berbew | a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
Size

109KB
MD5

a497e8d2c1a06c006c00d9580ce39380
SHA1

27e3a1736a9f36fcabf5673bf26bd919c78ec735
SHA256

a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224
SHA512

a9f0e874c5ef908d0cf5df4d5c20257c9f7b481cbc98f4fb833cfb83aa2909aac9be25a0c6ca63244c19c8629f2d05422c375d2d32eeedc2857a41e904f4a6d4
SSDEEP

3072:FWAFp1wOArZD1KSKS8fo3PXl9Z7S/yCsKh2EzZA/z:twTySgo35e/yCthvUz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnonbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
1820	Pdfjifjo.exe
2696	Pfhfan32.exe
3620	Pnonbk32.exe
2124	Pjeoglgc.exe
1488	Pcncpbmd.exe
4040	Pjhlml32.exe
4124	Pqbdjfln.exe
2232	Pjjhbl32.exe
4488	Pcbmka32.exe
3148	Pfaigm32.exe
4200	Qmkadgpo.exe
1804	Qceiaa32.exe
3796	Qffbbldm.exe
1212	Anmjcieo.exe
3552	Afhohlbj.exe
4720	Ambgef32.exe
3292	Aeiofcji.exe
3512	Agglboim.exe
1684	Anadoi32.exe
724	Amddjegd.exe
3276	Acnlgp32.exe
4824	Ajhddjfn.exe
1932	Andqdh32.exe
2956	Aeniabfd.exe
2848	Aminee32.exe
5068	Aepefb32.exe
3136	Accfbokl.exe
4172	Bfabnjjp.exe
1520	Bjmnoi32.exe
3944	Bmkjkd32.exe
3660	Bebblb32.exe
2964	Bganhm32.exe
3112	Bnkgeg32.exe
5004	Beeoaapl.exe
3408	Bgcknmop.exe
232	Bffkij32.exe
2500	Bnmcjg32.exe
4992	Balpgb32.exe
2552	Beglgani.exe
4392	Bgehcmmm.exe
2628	Bjddphlq.exe
2672	Bnpppgdj.exe
3716	Banllbdn.exe
3192	Bclhhnca.exe
1604	Bfkedibe.exe
4444	Bnbmefbg.exe
2484	Bmemac32.exe
5088	Belebq32.exe
1532	Chjaol32.exe
1596	Cjinkg32.exe
3728	Cndikf32.exe
316	Cabfga32.exe
5116	Cenahpha.exe
5044	Chmndlge.exe
3284	Cjkjpgfi.exe
2736	Cmiflbel.exe
5072	Caebma32.exe
2348	Cdcoim32.exe
1644	Cfbkeh32.exe
4616	Cnicfe32.exe
3060	Cagobalc.exe
5084	Cdfkolkf.exe
1240	Cfdhkhjj.exe
1444	Cnkplejl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Pnonbk32.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Fjbnapki.dll	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pnonbk32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2924	876	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnonbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcbmka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnonbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 1820	4224	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe	83
PID 4224 wrote to memory of 1820	4224	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe	83
PID 4224 wrote to memory of 1820	4224	a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe	83
PID 1820 wrote to memory of 2696	1820	Pdfjifjo.exe	84
PID 1820 wrote to memory of 2696	1820	Pdfjifjo.exe	84
PID 1820 wrote to memory of 2696	1820	Pdfjifjo.exe	84
PID 2696 wrote to memory of 3620	2696	Pfhfan32.exe	85
PID 2696 wrote to memory of 3620	2696	Pfhfan32.exe	85
PID 2696 wrote to memory of 3620	2696	Pfhfan32.exe	85
PID 3620 wrote to memory of 2124	3620	Pnonbk32.exe	86
PID 3620 wrote to memory of 2124	3620	Pnonbk32.exe	86
PID 3620 wrote to memory of 2124	3620	Pnonbk32.exe	86
PID 2124 wrote to memory of 1488	2124	Pjeoglgc.exe	87
PID 2124 wrote to memory of 1488	2124	Pjeoglgc.exe	87
PID 2124 wrote to memory of 1488	2124	Pjeoglgc.exe	87
PID 1488 wrote to memory of 4040	1488	Pcncpbmd.exe	88
PID 1488 wrote to memory of 4040	1488	Pcncpbmd.exe	88
PID 1488 wrote to memory of 4040	1488	Pcncpbmd.exe	88
PID 4040 wrote to memory of 4124	4040	Pjhlml32.exe	89
PID 4040 wrote to memory of 4124	4040	Pjhlml32.exe	89
PID 4040 wrote to memory of 4124	4040	Pjhlml32.exe	89
PID 4124 wrote to memory of 2232	4124	Pqbdjfln.exe	90
PID 4124 wrote to memory of 2232	4124	Pqbdjfln.exe	90
PID 4124 wrote to memory of 2232	4124	Pqbdjfln.exe	90
PID 2232 wrote to memory of 4488	2232	Pjjhbl32.exe	91
PID 2232 wrote to memory of 4488	2232	Pjjhbl32.exe	91
PID 2232 wrote to memory of 4488	2232	Pjjhbl32.exe	91
PID 4488 wrote to memory of 3148	4488	Pcbmka32.exe	92
PID 4488 wrote to memory of 3148	4488	Pcbmka32.exe	92
PID 4488 wrote to memory of 3148	4488	Pcbmka32.exe	92
PID 3148 wrote to memory of 4200	3148	Pfaigm32.exe	93
PID 3148 wrote to memory of 4200	3148	Pfaigm32.exe	93
PID 3148 wrote to memory of 4200	3148	Pfaigm32.exe	93
PID 4200 wrote to memory of 1804	4200	Qmkadgpo.exe	94
PID 4200 wrote to memory of 1804	4200	Qmkadgpo.exe	94
PID 4200 wrote to memory of 1804	4200	Qmkadgpo.exe	94
PID 1804 wrote to memory of 3796	1804	Qceiaa32.exe	95
PID 1804 wrote to memory of 3796	1804	Qceiaa32.exe	95
PID 1804 wrote to memory of 3796	1804	Qceiaa32.exe	95
PID 3796 wrote to memory of 1212	3796	Qffbbldm.exe	96
PID 3796 wrote to memory of 1212	3796	Qffbbldm.exe	96
PID 3796 wrote to memory of 1212	3796	Qffbbldm.exe	96
PID 1212 wrote to memory of 3552	1212	Anmjcieo.exe	97
PID 1212 wrote to memory of 3552	1212	Anmjcieo.exe	97
PID 1212 wrote to memory of 3552	1212	Anmjcieo.exe	97
PID 3552 wrote to memory of 4720	3552	Afhohlbj.exe	98
PID 3552 wrote to memory of 4720	3552	Afhohlbj.exe	98
PID 3552 wrote to memory of 4720	3552	Afhohlbj.exe	98
PID 4720 wrote to memory of 3292	4720	Ambgef32.exe	99
PID 4720 wrote to memory of 3292	4720	Ambgef32.exe	99
PID 4720 wrote to memory of 3292	4720	Ambgef32.exe	99
PID 3292 wrote to memory of 3512	3292	Aeiofcji.exe	100
PID 3292 wrote to memory of 3512	3292	Aeiofcji.exe	100
PID 3292 wrote to memory of 3512	3292	Aeiofcji.exe	100
PID 3512 wrote to memory of 1684	3512	Agglboim.exe	101
PID 3512 wrote to memory of 1684	3512	Agglboim.exe	101
PID 3512 wrote to memory of 1684	3512	Agglboim.exe	101
PID 1684 wrote to memory of 724	1684	Anadoi32.exe	102
PID 1684 wrote to memory of 724	1684	Anadoi32.exe	102
PID 1684 wrote to memory of 724	1684	Anadoi32.exe	102
PID 724 wrote to memory of 3276	724	Amddjegd.exe	103
PID 724 wrote to memory of 3276	724	Amddjegd.exe	103
PID 724 wrote to memory of 3276	724	Amddjegd.exe	103
PID 3276 wrote to memory of 4824	3276	Acnlgp32.exe	104

C:\Users\Admin\AppData\Local\Temp\a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe
"C:\Users\Admin\AppData\Local\Temp\a6061ab68b04da8b51753e58bb098a9f9c05119029ea76119813d16d6a12a224.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\SysWOW64\Pdfjifjo.exe
  C:\Windows\system32\Pdfjifjo.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\Pfhfan32.exe
    C:\Windows\system32\Pfhfan32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Pnonbk32.exe
      C:\Windows\system32\Pnonbk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        29⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        34⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5084
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        69⤵
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:368
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        85⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        89⤵
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 408
        90⤵
        Program crash
        
        PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 876 -ip 876
1⤵
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
109KB

MD5
82cce0bdcd524675c6d3a9142cf5213a

SHA1
14edd31c4e96cc4050d1bb04f00a3e1368d77ae8

SHA256
a2317a734ae7e18d9f8bca8170ef970c9b63798de3393df949e4f7bed0afdfab

SHA512
cd596c0dc321f220f4f89f58f48c38401157aa17a6a9d3557fd4779263d78649e84d5857bd66a95147e912bd8213838ac022192ea0f85480f6173b74a33c2f76

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
109KB

MD5
6dee3999167993c98d5c119f80e9957b

SHA1
4cb8757f40119df73f2834764fe53e8022ec3ee5

SHA256
3e93645414e94cbc1adc66f06e12b388d12be171c23bd1cb6ae02c6cd94160af

SHA512
1ffb766e510726a025c602d3e15f20b07a06cdc16f1d8c6f977969e2bbed335eb88f7319cf7abb95503c1d453e80dd00c7770c08818fc881277f017f260b6c89

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
109KB

MD5
74bbaf21996114cb7dac83cc63d47518

SHA1
3770bd9ee9233f3680bcd7a109a17b68cdbe66af

SHA256
bf050171d84beb39935c318a6b4ffafb92dbf4fb3b6c541c2bc9e4f0f831993e

SHA512
9aafe1862c1d69f145c77f8afa23389c83e7941d2b6dc590e56b035c163bff93c536b1198486f227268e82dfe6b2cb2a818d32ff3b7c794163b30b924ec2bd61

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
109KB

MD5
4acb54df6ce55cc7a4bc503488e79045

SHA1
f76a550a641dfc814e92716324b39548b1f3644f

SHA256
243b23a1ee998293ecee02d0c2db941540c931023db143dcefa06fbda114f120

SHA512
52ef1b914c862204026b7b48f24c15a0d4bf45ee6934f97a17aa6b662b13067aba2b1e5144e8a5f8a57186d882b5dd11b44a9fec44e3e8209607c957c9168933

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
109KB

MD5
426fac6c58150d30228f27aaf602216f

SHA1
0e869cec2f45cd30970b7e56c6e6401e76d8b30a

SHA256
5428e4d6a5d9cec6459ac883cc3e1e5092fd5905be3c3bd9467ffbf53aff0b41

SHA512
aa8b2bc0dc5b30cd457851155ed1eb1851c7ecda8249d1e328b2ec7ae1bc9da16652c9621a196e335e50468b0b722534f536e509c8168e87acaedb0d3d462c21

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
109KB

MD5
6c44ca8a16353c9e2dd1acd5f5a8d9e2

SHA1
1ac35abc0d9946ba0c8d82d4eac72c637598782b

SHA256
ab7d3a362f8a53d3a590871aca47231d2ba1cc10f7ee9676dca295e0eb4e5eec

SHA512
cc4acb1cfb2d38aa42d4c520de4495e066a610fa8d07aa0dabdfd3370c167396d4cd18b98dbcc2ba672ffda4bfc9b0e84d5343038770ea1ac1484c8360a0988f

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
109KB

MD5
24ce35efdb9a87074b839ca3aff4002a

SHA1
0ff0458422bc8733bcbc4d60f523001985764a91

SHA256
f323a9ec2a8cc8ff45f4d27a27c7d270ebc781fd12e45c72ab4548811c34b8a5

SHA512
8db84b9105beb40713507c0d93f6af7071120db32af14ce2425a91a8012f2ac7ce3713c91131da6201d9bbb55d5d403b997658f3b66153754afc77154c763030

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
109KB

MD5
f5c1b7e911b89d094c79deaeda180b11

SHA1
0ae436012945bce4d690b47dcae7fc823096695d

SHA256
c96977f69eab08362100f4593e7493d456bd5a803627c484e9a7b22a49198fa2

SHA512
65ce89b6624195a2d4645baa5139467f0c6789d232fcdcc3903a0f4b51b09130791b7b329a260ee2c1900f74805ec4766ad31399c66527da621391f64f6202de

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
109KB

MD5
c286177951e8000d50ba1aac9449adcf

SHA1
eeefb4d05d3cbae740136f4446df8cdb1492f073

SHA256
47fb0e2ba519936abfb5270f0cdc606586f68bafe94641a7e1379130e747086a

SHA512
b6354976dfb236fafb5d0e4a0ba419f45cce15a286915064a5a39b91c8b6ba34b66db72ff1fcfed50d47c80d208f4fcfed8fe7dfa6421c5f25682f08e884acf8

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
109KB

MD5
ba1e84ecb9b006f0cb8563f9b22de5ee

SHA1
ca272d083c4fb2040e34d603e164000459afea7b

SHA256
09fb2f9c0ab9c4b5d8bc6b8a32b3146249494fa2f745f6718b5844dce38a214c

SHA512
0a167b74acfecf3a0a39c75a9aa398a130f4aee3096338d379b9307387b7847cd690fa3e9337d14045c0af972ccbd12fbb570118e86c4937297378d2893695c9

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
109KB

MD5
9c785274bf4f20341fa57c18dfb0f55d

SHA1
87a21df012addf643d3ec8c4bf14d469df24cec2

SHA256
1b0ad190db09b576a3d59ed23caba7742981cb6018287cad7df19d7e85e81a13

SHA512
d6194d3c432b1a08881ce6468c7b8e6e2fe532f2b04b4c0f270563720e892e580d77b53201732028965d5c1e5beb68b85a6982ff322ca28a202a7b3e908f4165

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
109KB

MD5
7e4fb6ca9997de945a3aa8c5dc084a43

SHA1
e69995e97c0f20bbe69b572f67afead9f443b81d

SHA256
02541b47f230fb3bc57d914b38232d10e99d0576700f072e4ab07f95883c95fb

SHA512
a427669ebe9b1c1b40c082890c1742b4998226fad5d8a2701e7f83633465c3bd76465c878788cc74782924ad3b132ee8f8c240b54ff271970c434aaa154cf1b6

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
109KB

MD5
fd3433080adba89fa594ec0129025639

SHA1
fcfb4200137819cd36ff5ab08db34741ccfd1194

SHA256
7236fc6b1ff896091f42d24b3da1a27395c41b36d5aa56cb5dfdc508eadb6a99

SHA512
68f5ba069dfd2097738981074fb5c141fda183ab5133ed266aa4e488162f70ed1560c4aa07b4137155b2620d75ac4b988c394a8659abcf2101837dd00e223566

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
109KB

MD5
dcb82c275519ff5a3a8b09b9b8e8246f

SHA1
63b94d6bfeea891c8186be509b8273cc340640bd

SHA256
5df48d44071f4d85d85f87f11875a0794b09242e1a04cad7e410d94ca95f4039

SHA512
0e97849a5a16e7323451f0cbef199a567c1354052ffe890835ae4c8cf84d23b670f4236b350ae42db71e686882e8778fe130014ab4aac0a35107d5b5bc33aa72

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
109KB

MD5
d4d35765aff1cbce859584a55ed81d3e

SHA1
d75fe206b526e01b9d6c846a74868f1778680055

SHA256
e86aa31458589da594da717b21aa6816a71e995c410f72e922ebfb11f3f37fcd

SHA512
c4ea260bbfe1e35870bb85c2a34f79fac7e3c67006f8751b569c549ea29c506d6448aa33a8486469d938a49c722d513ef94d42d6b3e3d6cd526636ac57061d9b

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
109KB

MD5
f330b32a4cfc3c133667bc060cd76ce7

SHA1
d27652247cf1d99504c2018c67d9d5dfaa68cf8a

SHA256
f139e98e94babb1f6ca01ca45c7e03f6621a5d04cd828036eb4241878e25ae67

SHA512
013c9b8073e1380010f5656b342288a0e71e93c534d44a3a2225424836398f5af931e0f7610580dc9afb81d222ca6a8edd00bd9f46c737a24dfe21df67c52a40

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
109KB

MD5
a41cf9dfc72f911b409da8dbb3cbc160

SHA1
8aedf53ff203c9e185e3f492db0dd167e1556594

SHA256
19908749bba617c475108adccdf2a083939e8fc4f0ed51c5570add9bc5493502

SHA512
5563574a3b0ff972789cdd6c30f48e4c825692771de659970fa2d548510f118dda6f8a0b65808dc9a3255d2e36e8dca40004d36294536e86431350a428b0c81f

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
109KB

MD5
b9357be066abeaa279b37959fd9cc2f5

SHA1
5bf2691a6ba399156fb232411d7750307211be68

SHA256
4f1efe060cf93213e0696464a756654ce651b6ba9aa1fb4aedd049846bb1eba3

SHA512
1778c788207ad736b1c9283a1d111565d5437769d0d2baebd7bba450b191a16f44d053974a3a78161d7f06323829e0f53db22bb8659af078597fee3cc49a85ca

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
109KB

MD5
b03ed9ccc6923cd76325ea4d3b33553d

SHA1
f3a244c976666b97c626c4e011890bd6dfdae31f

SHA256
170985f93d3abd401e9da6cf7bd2c8d0ba1b8fa2296b8364b38b340fd459da0a

SHA512
d36b2271f0e38a07a749eebcbe6f6f75136aafa03202b1310900b4c88f37b76c3189454548b76341ff8b695687bca36bc2bf8abe97a9c444e105c6d4812f3a24

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
109KB

MD5
6f09d814edc703746ff4ad502d70554e

SHA1
e3fa2dde49e05d09c0beab98b28bd9436799f1d9

SHA256
0db0653e11dface16736226ce2de678c7756313f239f41d8eec2f4f0c0de5871

SHA512
01bc6e04ecba0554d72239e74b7fe84ecd461a6327d1835b580760f8bfcf780a88b225f3b036e6d03f39f9453b07aa0f5f956f5cbb2b3b9aecd77a57c96cfb33

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
109KB

MD5
d64ac3d6c20cb25cdd88e2d5e0298bb2

SHA1
e7f68e38d803ef31b98ee116a1dc1aeac34db0ba

SHA256
ee2a76d0fe3ae1e16dfd7fb584f6e7d2c5221f0daa432d2cd7296fc039da168c

SHA512
4aae0e4903cc4f36535b3761ee2151329e43d802beee6bd4f71f04aa645ca4e682c144200592d690519755a0373d8c3898315a13455e42685f19d9c8540a00f4

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
109KB

MD5
140ffdde2446a851a46d0ad4dafb114f

SHA1
df72942f202e33709757653ced2582a493c10f05

SHA256
a614b7afa7764cc3b71e81780ae635c4803858d5dd08062136aa3ea8dbb2a192

SHA512
f6ed2115f00a1298b464a3ee9099d61961481fe8dd04e2d836f8d2a467db2165e49aeb1596517ffbe945ed0288c37798ba9fd99bee99dd3b3fba82b656c70c75

Download Submit
C:\Windows\SysWOW64\Oomibind.dll

Filesize
7KB

MD5
27bf959ba39359c574a6d0a816813d0a

SHA1
d1be990c01fa927e1bd0433bee0590f93d907ef0

SHA256
ac6c9256cc3b1b4b0ec19d2f64fb907502dc2f4b1c70d95e93efb07aeca766d6

SHA512
dc4ba48acb55873a2eeff504e365e584853c400b4cff25458160890b5a0a5171cc4b8ffa48791354fc06f379a91001624b18bfcbca745fb99d3239ec3dd13680

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
109KB

MD5
d466387f407a2ae52d767a64561e4bbf

SHA1
fb97b02502f900a518530bbff448d990c346a625

SHA256
d98776913651b485770e09835962da617043dd7df30f2718d1bb5de7914680b0

SHA512
c3ae62e13dc5d23c3aebb298bf2e907f4216e416c0919a7801fe0715d6821d2a45d24ca84cdd86b80063148e89c65083ba810f3177c1cb74044e99bff180f4c8

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
109KB

MD5
c492d4e5be8b56267e672b92fc487e55

SHA1
4c22de5424293c911bc6b57f41ca1122dff70d83

SHA256
e6021d7b9908fd607a5175e7006ef52ca59f227749a58528a4baa79b9c530350

SHA512
2c5baf1b6995f3bd53909cbc37f6b0d1e93ac25d3097128f09ec0026f625fd8483455fb3bd99921afde9bb71944e7d8272cbf7a924ec1d4762d00c6f2c97b2b4

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
109KB

MD5
5887a048735db0b00d4618b65557aa1e

SHA1
6e517c14ed551e3f3f454abe3bdb7914b145148c

SHA256
b899d76a2876474024ee8f11f54f60969463fd14b056ee3353442e3195c5efe0

SHA512
67f02bcff3b188259a513a9e7b8b594c710b7c777c43fe07a99fd24465b32a719187f887e29ccd0f86cc7910fbd80c6d32bd4aaec78cf0f401e416d188e79fbb

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
109KB

MD5
b9c3734bb18bc862e186e30c163e9583

SHA1
eafb5f86a1daab7b6d873c42d73f182970bad518

SHA256
bad791d71762d009e7b56d74ba94881393292e8981ce22e9429b1a64011dd3ec

SHA512
d87cdeafd6411336fc086d4709a6a1c3abac8a93c05c09e6b20bdaa0ea8b7dfe3f58efe7da8a814113a3275ea4ef9ea97e44ba82a3809e64adf24fee1db9be16

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
109KB

MD5
84acf79bd9c4af08489cb3407d56c2ce

SHA1
ee117740f215d3104a63118d2522904fa449320a

SHA256
fed7540361ceca22d5ba07314127da7f9cb62b12a622320a5c1842f65bbe3aeb

SHA512
6aeae7b6606967e97678cefc3cb1c8dd7490dc71e73adaa7b23b7a20ac35a82753ccba64575276e46c315c2394400d8018ea45a9289d8dbc322491fe2b771f4b

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
109KB

MD5
601181f09887aa86b5d0ef2d344774e7

SHA1
4a99aab7efaae54b1d2e271ba98c993b95f2e810

SHA256
4c922a21d06c87f3ae036d56ea4e49c93241cc4aa482591d6b3bca487f53508c

SHA512
3658bd5bb71f710032db8f6c83ac3f03b547585ca040cb55f2b0f67f54a7583c211e0bb2c14eec321be08c953d62bae5dbd67aec381df5202ef84e5efe4f987c

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
109KB

MD5
2508c65546956fa0aea09727e4057ae8

SHA1
e2cb202faafe9ffa943b77a967972ca57151731a

SHA256
dfeb1b15c5721d2acb3fc593a7eea69c4a1f8326484d1687e2453961b9a00e15

SHA512
3016ddde898d7e7fbb773b0229dfb381e08585d5c7d7b9f9b4d8e2eac5cd4bf249bfe5a7627eded47184c10ef1b2ba7b453a4e5d88cdc83cf81307c18f1a22b3

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
109KB

MD5
4e12855d32d7f7a7b2105d4836304210

SHA1
129fbc40cc6dcb5925d16b4eb76f10aa5ce6bcf0

SHA256
e0a47d929dcf1ce5c3696b79a4ce73b6f4e6b387a5555f08a92118b1706c3a42

SHA512
0772e8bc029406b1ba936a1ccdbe787188ddcb217928d76ea4647fdb000404dbdfbaab4181874fff89923c29bf4b331f31bb7d02e836a2855d18c8036b8d7208

Download Submit
C:\Windows\SysWOW64\Pnonbk32.exe

Filesize
109KB

MD5
9166f2fae4957eef645929586bd30047

SHA1
e699c757bcb239b63e60fc5ebffd1e8e6efaff93

SHA256
8529067eff43e4ec7d026d6688e36c9ee53c7af030b6742dc0f7299d7f092313

SHA512
1d876c1a3a66538b42113b1c6709c487ab2075464c7e5b0d97715c3b8517e2e4bf4a23c4e7796eda269979823c5c03584e01137858a91092a9f459173e3f31e3

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
109KB

MD5
c97ef5aa5ca997fd2885678d965fa860

SHA1
141d1899f20998b6d8507253e33f197f958cec1c

SHA256
7b563adff43bd364e933748ea982f1ef8f9263c3a37e1c043118420930b89052

SHA512
7e62c9bb7fe171985f0ab041892c9e8663859f334038b75ec7487b9f48636807a24f698b9cd7490e16c0c48861c4517e4ce0212cd52b0883d667be1e3a68552d

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
109KB

MD5
3acc55765361bb9233840e6ef6f543c0

SHA1
52a4d9312eb7cf76cbef8cc2d9a1de98a0013e28

SHA256
2f5bf6afb49884391a4cf86c2a1fdf6ad09c0a1efb53cd6f31d13b48434bc603

SHA512
b3b135fcdf327c1762907ae1fca1299ef3da77f66e5aa7e6b679dc5a769f9540eed2c605c3bdb1c23862bff3f31b68fc81cb36301d794edbca962b698715323f

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
109KB

MD5
190a0782b6066f7313be04b40ac7b4b4

SHA1
5dcfa5d47e85deee967a745778e65619932024f3

SHA256
65a531bcdec185f88d62b8f2c4bb28be94d28654e0db7ea8449cf716472c8004

SHA512
33a48836db79b8b33903392361114900191b5d0da859c8c9332be03dca952d51f5df207ef1f6c07407e12bad19ec746339ce62923f90377c830adbad0ef2a7bc

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
109KB

MD5
3803e49f995f35a1d2efecb6d8e4bf03

SHA1
41365c3f4e7c1c2007507851bb51a4962f973aca

SHA256
b1b0df50fcda194863907c0f9982018f912f29706e5126d3c8a4cfba4d5aa738

SHA512
e3544bd41933eb9ccc024e5aed44c9f89982725ae009838272b0f25726ebb8b1f954effcdb94da038c7e792fbb490299b29a18065b5986d9871505cba19943d4

Download Submit
memory/232-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/316-398-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/592-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/724-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1072-530-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1212-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1240-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1376-536-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1488-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1488-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1520-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1532-380-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-386-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-356-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1684-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1804-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1820-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1932-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2028-518-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2124-115-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2168-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2232-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2348-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2484-368-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2500-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2552-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2628-332-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2672-338-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2736-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2848-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2964-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3060-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3112-284-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3136-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3148-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3148-214-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3192-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3276-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3284-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3292-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3304-548-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3408-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3512-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3552-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3552-259-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3568-488-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3620-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3660-269-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3716-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3728-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3796-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3796-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3852-506-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3916-500-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3944-260-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4124-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4124-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4200-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4200-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4224-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4244-542-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-512-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4392-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-362-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4540-524-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4720-142-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4824-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4992-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5068-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5072-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5084-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads