a4d98b856f0b30e6517f5

SHA1
5d0f8627b42b0acdf49dc1a7dab0b11c1d31422b

SHA256
b79d018ad0a8866279c2207a807aa896e3ee48a69090cd4b90523d726311f6c8

SHA512
676152ba14b415ad75ab95e0fd397db4f56c1dd6618e3782293417ab8bf7407edac5ec23545e001d1cae20cd2b8d3ed33e6714c93bc5c4910a729571bbf197b0

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
81KB

MD5
146318e84118b2abbe5a114908fe7ab5

SHA1
fb7923ecdac14e8dad08b6982a001165a397593a

SHA256
5c18f1d25a1654aaf76a1130f8234e6efab05586db30a4968bb9d2235156be8c

SHA512
bb54ec08e91ac720f243b069604c07af35d52da5de0656adb4de787231125999fb134980d4642f8a8d96e479fd244a91bbf50ec8fe8c8526ebc5721d66511674

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
81KB

MD5
7ca403cad55bb9ebaf14392442acfa5d

SHA1
eba43b5d7b53fdd213a55d27c82ca752a11145da

SHA256
ef85e2e521b54f6536d757bf1b190e6203b602b039fbf2947aa610c6caa8573a

SHA512
d678d76ba35589908b441939ae2e09bb3643e295a40c164c613ff394f344b19752bea3e25366c093b08207336d75e4b84a2945b49f8e7741aeb31dbe2ab5d135

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
81KB

MD5
8b92394cb7a25180e8da7e83ea3f2403

SHA1
98167e08524b513630f5714c334be2216feea284

SHA256
aa14329de8c0ecf874a37a11ae82cd4798588fdfae48d00b085e798d6911d2a1

SHA512
7b61f9a71c7f325edad6bfb77f55848e34c4968b6ce4553ce42c58160f5821c32b17c98e7395f730b631f7bf00f0608f93d9816576f85a834b0ca72e6470e675

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
81KB

MD5
27df7de286644a9d2946ec029ce7016a

SHA1
c406e6f843a3e592faa7afdc6da83ce771b55abe

SHA256
378c73c6abfdc2cdb123fbe0ed559ba1159ed775b20d029d6f3698ffb6dda82e

SHA512
bd236509539336abc7c8ce4184e6cd1196074c504765a100680e5b004a55025fe1a4663cb1e024b867b5adc14cdcdd07a7d324a2f7b8a8ac7eab6970711e1049

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
81KB

MD5
b5e3069a760fff277e2f7841fa50fb08

SHA1
747d263e9951c87467ef3948697bfb88c2d9d3ff

SHA256
0e8cc6fe35680aa61ccc339aec854a0348018ce279ea6a87fd3b0a320be8c701

SHA512
e01f353d3095964fce28f625f5870c07fec20a94cc086f5ae33a235f417186341c48b2b93cdd28eff049628a128f94b80b24546ba305a35f4108a4114f63c226

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
81KB

MD5
ed276fa659bed4b01daf0e4cfdb8df14

SHA1
81fb295b6cab5ba630f577982a7a437d9eb35a29

SHA256
df176d39d45e59590bb09397297df067dcaefda8367680feafc2e857ab8f6524

SHA512
ed98905c68c36c004febf028ab6d225c295060abb73f4f62ccbf459ac9aa7a9183804f14e078030adb1037f6182c072ab21114e2c01656e0b6209ea4adfd4c40

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
81KB

MD5
36b533cfb8f9ef265c45aa54cc4dbcfd

SHA1
110b99e0c26326707474a6f7f1d2c451a1a8d11c

SHA256
39939f4b191c2d3bc3cd910a428d1f0b23061a5409a6d4a656016fe69e2573cf

SHA512
45e6df5cc4dd7998c256148da637c69b7dd148ccc0bf281379ae507ea5ace7528c3aa12d7d402a4c33382373bd2af732415d86f279aaed6a7accaf65c25ae17d

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
81KB

MD5
e55a02b5ece414724f87d9caa01bf9f5

SHA1
8edcd69fef4b7252220102cfea4385b629e7bd33

SHA256
a08e1338908c44cffc13b8a928de03ab18e62dd98cb5141cb87e03263dc547a0

SHA512
a8193855d727779b90248fd6e0022a5fa334c98f0884d81f3f63c9bd7e9a7bff785878c348a4362bbdd61d50c3ade60ed2a5ffcffdfa235c5f71a68bd9004569

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
81KB

MD5
7ccf7f40e9e03c05c4902fad342b32ad

SHA1
8d0387596fe72d89bb6498e85bc88abe7a214189

SHA256
76deec2c79277f67213dd66b29511f1b9df12ae554d9b710351f948c7078f5c5

SHA512
14e8fed51a01a87bba46fc8d1eead8b22c95618b36ef24d30f0fb96175bb46392a5b7de1334b8d4557ed847acdceab7366853d91df24f1fa48b47be16acf2913

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
81KB

MD5
d400034eee42a6d639f75ea6d59ea97b

SHA1
a0a06a7ac4e6ae05c6c8d791d4ff2b8575a49144

SHA256
02efaf6af29de7b3eba0d1cfff1465e50084a1f73e45a868aeb3d8b67c3b7425

SHA512
c6f274515382ebe55b416d55cd4e1381391d52456f7d9a41d9cf7b79857e50118aa389aa4ae8b609b89cade6f460ceada6788c43ff58d1401dc8bc42084935f0

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
81KB

MD5
c85230ad8cdf4b25e1188cc848dbee7d

SHA1
d281b1a90837297187bfa6c938cafee781bae898

SHA256
d77d5acc6c2591ddaf75c5357b653524d4f61792119d4f1c7f9e99baca0164d9

SHA512
6d53de4162d69dab575e1ff14b096f7156849b6ff61e072ff8849b09210b8983851b980270089abb7e4ea05aba68bef3715f59f2dfc79d8d17d0509c09132ef2

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
81KB

MD5
5fba9b1a4ee9d7ba064883939cc503ee

SHA1
df1e818acc43fe26f4530b5ea6d654e816ff2cf2

SHA256
229e992e3c14733f795bdabf055808cbb598a350a2f5597d6912c00042146208

SHA512
5c3a1327f13f0501407e013f67770aa7dc2e516e2048408b3ca19820f5c1c202fcb041f4e4016ce8eeabd6eb141bdbabec1f7d30a33186480ca3e6e8d4b05814

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
81KB

MD5
948a97a28322442a5dd045eb4e4c0539

SHA1
b0ce5db91853ad64c21e2e0017b1aaa8f5cd3d70

SHA256
efaef11ea8b02db27a586414a1cdf31e62c84e6a8a17e4dc4f7f2aad2f13ba35

SHA512
459def969c64ba22e726b44c7370f5991f16de4cbf2c88a1aff311894f855ca2e60323e5b4c8562f7af11615349dc53f7fc06f2320f9141c821e6c557a5635ae

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
81KB

MD5
5a27f1f692e1f1ed42606cccc5c49c4a

SHA1
4358945b72b77e168dc6e3ac61ad263dbbc4f225

SHA256
88ac2d4e7ea713a1b03805411dd6553a18156c88808f0c88ceee258347f50738

SHA512
15d666512b5886a4aafcd00271ed72a560fd5e5eb0d53d45e170c86aac1b096c1c0fbd9bdde421a1c77f1872159dd51f94309553b89640201344531522f09b92

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
81KB

MD5
168893f3e65296f6c248b4c0661a4be2

SHA1
43196940a1ffe422e63c4b3341f32b18cb644b40

SHA256
6af3eec9ce07d1861f2c7bab37dcb16f61cb2136f5c44a2b2849c28f01dc6c1d

SHA512
bf532ac9f69198f93ab74ab4eba598b211300fcd96add279c997191d034b3c60c70c650674db39859db611db12fdd1a5038a15d7d5c9fdf73ee09d23a89d6246

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
81KB

MD5
3c88cd750f7a36fe7ea6afcfcacac140

SHA1
9bdd99c0ef2f4a7f8257f10ef93350e625d2726c

SHA256
64452a08d8a6e8d71035e6ae80cdc3d3eae77676248f91fc9d36086060784bf6

SHA512
d3f5998a78b1ade42cb8dff2d8428788c18202d8280fd6cec4e1540fcac4f215a763dca8ea2ff9c327547ec779e1b1a90d95b06897d0a4c0f183cca01841c11a

Download Submit
C:\Windows\SysWOW64\Ocgmpccl.exe

Filesize
81KB

MD5
a7c457fe0dbd6d5603bc34514a170c6f

SHA1
bc4afca84e5f26c142e9fee6c0bf845c2143a5fe

SHA256
fa2c30e4c352299d0c7a21bf97326144e8dbb70f4c34804a1dc1baa7e6b46fdc

SHA512
312173004cf66e605cd297ce5abc65c31351620ee7b6e3c2493bc1ab677994cf1b704ceb432ad13dfb8daa361c4cf1207a4a8dcd1ae2bb46d218c6572f8745f1

Download Submit
C:\Windows\SysWOW64\Odapnf32.exe

Filesize
81KB

MD5
4f49ba0e27faffa1dc349f023127a31e

SHA1
6a94ed2efaa09a1c509ba1a60395ceac4f6c062c

SHA256
6c16a83b5080dc9fa816567dd979d627db053b8b43a36d31bfb40368c6340916

SHA512
5781c9f31627f90d0ae7b81c3540911210d08223c8ff0363a7a50f3a9c445568e50e749e5f82307ec627b9497ff7dd3e4e9e10ea2cdbd72af2b0cfc0f6fdce31

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
81KB

MD5
3b157ebbbe98d923a50a83fb80a92dd2

SHA1
e4e9b2606e760ec9faa32e901e2e7f3b20f305aa

SHA256
6a7501b88907bfc8586177f963aec838d75c161d78c2b4a9b965f75caecef9d4

SHA512
03412ad422259bb69d81b280bfce1de63de4fc2c634e0efa4a59b3a6fb8f3695b763a666d1363c25e377e9edda109fbd613053ac2a70d477bb8a77b77f57fc66

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
81KB

MD5
db265106668d51e5454853059b5f4c16

SHA1
bbd44cbffe577fa90f99b2a4a62081830b5855ea

SHA256
09a0ef383aca7efc49f8cb4489d322012b2008464d1d137aa5fb09ef77b1a187

SHA512
98dbfaf4cde76cdc8d8fd921f2775a987984dffbfb1dfab842787692623c54d3ed3213b372be589b2db62429adfe37b15cd86b4ba38f5c032e0d8564e13a697a

Download Submit
C:\Windows\SysWOW64\Ojaelm32.exe

Filesize
81KB

MD5
84352a1668b57be401d579f8f28adea6

SHA1
b6b5f3741c61aa6c802281701e9bf46eb175294f

SHA256
1c580f1160dbf9fca69d2cdd372c0044915ee6c7b1f317b42082c5cb5c6fb75f

SHA512
daace140fff7c055965ca3199b16f4ecc786d45cb8e1ba44316a52a37e4371c07536e8cfdec6a7263ab1d8ed6286b1b6d42cc2dbcf3101836b42ea0731231538

Download Submit
C:\Windows\SysWOW64\Olkhmi32.exe

Filesize
81KB

MD5
8bdf1d5c0d9cb880a2aa49394c7b7cd5

SHA1
6dad48a3749d45505c8c45ff2df4604b52740d9f

SHA256
3ecdee6de54e6e14e262fd43e3a9d0e6254e52fca08655360454e099c1f0c74e

SHA512
269ccc13e0da597c66477181363892fe890a26c1e1d0a381317d187b3ba4011a2f3cc271ec3aea03928fe1d38e32673432cdf765ce1e903e523d0412dd63123a

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
81KB

MD5
48a79edc3d353a655fbb5b0cbbce6743

SHA1
d61890cb1a5a2f7002ff9d5215ac0f9e89550c08

SHA256
f7da671e8e1a672908bdbf44c1faf16a9cd55e91feee337f459c4d4c8bbb3ec6

SHA512
cc55102a3502b1926219d2b290c236ef20a88cdf471889129a6b2658dae39b4a743476e319bd9b28f64aecd5569f890a4542b118bf23e62c44d9defc124ac884

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
81KB

MD5
7c7944b2279bc51db33d3d32a94cdcc3

SHA1
afb18065443084df48ed04253499984c9095d9aa

SHA256
dbe0c35a1cbcf0ee0a76feefe6c5e1b1ceab2f36ad094e6387b3302989584582

SHA512
5072666fc747a963a3389adbc6fac03a156c64cda8273c2a30dac0b1e487fa75421872989825fc7d722490a6649d3b7d9eeb4df1c8b9e4e28937e4ee6cfca3a0

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
81KB

MD5
d4478546dd9991df69013d3b9aa86231

SHA1
74cd4c5d44ceab405991d76bd25f4c480d1af1dd

SHA256
61e9eba37c951a80ca498e8bd37c05002f69cb3847f8fca23b64eb0c7a53bc81

SHA512
8f92f41bb8854697ce860e258ca1e2ebf265e11e1639ea124354d377be876639a0c68e8be184697deb269de2a14792d28971d3ec503f1aa4c7b44142512e8526

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
81KB

MD5
b902419e72a92f7cd2d9125fa34a971b

SHA1
6c12834abd0456e50ed33218e796889354830c63

SHA256
a0b675f65fe5f2f8dfafc6ae17cc8ab6a45b0c91f8905c9040b2b56e8fab5ef4

SHA512
84931f5747a89e006528a82166519b20bf2bbf10cde71f2e248880b011b634c37131d9b95a9e21f8324402a3617c3a9162e79d243a4f330bd0a2cb127ced516e

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
81KB

MD5
b43654299761e9de4afe68beb002d951

SHA1
6f032c13deb8f067a4994b7255f7253c968c37da

SHA256
15956d2f085f4a94d3231ea8c911ea1c021d787454ab358cdf956eedaab16bfe

SHA512
3ade9727933955cd9ff774ce1a7ac1360ffd390594fdec51b058f7164ff8e48b03cd35c9eacdbf210aadddda880e4c642f1e592bc29e9f49793f9db688d00058

Download Submit
C:\Windows\SysWOW64\Pfjcgn32.exe

Filesize
81KB

MD5
f98add5a0e5cfa7a1c5659eb51799ff2

SHA1
54daf138f1c795a646e856efe23eefa52f96c137

SHA256
7f9779877c992a9bbab11fa1f4d90033d5806c9312fc156f6e24691646e4fd87

SHA512
42f3129004e745340b91318230449c4f4da9d84b4bcacb6d3ede823956927b311f070e3d7ae766ebd1642c2f29384705984414c85ac9a5c856ddbe16b5379d72

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
81KB

MD5
bcc00487af6ebe348ef522ce60ce7446

SHA1
59fcdb6b710b318e3d3f3a6c234b708f49ae3e17

SHA256
b1767a771be130820786db42eb86d95db859335192069eb926c92ee777baede9

SHA512
8d76cac37ea4e5991893c2332d7f3832236e9841bd1af2bf61a206ba720bd11ce14e1a5a5d7c175ebbe2134d3b5acef8fbfc358d914ec2ad0f6b49c7614543b4

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
81KB

MD5
27c4dbace2b729abae197c826403c6d8

SHA1
72578141db790806cb85681153259294f1dcc324

SHA256
6f4ef1015a6995021d165163e51e8a04c5a114426b09e635b3e6fc6f20fe2e7b

SHA512
cba0d6a90275edff75d30eae24b288f63683eb48db936e4be2168e6cc3d3e59c64a2c17e425991b00322bd03ed2c6401123860806d7a68ae1ef99d802b1e597e

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
81KB

MD5
29064d66559e30b9cf9e5dc1da89adb1

SHA1
060e0c89db60ae1598879dbe842942e42831d6e2

SHA256
0f6f862c83f4f1b38ac3cf13a1089346848c70d2c3e6c09bb34e9cbdce5f19fd

SHA512
0e7ce7173f3ef219a43fffede2fe4b39a47b7e23720803586456b082650fa717c519a00a73d68e5043a3b28c4727f7988631c382ff0a210c81279ca1419a3baa

Download Submit
C:\Windows\SysWOW64\Pmdkch32.exe

Filesize
81KB

MD5
1c31978471acdb10ec110510c439192e

SHA1
04d1e8f1713e47dfc860f354302e163d4c707042

SHA256
c537b267234ee74e9a95c0559bc68b2588ec24252c844a948d439e93ee3fa6cb

SHA512
79f893ef9fb3adb42c8c522add4646e66674a412a734372fa73e3689b438173a53758e5b0aa0a3733e979c970bea4840bb920bce6cc9d1f9bd8a24f5170f9887

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
81KB

MD5
b9357d9e221b4545276d137ecd67b4dc

SHA1
7d0f949b6d70d6a673bcdc7caa617960a8979236

SHA256
b3d15c0c4d252ef02d44c6914ec80d362347332988b43bf54899ee113e3f213b

SHA512
b5738d701f348dd88fc26847af0a9ac3cac311d67d0739f7425be67bf9804d7dc4cbe23b28000908b5e2333ab588bf2bbf416490c0d3a89982c1d6dbfcdd06ee

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
81KB

MD5
a03823dea940887d7b37df1b782dbde7

SHA1
c5d751a52a213af0e4fc3495a51f66b09005f920

SHA256
6c51704aa7e9f134aae6a36cc75b6ceb048ba3446cfe538990334eeb1a586f58

SHA512
71ffbdf81c5ca9712f7ddc427c6b0c2f8d1935369e9c43357900657548ce861b511e6e433c32f2daa0687c9a44a7a726fc109abea85726a646ac239863850094

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
81KB

MD5
3b9ab4758d179450359960a0c08d47d0

SHA1
f81dfe52fa93c8508e4df16c10d2b44e956e7b0d

SHA256
cbef32a58236df12d8db500b4d7c2a79d90ce04854b4e9c81bc44b6a3893f410

SHA512
e46af70e26093c15489bb0e64ded2579865091f9cb4d57d0d6fd1f67cba4d67c1257abfbf4dfdddd7b153f7ad3895126b98037fa29a606af8c3115b934143802

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
81KB

MD5
018fb85a5100e235b8653e02d301969d

SHA1
c391b2036fe07de04487ef9ab60eaec1489317bc

SHA256
14c534807e857c8a9b8e117c08e1bae2c6171ba2fd458ecd7d244d908c65ac16

SHA512
715298883df7789600757460adfb30191c944c496fa700071edbb72d862b5ab9e50f89847479fd6f29b4ce97c7dea72db198e0dccdbbb5a111e977e2b34661ba

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
81KB

MD5
6fd0e0b63979c07046ca1af4091b02f2

SHA1
6c8a2743b070bd9cebd4d24ebf0f6ba1136f1e04

SHA256
3f82e652585b7caf22fa1d9342fa792c11feecd837b66553b06ee5c32cf32bf8

SHA512
960ff970099b0d8008c2149e0b81051d2cede58b320521a15fc7b3ceb1dbaafeb95c54ec8405026e5eec3af4081a6c2622295c04f7f4b08cc981f8bca415bf77

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
81KB

MD5
4a6ddf94227d2c58c775977dc1162eff

SHA1
f59e5f67bfc4713e2f27ba01a0c6d4da7921af49

SHA256
20a8b17e595802464c09375dffe2bafdf5a7947f1feac1a8bd6f93e79cde1458

SHA512
2ae86c61ae0efe9aa249204206bbb0f918f535c2196d3e25b7ba46b7a41c2e08b28c0f4188086543be1cc1a9ef18b90bb5d521e6bf333f364400e883bc3d5908

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
81KB

MD5
f889f391b07e90dd041da65f74b7f7cb

SHA1
836e218fc9bd7a2559a6b2c56dda94736864d5d0

SHA256
3ededd088003b86f9bc12c1b48e8e3197e2dbe38c64aeb54b67b3a840bb5c798

SHA512
775ddd161d2d0daddb9809d64a605374479db2e34ee81111b3069bcc6026e1a8d174ce2dc38e691b88a61f133099898660e211a58176a5abcc69a0ec9b26e2eb

Download Submit
memory/316-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/648-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/712-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/744-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/824-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/896-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1384-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1460-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-521-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2168-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3052-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-539-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3236-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3336-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3428-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3456-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-571-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3564-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3672-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-443-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3692-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3756-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3864-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4008-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4056-431-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4100-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4208-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4464-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4472-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4528-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4544-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4660-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4708-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads