berbew | 1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2024, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
Size

320KB
MD5

a9feb93515ab0f298a454fe55d949ea0
SHA1

590b574585e94a24695eaf6e6d03bec340e92499
SHA256

1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7
SHA512

82976d6d97cb256f6f9a9daadb17e8a383aba2ea4377ad283a452f22d3e940ade5f1b41b177fd25484b1ecc363442bd90dd96f92e5fa6e0cb1633f8928a20f29
SSDEEP

6144:/DrJEyBsVQ///NR5fLvQ///NREQ///NR5fLYG3eujj:/2Xw/Nq/NZ/NcZq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4568	Pncgmkmj.exe
3664	Pdmpje32.exe
2640	Pjjhbl32.exe
4260	Pmidog32.exe
2316	Pgnilpah.exe
4020	Pfaigm32.exe
4764	Qdbiedpa.exe
1344	Qceiaa32.exe
2620	Qfcfml32.exe
2656	Qnjnnj32.exe
4936	Qddfkd32.exe
4268	Qgcbgo32.exe
3492	Anmjcieo.exe
1636	Aqkgpedc.exe
2400	Acjclpcf.exe
5116	Afhohlbj.exe
3968	Anogiicl.exe
4524	Aclpap32.exe
3832	Ajfhnjhq.exe
5056	Aqppkd32.exe
3384	Agjhgngj.exe
4304	Ajhddjfn.exe
1800	Amgapeea.exe
3040	Aeniabfd.exe
3516	Aglemn32.exe
1484	Anfmjhmd.exe
368	Aepefb32.exe
1252	Agoabn32.exe
5036	Bagflcje.exe
112	Bganhm32.exe
4004	Bjokdipf.exe
3152	Bmngqdpj.exe
3940	Beeoaapl.exe
4656	Bffkij32.exe
4588	Bmpcfdmg.exe
5004	Bfhhoi32.exe
2180	Bnpppgdj.exe
4968	Bmbplc32.exe
4360	Bclhhnca.exe
1440	Bfkedibe.exe
316	Bjfaeh32.exe
2280	Bapiabak.exe
4196	Bcoenmao.exe
3784	Cfmajipb.exe
2384	Cndikf32.exe
3468	Cabfga32.exe
1536	Cenahpha.exe
1380	Cfpnph32.exe
1500	Cjkjpgfi.exe
404	Cmiflbel.exe
880	Ceqnmpfo.exe
3004	Chokikeb.exe
3984	Cfbkeh32.exe
4100	Cnicfe32.exe
1696	Cagobalc.exe
628	Ceckcp32.exe
2436	Chagok32.exe
2796	Cjpckf32.exe
4964	Cmnpgb32.exe
4488	Cdhhdlid.exe
2724	Cffdpghg.exe
2672	Cjbpaf32.exe
936	Cmqmma32.exe
3660	Calhnpgn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pjjhbl32.exe
File opened for modification	C:\Windows\SysWOW64\Pgnilpah.exe	Pmidog32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pgnilpah.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Kgldjcmk.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	2264	WerFault.exe	167

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pncgmkmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeiam32.dll"	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4568	4872	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe	82
PID 4872 wrote to memory of 4568	4872	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe	82
PID 4872 wrote to memory of 4568	4872	1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe	82
PID 4568 wrote to memory of 3664	4568	Pncgmkmj.exe	83
PID 4568 wrote to memory of 3664	4568	Pncgmkmj.exe	83
PID 4568 wrote to memory of 3664	4568	Pncgmkmj.exe	83
PID 3664 wrote to memory of 2640	3664	Pdmpje32.exe	84
PID 3664 wrote to memory of 2640	3664	Pdmpje32.exe	84
PID 3664 wrote to memory of 2640	3664	Pdmpje32.exe	84
PID 2640 wrote to memory of 4260	2640	Pjjhbl32.exe	85
PID 2640 wrote to memory of 4260	2640	Pjjhbl32.exe	85
PID 2640 wrote to memory of 4260	2640	Pjjhbl32.exe	85
PID 4260 wrote to memory of 2316	4260	Pmidog32.exe	86
PID 4260 wrote to memory of 2316	4260	Pmidog32.exe	86
PID 4260 wrote to memory of 2316	4260	Pmidog32.exe	86
PID 2316 wrote to memory of 4020	2316	Pgnilpah.exe	87
PID 2316 wrote to memory of 4020	2316	Pgnilpah.exe	87
PID 2316 wrote to memory of 4020	2316	Pgnilpah.exe	87
PID 4020 wrote to memory of 4764	4020	Pfaigm32.exe	88
PID 4020 wrote to memory of 4764	4020	Pfaigm32.exe	88
PID 4020 wrote to memory of 4764	4020	Pfaigm32.exe	88
PID 4764 wrote to memory of 1344	4764	Qdbiedpa.exe	89
PID 4764 wrote to memory of 1344	4764	Qdbiedpa.exe	89
PID 4764 wrote to memory of 1344	4764	Qdbiedpa.exe	89
PID 1344 wrote to memory of 2620	1344	Qceiaa32.exe	90
PID 1344 wrote to memory of 2620	1344	Qceiaa32.exe	90
PID 1344 wrote to memory of 2620	1344	Qceiaa32.exe	90
PID 2620 wrote to memory of 2656	2620	Qfcfml32.exe	91
PID 2620 wrote to memory of 2656	2620	Qfcfml32.exe	91
PID 2620 wrote to memory of 2656	2620	Qfcfml32.exe	91
PID 2656 wrote to memory of 4936	2656	Qnjnnj32.exe	92
PID 2656 wrote to memory of 4936	2656	Qnjnnj32.exe	92
PID 2656 wrote to memory of 4936	2656	Qnjnnj32.exe	92
PID 4936 wrote to memory of 4268	4936	Qddfkd32.exe	93
PID 4936 wrote to memory of 4268	4936	Qddfkd32.exe	93
PID 4936 wrote to memory of 4268	4936	Qddfkd32.exe	93
PID 4268 wrote to memory of 3492	4268	Qgcbgo32.exe	94
PID 4268 wrote to memory of 3492	4268	Qgcbgo32.exe	94
PID 4268 wrote to memory of 3492	4268	Qgcbgo32.exe	94
PID 3492 wrote to memory of 1636	3492	Anmjcieo.exe	95
PID 3492 wrote to memory of 1636	3492	Anmjcieo.exe	95
PID 3492 wrote to memory of 1636	3492	Anmjcieo.exe	95
PID 1636 wrote to memory of 2400	1636	Aqkgpedc.exe	96
PID 1636 wrote to memory of 2400	1636	Aqkgpedc.exe	96
PID 1636 wrote to memory of 2400	1636	Aqkgpedc.exe	96
PID 2400 wrote to memory of 5116	2400	Acjclpcf.exe	97
PID 2400 wrote to memory of 5116	2400	Acjclpcf.exe	97
PID 2400 wrote to memory of 5116	2400	Acjclpcf.exe	97
PID 5116 wrote to memory of 3968	5116	Afhohlbj.exe	98
PID 5116 wrote to memory of 3968	5116	Afhohlbj.exe	98
PID 5116 wrote to memory of 3968	5116	Afhohlbj.exe	98
PID 3968 wrote to memory of 4524	3968	Anogiicl.exe	99
PID 3968 wrote to memory of 4524	3968	Anogiicl.exe	99
PID 3968 wrote to memory of 4524	3968	Anogiicl.exe	99
PID 4524 wrote to memory of 3832	4524	Aclpap32.exe	100
PID 4524 wrote to memory of 3832	4524	Aclpap32.exe	100
PID 4524 wrote to memory of 3832	4524	Aclpap32.exe	100
PID 3832 wrote to memory of 5056	3832	Ajfhnjhq.exe	101
PID 3832 wrote to memory of 5056	3832	Ajfhnjhq.exe	101
PID 3832 wrote to memory of 5056	3832	Ajfhnjhq.exe	101
PID 5056 wrote to memory of 3384	5056	Aqppkd32.exe	102
PID 5056 wrote to memory of 3384	5056	Aqppkd32.exe	102
PID 5056 wrote to memory of 3384	5056	Aqppkd32.exe	102
PID 3384 wrote to memory of 4304	3384	Agjhgngj.exe	103

C:\Users\Admin\AppData\Local\Temp\1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe
"C:\Users\Admin\AppData\Local\Temp\1966a890d1e03eff4c3321a99102b07ec67d654f4f59ff0c5004315ae4bc26c7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\Pncgmkmj.exe
  C:\Windows\system32\Pncgmkmj.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Pdmpje32.exe
    C:\Windows\system32\Pdmpje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\SysWOW64\Pjjhbl32.exe
      C:\Windows\system32\Pjjhbl32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\SysWOW64\Pgnilpah.exe
        
        C:\Windows\system32\Pgnilpah.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        50⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2724
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4884
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        75⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        77⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        79⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        86⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        87⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 404
        88⤵
        Program crash
        
        PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2264 -ip 2264
1⤵
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
320KB

MD5
9c46d2e303d77817ac8078e935b6a03a

SHA1
8c12c4c12316c69e226e61a8d978e86cef5e4a99

SHA256
ed34a315e87371676c83ad45a99f0aa09e56621aac5196a9b9ed19f811bd8914

SHA512
66c02c430c9cb6808616736adeeeae372acadbd3242b008524e8380dad43fedff8593bf9ac128d4a0af955296c9c476b83ecc4f2e2a26f9f0c16d984c1a42328

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
320KB

MD5
6dfab82ec72f4b39aae0ef2a7f95f5ce

SHA1
19f77a3bdd9a39f267eeb0dd4c8afafc7a884848

SHA256
3c76d1efe00b7adc4798589211dbcdfb851f4d5ce087453beaaa96e7e01c869c

SHA512
860e52ed8e2e113c8b7c8b710532ce1efb2a5ebbc2edb88b74c60f23f6674f265982d24f915adb72db5282004f8ec175d3a51c469c5292d5f4ea501048b908d2

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
320KB

MD5
6f39ce12ccd9370425c549235d70b4d5

SHA1
266d2872ae5cf60a01acd25e5df814d48bc4eebb

SHA256
28c55a79aa4bd3fbaac54b014c995fc64bd176c1f659a2658c5638172380ac66

SHA512
15190445a296332ead1a443b20fb46b8de9543fc397cf5b98b038d29fb7a93bd07911fad853d0bd889ce085cdbf1aa79798deb48a9d2ad606d6bf48fa23114ad

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
320KB

MD5
ab063bd8c6cf53d0089475fb7af7623c

SHA1
6aefabe522902cc2de700454a6c20edfe0a54477

SHA256
d5e6ee0b32fd1172cca6e8b0e53fda3c12808b57cb15bbf36757a784e22653e8

SHA512
e3b42aa47cc4b080079a85e211d05f28315a6b244cb838a78fee96472580e6db68d82a7bc4e74f4d2f1b426d594539a79a850cff98292e8eab8a698fcd4da99d

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
320KB

MD5
c2be51adb1e5d39dd4be39787eb7802e

SHA1
38b601368cea94b327afe0c5a9735a1f0330a11b

SHA256
4e040772a7ee6d951d77dc40c361ae4d12600f66a5800c6e20c241ae3e3c9d77

SHA512
ebb67d6f5dcb7447be57e087b587d51be777b3cdee89c7f422ab77804b48bc293536bd4120c9847d2f9e8d55beff2f557280d706fb0f7774fc10caa43c3f7fd0

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
320KB

MD5
b5a260c58ab7138bd3b1642209925e57

SHA1
9d84e918e511b572de8206a2eb916c71ea863998

SHA256
ba13c3568675405734a24616abfe0382dbd4094a15cb12dfe608415ed3e9cf6c

SHA512
6c2f204d9ebbc7c4341db2b9769f6833c0ff1485f07a17ea1ad5a55437f3d0bdffa2d13f4d166735edd9219dd689cf60654a02ddd4d8a88596cde647d30b25ec

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
320KB

MD5
2861d3d01369f42a1129eebf55271934

SHA1
d7ded2fd25945b3ef3027ed877ada8ab54baba11

SHA256
8a475c7271b70b0c4ee3aba568fd8502e1871512387e7a4d7a6c58f3ebd43295

SHA512
7342c8f58f78fa615df174ff3d4065f15389687f366a92c4fd0ff22c07a6d11ec910d5920ada6ed43bf2692f28f67af74d2e8d462b234a101368a451dde8395b

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
320KB

MD5
4f3419052d7f9e69741ccfa69e9a1d4d

SHA1
8bc43965f84c74ea163628442354b2c6803fa727

SHA256
ba66b92d8d26bfc6285adb26c7109456804860e64d255c28a53c311a8299a9b3

SHA512
343a026705452951d2dc44d4afc352b6386c78e7e5aa7e6d1020f51128d4b02978bb8718ac6a087c4ebf9ba4a185365f5cf82e9081ba2b649754cbc49f4bfd90

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
320KB

MD5
d56a5e7bd6ce38f12286550c6991390d

SHA1
d75268013585339164cf6d9344b2e78598c4ad8f

SHA256
2c15572fba6b715ec85ef9f8b58f21934296c445a4769eb400a7e95023bc97cf

SHA512
4560b7f99148ca196e5c971b545f6d61cb861778cfcc2e6035d69c813ed85199b5a6cb5ed71eab5db32e5dd19f330be7dd118b5e206faa9265b78cf49197f0d9

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
320KB

MD5
4b05627bc43566e4a3b0088885470927

SHA1
c309d06532d74d99689b2ef21ab36162b71e557b

SHA256
40bba08b99bb7acf59f174e4289c5faa2c3d096c33fa2b2b6d5eb66a65718173

SHA512
5ccc0f086e29b556954d1c317aff4bd789d4f7f39fd24d6fce0eb0d56dee639509e2b6596cbbd1b1fb0a9a7276dde613f48b3997d4bd9c7d547f5520948f0f64

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
320KB

MD5
41ebd9ddd9aca63e0538e333240ee165

SHA1
3154dd8841dd240635f74399cabea561a64e38b1

SHA256
3a756b927eae2375715c81dcb3938e2d48225e6ef172d7355cd0a02d1f53fe07

SHA512
4f51011b078984b444653185e7c5d9233ad7dd8771133ec044d51a267d8434a07118174bb7cff4ceef75b70deb6c87d68625b149b4d08c8ce272349daf245775

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
320KB

MD5
4ecbe6ec06402d89fd2a5fc37a26de61

SHA1
4dc0fdfcaa38a8e9d3b8148ed62ae41c5e33a10d

SHA256
da72f999bcc6af646da71de0536c6c9810d1a5a7b7ef5cec4d6556a30512902b

SHA512
64adfc104abda32bdb1255d8f57983fe220d2fd46f5213c529d80cd1731b15f6dab10870a3369ba4aca312ab36171fb5a665dbdf04388debd5dbdbadcdd3fcb6

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
320KB

MD5
b3dd260a0e1d44ab2d2cb1e192a04312

SHA1
fc03a6250c41d33ba02c60504f9d94925c4ade64

SHA256
a3a542d6d624f715a58874cf9b04d6ae4f6d556b276886d517f4428edc0f5a17

SHA512
4cf9f66e68b026a720a236cd1821631daf64863cbf4ee9546a567e64259b1bfde89926836d66bd245c3a7203d0c6952f5a6f336d20d82b1ef148129fde9e3bc9

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
320KB

MD5
4aa9c8ab50b1fc91311eb60ae9b9d38e

SHA1
a1e798a33a95244efb9835a809619209cdf87c2e

SHA256
0f28de9752ac73e2596c0f3574e9d09a968c6e4ad6c8a3edf6cc34425fbb52ac

SHA512
ae688cf2dc0dbd7dc282d54b91a97e79603eeff9c8bccf4ba9e5c5c48f6d7593a67ccea07dd93c79ee0e782f49352866138cf75a2a1dad392dd9a529b7489e7d

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
320KB

MD5
74ccbde2a4375e173ccd85be21b1d8a8

SHA1
f03ac444ccc277a88597b3407209643623947c9d

SHA256
66eef9bddcc3563f88e9d8eb4e770cad454a6246010c15a7e71cb8f5517d1031

SHA512
0fd79f47832a0066587b15fce7dbe23d51e4fe2336979da14f3e075dcd5ef2bc654c339658ec61dba8286d0a27a1c45ef25fb5f722c2fb29be1b671d3d2ca8f5

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
320KB

MD5
e7767af23fcd6af2083f0855da25470b

SHA1
81c934d15b5be6c71fc10ca2a6fc0c3f129a2f3b

SHA256
5194abdd958defc0f9f0541a3af370da1cfd0e5e6a5e6aeab01670a772c2e9df

SHA512
890009da67a04668ff5d315617ab98e2b47169f3771b851c441a027161af3e4b8b10e398b28d3d7cba6f094b587d4378c16d214dac1f0291748571ad7ebb1351

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
320KB

MD5
fa2121d7b696298284469bfb6f8a51a2

SHA1
a891decc6bd7e4b1921b7c3397cb8dbe4d862b96

SHA256
532c48e9ea0869c19c0807409c168ac8c9b1994086ba301bf7093880ede8039f

SHA512
f9d2b20038fba8422752d785d0bce5238a4b0ff3456877c56fe393737aebc8a19af88e4619aaa9a27039612565636d54ff589b4a556741036eea66f9bba80886

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
320KB

MD5
d2ce5f7fb5fb55855e2a3e59a4d401d3

SHA1
5c7c6af0397ba53a9609d883c2c6695db56a80df

SHA256
83260a6a0a194cf39a641f4b0c87170c348fc14cafde60e93a6b84a4dde8f9b6

SHA512
1f84bd18ab7cbb948644a60041fec5c6384514e421bd840168e4115e7f65dafd56ed4dc6bce714ddd9ec7b6d894278eee265d9705ecc38a6b528f0ad3eb0403f

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
320KB

MD5
d5e8d438cd31f88ec32d460dae44ecfe

SHA1
b230d025643065a34d3d7269c1c457b2e5119167

SHA256
384f977fb5c0bc04417c8fa154ae51400c2ceac330a5bd56ad9c89bb5072629c

SHA512
5318fcb5503da36608594d2323a65aee2b8264dd47a208c5d2e62989c7f80f889b5bc3d28505d123c6cb139166ae445832c80decf714017c3397ad3b38355c06

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
320KB

MD5
c48c0d978babfb08b010235c429991f5

SHA1
7e5817061f51a9b50bf85d60f82ab31474512118

SHA256
f523b72f1907a7ae72c19b202bc958f4507f847b41b69a11965019d8e21a7b28

SHA512
78ff0db834c54be7f8bc176fb57713a981814076eb142fb5ec8e000080c85120d497ed4b81def856e66aea906f4fb185761fb7c70187e438d862b3d16e860f0c

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
320KB

MD5
08152f331c32888fbe431fbf97bcffe4

SHA1
362d1a6ce46457109631bfd742175aa9bd8f0ad9

SHA256
a6ffcbb03ef7699bf408297efc1896ef1c4099b259330799910a29ad74bdde1f

SHA512
8d896cdfe8a0193cf5eb9f0f4768fa8231a9defb08d8d7051d0302e36d9c6bfe1f58e5b5c7fa6fc13bae2929f7f938d62274706ee524878e7c6003a356746122

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
320KB

MD5
26aa65d70d4b3d818e318bbffd7c9b4e

SHA1
18f292af7ce94720e1a4906defe0c42774cecf77

SHA256
6a7e8368cba7cc685a36623de5d46ed6cbbd24b8cc1d7352fa4d6352c32800ca

SHA512
a74c3bdd9e53409c428163467fa66b00807c757fd435fd3888805c280c7ee626980b276545a618dc33a077a9e00b97218dfdb7a0d2d6d5ef733fdd6d0996d7c3

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
320KB

MD5
96c73446102cd060189afb57306b183c

SHA1
78dfd7602ce82dd7db838e894f6c6de87f5393d6

SHA256
a4c19886d2866563c91d260608708d169b68cddeb8264bc55d3cc01dac455e92

SHA512
b0b754205707c4738c6ac19c51774f01dcca4ed4c5768839b1e5acca3b1873c630a04b18453c51bdf95253a7b0f7f9eb07227368b3f8efb21bc5beec61ed8ae9

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
320KB

MD5
bacda2f61d0883f918b1dc7193b5c284

SHA1
7f7bae27f43cb9d99da81959d9dedb759ef6f360

SHA256
27a6660af524f36c0c984b050829f78bd643ee0a21dabfc1a5f0f1663d63814f

SHA512
818360db002bd54f8615d50cbc6ebe20093845fe2267635e22c0092047b4b8c798a8da41d2735ed8da0ebe16fd40803838f0f7055e16d0d7323412b803dc45c4

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
320KB

MD5
27f204f576fd333146ac7217807b9b63

SHA1
65457801da359fe94ca1b9d4d207046e75cc5081

SHA256
70300513433e1ce07e4290b81c2e2bf4919d24bb2f4acf488f15292468d43329

SHA512
eea0c12b4e55be14d3f270e76aa8639c6fbcc0c0391818db87c5bc08c332c837b01bcc2ab4534e1f573a397a366f0108b2488d7a333a82b56e2ffa5b7b6370b0

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
320KB

MD5
dde09c31a31f471fc1adc852e6dd26c7

SHA1
e217c9d99a57d65e9f95c33ab1f2b5b05233b159

SHA256
2d85ee120c8ba53fd695db787325ad351791cb0e3ecfab0b0e53507393518bc7

SHA512
0b02b2ac7283094d114f560a62cb00b7a61334223b86265c0ea3cf1a0759d03afb94d73e68b66907b3871ad3fa654a6b7caef2243d92a148bebd304fcb387510

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
320KB

MD5
68c52cdcd490a6dcc03d62f24820d152

SHA1
b4b8064bb6aefba26f497e7c369e4fe8f4398938

SHA256
e6ce38a6769743706118e48b07fca26c781f10083fed064f40633ead8eb3911e

SHA512
6aea818ddc14f4bc9d159acda07ac3adea88790edad37834dfc3d6382dc7fe2f9cd429edeef692a5556f1c2c8eb0fe674b12f16f6f64ed4fc96d127ced8cc820

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
320KB

MD5
5c1ecbbdc04037c001119c4ba5fe62b4

SHA1
23dbd7c8a263c9aa03c3ba48b29dc39a9f6a2c76

SHA256
b4a8aec8a15a361b4757434533d0573c9f15ecdefb009b5a618a506b64940dae

SHA512
5c4ee7c6ec40070285ff47ae98821c86cfa591e7f9b3bc746851fb6f39d60e4b1f6d1bdac23c6e3d5d47260047fe57d31794131709ab2e5af9c24fa4137da4f4

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
320KB

MD5
1bcaadba7efbd3efd7af1e23a5ebce63

SHA1
5b177083b0fa3372516b7199fb4699d932973ff1

SHA256
9cf515ea89a37647d1cb76ff4fa6207a9e94215d1729531a8ec6f50bdda5b0da

SHA512
4345f06e8a6746b09d51851c5e7db69fa0d27aceb603a2b1da0301d5d1c8f72ad79e03d9928f68b54bda32e9cd4039e266a731e5c450753d668b2433a649410a

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
320KB

MD5
ba019091be2640ccce493b3837751baa

SHA1
85f686dda1fc0e41137b02714ab7e23747ee9704

SHA256
9afef646f26e0d025e8317e88b9e2efc3fe2a3f90bbff5dcf66074debc1156f5

SHA512
b0edf03ded7547e0b19e0e71ccc25358ee1519aba6f3bc6edf95aeeeba22394cc5775729f447f3553f39670aaa12666e0021e2b57732498607eeefbabf5e1ae1

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
320KB

MD5
fb003716acf48f15aa474386ab1caf06

SHA1
61e9d8d5dc29fa094e30f09ed7ca973d487bd0d5

SHA256
9e4fde1205e8fee74238d02322daeed4fd669cce2fa015a5174151b11de8d747

SHA512
14d40f482d985a9e09a0560e83beb402ef6ccf4913373ba1bedc7a19118aeaa3bd0f3f3a6c0b13a60a15f11ca997b4b3e6e86c0706713757f3842f0e5e58cfe3

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
320KB

MD5
8e33a32046e2dc8c5abb94ebdca93ad4

SHA1
96d68311e9d8cc6657810cacbb9247b990dd7618

SHA256
84aaf6e61e007d7b460de87820aad323bdb254f1e49597b89885430c444cff31

SHA512
eba42f91e8e275169ddd2988889334ced9ab81cf953233efd62b85e2f305906ef59eadb62ffb7b6377ebeeedb77f8b31fd2ee640e2502fb5a5cc0cbe2dc4a0e9

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
320KB

MD5
8ffad45aac5412ac7d55da55bde456d8

SHA1
421cc03e5f99cc4ca298ba5dc661ce68d7df8750

SHA256
3893df2743d17118f9cd605af39e781a4bb2095ff9586730aa1aa718b0d3519d

SHA512
54acb52479efb6ed5d11122700113bb96fbdfdefc3b96587c3127fd65df81498d772bfdcfe62db2e4592ded2a7f8ce15dd84fda3248892001d13bcf2a7e2cebd

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
320KB

MD5
539ad2052453cb83ca3d1606b4269d4b

SHA1
44edee94c383d14819b76647f24bbe95b9d335da

SHA256
de895420ec4599acb395ceb63478c10d5831392a1e135f9f43bc866481f8c738

SHA512
86289641f2e04529b9ac681ff37a5d6de52cdfe2e9662b0e39a53175c2ae40511c61e1fa2cb72fbf9cea1c34a2c314c1748397f4872d8f5e1b8faf0aed9bd708

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
320KB

MD5
24fd1cf9d8471dd0d76abce288d75988

SHA1
fd73a56b1468aac39c0da47b0a51a1104c5e0653

SHA256
608544960a5aeeeaaa7dc457f27c71571c328b2f02aa6cb6c800b38d744db86c

SHA512
eb2874615b9e409d8f6f19dda06a217154a63537f3d4f3ebe0b82ca0f4a600fe0e1db0c1629ec4767737ba24b896aa7a5adea52ceb4c39348b031924141fa02f

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
320KB

MD5
0f32350e68833dc24d981366d57ace66

SHA1
d5691847125221fc5081891ce2cf3f83454390e5

SHA256
5afb99edac1d6af93415824372768a4b53e6e93ed26d6fa979591754c231432c

SHA512
d43473ae96e5e87a94447e6a8543bc67af10a233150c7dcfdd672589950af0f3f9d66dec8723b32535fdc6fe655c5b1114868b0862ad6c9934e08f3c5ff46bbc

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
320KB

MD5
fb420b3f1d4c00e62950dbcd3efb6a12

SHA1
658c40fd6ff2f45330ea9c18088eea0999529158

SHA256
6d6d4b4537e9c8983c7a0d0c023fd59074673dc954d1f71d8ca57a995f3ac2e0

SHA512
7a5bf4e73bb9e1c730cf4c8eecff32143b6e5b2fee16d29445c27344dfadd7703b35504b8d014a51cadc2c937f48ffa5167c062c79f313e08ae034d7526f2c92

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
320KB

MD5
25811ab995474d5602a4b1652acf6dc8

SHA1
3ca6dbd1d45e75535aac871d517cf545c685fa1a

SHA256
0c2a8671c572bdcd1f4c61e06a021017e178eb3882617d0267f19a794452c68e

SHA512
175ae7116a80f3ffdd953a0a1220b0499f19e4359aac545a7bdf77adcd9e5e179ac9923eb78722ff7d334db0d99cdc6036eb90200ddcdfb163a2e868d6ec18d1

Download Submit
memory/112-241-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/316-312-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/368-217-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/404-366-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/628-402-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/872-555-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/880-372-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/888-270-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/936-444-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1076-576-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1252-225-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1332-548-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1344-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1380-354-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1440-310-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1444-492-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1484-209-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1500-360-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1536-348-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1636-112-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1696-396-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1780-474-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1800-184-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1828-522-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1972-528-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2180-292-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2264-583-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2264-585-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2280-318-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2292-541-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2316-575-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2316-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2384-336-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2400-121-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2436-408-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2620-72-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2640-561-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2640-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-81-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2672-438-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2724-432-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2796-414-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2936-468-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3004-378-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3040-192-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3100-480-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3152-257-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3384-168-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3468-342-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3492-104-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3516-201-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3644-562-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3660-450-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-16-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3664-554-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3668-466-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3784-330-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3832-152-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3932-569-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3940-263-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3944-516-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3968-136-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3984-384-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4004-249-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-582-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4020-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4100-390-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4104-535-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4108-498-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4196-324-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4260-568-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4260-32-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4268-96-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4304-177-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4360-300-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-456-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4488-426-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4524-145-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4540-504-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4568-547-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4568-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4588-276-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4620-510-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4656-269-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4764-56-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4764-584-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4872-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4872-534-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4872-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4884-486-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4936-88-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4964-420-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4968-299-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5004-282-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5036-233-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5056-160-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5116-129-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads