berbew | 7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1

Analysis

max time kernel
92s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe
Size

69KB
MD5

a38ed5fd49168dc9049b4744569b43f0
SHA1

85867731f82336eaee3dd78bb488167eab89a989
SHA256

7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1
SHA512

b8e7a29ec2c3c25f7b946dd6fee8f2630592cc1ce8a86de8e4f1a4b8219e2c93952062d3b70b1b48a79692acec60b07e04321694a2437bd6009f978b0a731eba
SSDEEP

1536:bShlJbg3pFMqhC3Sv5wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww5Iwzwwwwwwlw1g:IxQvOLJNFn/GFZC1yN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmfhig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdkcde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pgllfp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdkcde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdmpje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
2904	Pdkcde32.exe
4060	Pflplnlg.exe
1336	Pmfhig32.exe
4604	Pdmpje32.exe
3616	Pgllfp32.exe
1384	Pjjhbl32.exe
656	Pmidog32.exe
1848	Pdpmpdbd.exe
1340	Pfaigm32.exe
336	Qmkadgpo.exe
4844	Qceiaa32.exe
1476	Qjoankoi.exe
808	Qmmnjfnl.exe
4828	Qcgffqei.exe
4612	Aqkgpedc.exe
2872	Anogiicl.exe
1516	Aclpap32.exe
4588	Afjlnk32.exe
1364	Amddjegd.exe
4888	Acnlgp32.exe
980	Afmhck32.exe
2388	Amgapeea.exe
3912	Acqimo32.exe
4552	Ajkaii32.exe
1908	Aminee32.exe
2764	Accfbokl.exe
3340	Bfabnjjp.exe
3384	Bmkjkd32.exe
2224	Bebblb32.exe
4764	Bfdodjhm.exe
2012	Bmngqdpj.exe
4836	Beeoaapl.exe
2912	Bffkij32.exe
1568	Bnmcjg32.exe
4528	Balpgb32.exe
2028	Beglgani.exe
1700	Bfhhoi32.exe
2356	Bnpppgdj.exe
1116	Banllbdn.exe
3916	Bclhhnca.exe
3760	Bfkedibe.exe
1496	Bnbmefbg.exe
3260	Bmemac32.exe
4960	Belebq32.exe
2260	Cfmajipb.exe
1600	Cndikf32.exe
1656	Cenahpha.exe
3444	Chmndlge.exe
4872	Cfpnph32.exe
3992	Cnffqf32.exe
3208	Caebma32.exe
3236	Chokikeb.exe
4752	Cjmgfgdf.exe
2964	Cagobalc.exe
1192	Chagok32.exe
5064	Cnkplejl.exe
4284	Ceehho32.exe
392	Chcddk32.exe
4596	Calhnpgn.exe
1680	Dfiafg32.exe
2236	Dmcibama.exe
2364	Ddmaok32.exe
832	Dhhnpjmh.exe
3968	Djgjlelk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Pdmpje32.exe	Pmfhig32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ciopbjik.dll	Pmfhig32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Pjjhbl32.exe	Pgllfp32.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qmkadgpo.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pgllfp32.exe	Pdmpje32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3468	2784	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmfhig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdkcde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgllfp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdmpje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmblqfc.dll"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pflplnlg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcmjaol.dll"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpabk32.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdmpje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2904	2988	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe	84
PID 2988 wrote to memory of 2904	2988	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe	84
PID 2988 wrote to memory of 2904	2988	7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe	84
PID 2904 wrote to memory of 4060	2904	Pdkcde32.exe	85
PID 2904 wrote to memory of 4060	2904	Pdkcde32.exe	85
PID 2904 wrote to memory of 4060	2904	Pdkcde32.exe	85
PID 4060 wrote to memory of 1336	4060	Pflplnlg.exe	86
PID 4060 wrote to memory of 1336	4060	Pflplnlg.exe	86
PID 4060 wrote to memory of 1336	4060	Pflplnlg.exe	86
PID 1336 wrote to memory of 4604	1336	Pmfhig32.exe	87
PID 1336 wrote to memory of 4604	1336	Pmfhig32.exe	87
PID 1336 wrote to memory of 4604	1336	Pmfhig32.exe	87
PID 4604 wrote to memory of 3616	4604	Pdmpje32.exe	88
PID 4604 wrote to memory of 3616	4604	Pdmpje32.exe	88
PID 4604 wrote to memory of 3616	4604	Pdmpje32.exe	88
PID 3616 wrote to memory of 1384	3616	Pgllfp32.exe	89
PID 3616 wrote to memory of 1384	3616	Pgllfp32.exe	89
PID 3616 wrote to memory of 1384	3616	Pgllfp32.exe	89
PID 1384 wrote to memory of 656	1384	Pjjhbl32.exe	90
PID 1384 wrote to memory of 656	1384	Pjjhbl32.exe	90
PID 1384 wrote to memory of 656	1384	Pjjhbl32.exe	90
PID 656 wrote to memory of 1848	656	Pmidog32.exe	91
PID 656 wrote to memory of 1848	656	Pmidog32.exe	91
PID 656 wrote to memory of 1848	656	Pmidog32.exe	91
PID 1848 wrote to memory of 1340	1848	Pdpmpdbd.exe	92
PID 1848 wrote to memory of 1340	1848	Pdpmpdbd.exe	92
PID 1848 wrote to memory of 1340	1848	Pdpmpdbd.exe	92
PID 1340 wrote to memory of 336	1340	Pfaigm32.exe	93
PID 1340 wrote to memory of 336	1340	Pfaigm32.exe	93
PID 1340 wrote to memory of 336	1340	Pfaigm32.exe	93
PID 336 wrote to memory of 4844	336	Qmkadgpo.exe	94
PID 336 wrote to memory of 4844	336	Qmkadgpo.exe	94
PID 336 wrote to memory of 4844	336	Qmkadgpo.exe	94
PID 4844 wrote to memory of 1476	4844	Qceiaa32.exe	95
PID 4844 wrote to memory of 1476	4844	Qceiaa32.exe	95
PID 4844 wrote to memory of 1476	4844	Qceiaa32.exe	95
PID 1476 wrote to memory of 808	1476	Qjoankoi.exe	96
PID 1476 wrote to memory of 808	1476	Qjoankoi.exe	96
PID 1476 wrote to memory of 808	1476	Qjoankoi.exe	96
PID 808 wrote to memory of 4828	808	Qmmnjfnl.exe	97
PID 808 wrote to memory of 4828	808	Qmmnjfnl.exe	97
PID 808 wrote to memory of 4828	808	Qmmnjfnl.exe	97
PID 4828 wrote to memory of 4612	4828	Qcgffqei.exe	98
PID 4828 wrote to memory of 4612	4828	Qcgffqei.exe	98
PID 4828 wrote to memory of 4612	4828	Qcgffqei.exe	98
PID 4612 wrote to memory of 2872	4612	Aqkgpedc.exe	99
PID 4612 wrote to memory of 2872	4612	Aqkgpedc.exe	99
PID 4612 wrote to memory of 2872	4612	Aqkgpedc.exe	99
PID 2872 wrote to memory of 1516	2872	Anogiicl.exe	100
PID 2872 wrote to memory of 1516	2872	Anogiicl.exe	100
PID 2872 wrote to memory of 1516	2872	Anogiicl.exe	100
PID 1516 wrote to memory of 4588	1516	Aclpap32.exe	101
PID 1516 wrote to memory of 4588	1516	Aclpap32.exe	101
PID 1516 wrote to memory of 4588	1516	Aclpap32.exe	101
PID 4588 wrote to memory of 1364	4588	Afjlnk32.exe	102
PID 4588 wrote to memory of 1364	4588	Afjlnk32.exe	102
PID 4588 wrote to memory of 1364	4588	Afjlnk32.exe	102
PID 1364 wrote to memory of 4888	1364	Amddjegd.exe	103
PID 1364 wrote to memory of 4888	1364	Amddjegd.exe	103
PID 1364 wrote to memory of 4888	1364	Amddjegd.exe	103
PID 4888 wrote to memory of 980	4888	Acnlgp32.exe	104
PID 4888 wrote to memory of 980	4888	Acnlgp32.exe	104
PID 4888 wrote to memory of 980	4888	Acnlgp32.exe	104
PID 980 wrote to memory of 2388	980	Afmhck32.exe	105

C:\Users\Admin\AppData\Local\Temp\7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe
"C:\Users\Admin\AppData\Local\Temp\7459eb695019bf1c94e99e168db193ffdb260a982edb8917f1ddc036864253f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\Pdkcde32.exe
  C:\Windows\system32\Pdkcde32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\Pflplnlg.exe
    C:\Windows\system32\Pflplnlg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\Pmfhig32.exe
      C:\Windows\system32\Pmfhig32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\Pdmpje32.exe
        
        C:\Windows\system32\Pdmpje32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\SysWOW64\Pgllfp32.exe
        
        C:\Windows\system32\Pgllfp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3968
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        76⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 404
        77⤵
        Program crash
        
        PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2784 -ip 2784
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
69KB

MD5
0ce0d3423024f922f8f9a79e01b38c91

SHA1
ffa46a278ea21504d3f538d0aa991ebbfa684007

SHA256
8c4e39a703f5b51f987300042c945b3cfc8be4bc66b7fb728dcbb204e894fbd5

SHA512
d608b0fa5e539b27a3bb41c7e1ae0dbbb849f363522f638f9e0d758d509ba69874e3a3d5e3fe5c24f2d12c9ed0f326d1daa358e4c644006c1661c028dfc39b1f

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
69KB

MD5
8c210347cab70cc902c908881884b9cc

SHA1
72fb54692d7c47aa9e325c6d2616d0a6bc3a0a33

SHA256
c42ff039efeb574181efad84943c954bad59d4ada03cbe9834b8056c37da3a05

SHA512
4d80e69389ce14c47665cc9cd6ad82ec47254c447c3eb3d448756a5fa8e5428c668e39cfcce9bc5b5aecac5eb2cdfad5a8824fbbeabb7bde4983d1d3bbd581bf

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
69KB

MD5
0041b32d2bd6cf7acc8618b1117e315a

SHA1
1f59f82e56fe154aec96e5757f7dbf4d17e20eb9

SHA256
caff917f88146a0208ddc4dba0653ca35bdf148502290b37a31132597fc6e752

SHA512
f9c34ac801a72c03504d6bfa27c7971eff8c53354b82afc9491cc0288eefaad2362c6a679fdfefab147360c02872dd9a773677949950f32eb607bfbb04791b4b

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
69KB

MD5
566e7a5e76c5c20a16c7351bed940f3a

SHA1
0078593ed4d63e3e9d993a9817f98ce9d298e376

SHA256
3b190cfe36562d19d8bfdb697ea1a84196b6cf998073b3656cc77ec581db17cd

SHA512
d14f5ceccc6369741bc43a708dd2ae2ceb1b09608b05fb8f6a5b4afdbd84606d040987ff72dae375d30058620a47605c5e9f34e7291387cb5e273706dc4f74f4

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
69KB

MD5
c881dfb4e80d2d66a68a18aef710182d

SHA1
a99003cc65ae51c7045c20ffe27e7667ff8161e2

SHA256
218070b6dadc15027910d1d1b4314458469fdeb9375ee617b877cadad4e7503e

SHA512
7ffa6f21be67271f0bad7f209ca3c6e4b21ca48f8c830f6b2c805f08debe0940250cf663408aa326f961d9bde2d9492afae98e0efa52fbce0650e53584aceb74

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
69KB

MD5
361d4da34e42b1a87dc7dffe8c04e5ef

SHA1
ed00c095bfa6ea280576ab1c116fe78072b9c814

SHA256
5add2726acc51ad83336577150c86c6af175c10f209d8a4e44a4219ccda15a83

SHA512
ecfdc6ecbeddafedf4e4406b456284ba202838c85177bbe30b011fec055d18e7b80381dcd53b77380b4d75540266bf4079a03eb2e5a516257d04b0d1abb02bfa

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
69KB

MD5
06f48daca4a1090846a0b4ca8e44536e

SHA1
e34810d8f0973eabf46cc44012885fbe8cf6efef

SHA256
651eb271706f663e91581b68f40340b87e02c3df4830833890dfe0adebb9b54a

SHA512
366a7cd5a575a92e313ef465f9dcb06a8ddad45061fcf1a6ea30d4d22eed39d5ce11a7cc12d7b63be2421c936443136062799d09fa3d2c6c86202f275b87f9f4

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
69KB

MD5
a057b6cca63bd252d31fcb241d7595c1

SHA1
fcef88da2fd7757c039d82b4b78e79f07e116f80

SHA256
d742a2c350a0a73acab2a84fc37d9a0e61922aa333e4205595dddc815ba937a4

SHA512
9286a5bf1559d19ce617630bec96b60282a61529932072571c83ccfa4d9aa9288dcece10c259b7ac6e70995f1d679a3e44d7a09573be631471cca0c61b551002

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
69KB

MD5
46e5dbefe50643535e4ce824b0b69cd2

SHA1
d0181a914d6579c234dd46fb433503019aad3549

SHA256
52ec1611070bba8980e615e27684c90ab805b8cb70e87d762e538e0c25a0c6f5

SHA512
7939783f193aa4125a1bb165c5b448215dfc32f06b380db1489643401b1593f0bcf86e0473975ec7d4c645f1f4dfa5523d8e0aa742976efe3af9dba33036a096

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
69KB

MD5
0dd345387b4fb11ac1e40f13f2086d0c

SHA1
6332db93b4b178a420ef17f7bdb009b256391fec

SHA256
3802b11bbda7856af52f785592651c56348a42e36f5069129ffabf9efde0eb8f

SHA512
ebda193b70c2858b96cb3c7db2d30ccb60d613a4a14759991b599a8330ea29105d04822ca157e1e9b44db7d40fbec1b954bf0edfd862e76548460c7eb5241549

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
69KB

MD5
65c8b6c964871af49edcda591fab679f

SHA1
66f5a140f478d1e70e3322f538ff27f9d26a06f3

SHA256
d8f529b93970638f40a5afaa282dbe23a932c8e64e7a05085b06ebe9c880e04a

SHA512
de1c1ead650e4e6fdf4bccc1ca937b392e2015bfca829df007a74756409fed0c435a2114224f8ee14385f37bf026e84cfae18e658cab81818b1c7a821dfd0ec2

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
69KB

MD5
9d7e69577f7a28bc3bd18aa697df3491

SHA1
9533e6c197f13590f0bd450dec4d6e19ab124825

SHA256
4444f9186d1ad0cdfe4abf6456694e94a12c6f3be10c924cc1ad1ea26ac729e2

SHA512
db18b4f0123a2a329ceea54ceadecf5726e3a48879635aae21bf12f3929085310006b53ca2eb2ed45794d420ca55c3b88556f012b0d8932fa448e2eb7214bfee

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
69KB

MD5
78e8a636dc7bb86abc5ff8710d58e706

SHA1
ed824a6a81303a11032135e5f7f963520802921c

SHA256
98957f673af87f51f3e8536beddd9da2079bf0b0433d9d6727863570f673bbd7

SHA512
617b75c84cfb67a4e4845cea8c20a4eff973e3cf651ade6baa6fd07c8ba38c015148d3aadf7e6eafc4f4b39d67d2168ce6120e4de18251f9cde4800916cf03a0

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
69KB

MD5
301ecf258ad5c07d8310b8845c289f62

SHA1
63e6cc12ffb03148c93a6c848cdaa021253e0ce8

SHA256
1f2d613dec06d26dbb6264e0c047f6269c5f4eda89dd80211bf20c5a7c72e980

SHA512
ef0eec493ad63c5ef5c8f983ece62834babbe731b73dc4d09b7fd29b6cc3cf4239b8b7d6f80e8e3218049332a6808ee5819ead6f9641cf9870f75ff99cb00d92

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
69KB

MD5
7b423cc9bffc8d2a18752b31430e7d09

SHA1
ff051624cd2928c1104bb829a377106e73f2b2a4

SHA256
e5faff1694baba20e528599a952b450a5ff735e8f699359a8b9fe4f14b77b2f3

SHA512
a8a5abc105b2ee30b082b1beccd875157a0772eb924537cf42a3aeaf13f57e150632f5fa0108936666dd756c7b9b4eb90d375a340bab9c2774c4e946dcadd2ec

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
69KB

MD5
52b530dcb69bc61b6646efa07d373e3a

SHA1
d3d114551bd46737b04a7e5348c033c1bffc20ce

SHA256
54f2b31e8b648c49f0417c88e4d47976042939f1eb912edfcd5238303b229e1d

SHA512
a9b748a9f0d6cd9f7541aa0d55000d36a4c8aaba03850ec28fd0eb02697277ad81637495613b3648ca6567097d651300a9ed0768cc52da3ea0d6e94f5bfb8e97

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
69KB

MD5
3881d259850affeae6869abcca02628d

SHA1
51c9cc554632c732af390e4e04cd8d16fea34387

SHA256
59b9ee640386df20041e033884f0d3474e85bdd5eb77a7b67dbc4a51a672321f

SHA512
9ec7f5a32dd8cdb1dd7bd56bcadc5945ef350e1bed22b6ce0727cf9f35056c46cc626325440cbb9a182369a9e16b1f63d2c0624bb53da971689f9a265feee519

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
69KB

MD5
3b06613efb02cfe37ec905878ff561a4

SHA1
b32b5a7c19d2e4739f128f3f667e113116f9d66e

SHA256
0df85f96adc9e1c3f8ab83208a7828d6c2c190b9733991622603af9fc410b312

SHA512
dad8de52555a79302cda08b761d5f4a44659bbeeea7073e464b215137133c79f95c650660e70d722c43328a3b32564d75f99d4142d0f8c58e712652d305fffa4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
69KB

MD5
f2849db3c9f0ae2eeeb6e6f89610ecca

SHA1
1b64399cfee664590d10c6912da241f19f7a1deb

SHA256
001ec1483c1da5758a8bdd17f1cac4d737bafc57bf12ee24de1f0dea726cb51c

SHA512
0e30cc082ea7870e050912d9887abf1c1a7d304abc8393f946705faa03225f9ef1e28ec66c70f28a1f07641644660a28a71f6df3ee7f71f8e2dc39a02bcdefef

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
69KB

MD5
a4d2051be71d63d6d615de254a3e0f06

SHA1
86b00c11c8e8cb99ac5d593377ee3de98eae35c3

SHA256
1e2e6851f2372050c90354fe2daa4784bc55c3d55c5c4ccb60c966c98d87f33d

SHA512
1c5962f9f844c29b246ac6052a9ce9765ecf8963af7f89c4a4b11f94d8bda941841d65a42a67233c43002b9c707a5e6f59b1e34bb46bcc5d6244d8699f77711f

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
69KB

MD5
a411367abb616cb303d073b9acac0846

SHA1
26dfdb788aeab5b12ad17f027c0d6c5f4864bc96

SHA256
87b4f4ce58d0ddd369bea17c704de367de9c641bd1634165bd91fb6c0b183526

SHA512
18f3716b48167969c44179991524ec30cd62fb752784476809bd5e97f7f3f324418b03fd672ca698ebcaf2d7d09aa3e672ae1ddefe5e726cfca639be5bd7988d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
69KB

MD5
164ca0ac6d20085bd06acea5fe69a60c

SHA1
950f3dde1896c9d5329a0ea5509850422bd9ea40

SHA256
bb1361d727be318cfd4161b7605269779d72598e867f26bb08c6ca50e49822ea

SHA512
7e345244979b4a19190624d7f5ec2dee9eafadf900c46658aaec28f706c3d538319716ee964c6e5537e7e33e5c8d32c27909cd29b1c44e821ae5ea3ddb50df00

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
69KB

MD5
afdec02cb03a594bae8d2584e22d80bc

SHA1
4071829e48ad0eef2d6d3e505e6ae5c7042efe82

SHA256
cf4dbc093da5958d1d672157cb30e7e3a50c9da58d05f04ede96d102ad17cc7f

SHA512
f9782abc19b17c9de083f5c94ff86572dd916c6799fff6facbe8bb1ec69d8b2c76d352402acca6737b9450ab53a48f5094dec7bfc3b092ed86c4a11895d4400e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
69KB

MD5
20bad89ad4c241b7fbe0534ec7b5015a

SHA1
1cfd92c22f2de4bebcae2b0263c33a1127f0f9e8

SHA256
19c01bcb61b2b9fcdf3d8e3a5c0b02a8a41c397bb3e3006eb69b5bc33c957017

SHA512
254be2b0d98bcff4591ddeab694058ffe6a37c030be8e6513a17801565c22b0cc4fe1148789ff362dc324173637472e3150f9ee6e86fbbb4ec271c0e00a10296

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
69KB

MD5
745607b5eb80e41e50fb154225e298c7

SHA1
bac8d165ff6be3c925c0c70193d996ca080038d4

SHA256
0a5acf465b2aee007b2771dbd38caf6e3dfc5d2b12a1662ec450d788ee15d5aa

SHA512
7a4c1b3bc818a63da21087ad5d245486957c555f2162bf8f199da9d39aa67afe2b6b7865f15b252299b0d282cccc7fd26f8c769d492b3d4039d3b6030def0ddc

Download Submit
C:\Windows\SysWOW64\Pdkcde32.exe

Filesize
69KB

MD5
9255f2394a1a3f0a395338740e22e3e0

SHA1
f8152a056a0a64d62d623bdffca62bf8548568c0

SHA256
b0117072494128ff3dcc9c96b9ffd131d81fdc43f65bd9b14585c61df627cabf

SHA512
2225973001bb217cae7ffad94bef5f0b27c801564d7416bd0d321ee44d346d6f785dde7d7ddaffa5ab110351bdd566078f4e46193706c1713cf0955a246cb010

Download Submit
C:\Windows\SysWOW64\Pdmpje32.exe

Filesize
69KB

MD5
ce5a780d24caea0ad5def2873a797720

SHA1
dc62e7ea446e8d9a500c977e56c607f6e35b98d9

SHA256
809a84b1a9e293927e89c6cfc5303a661a81f0b05aa30e7b40edbaab1db49d85

SHA512
d17329340108a87d26cae30697056d740b3b2c17bb50bc242c2dd5b8f21dd53c4b7b857acfbaee40a5c4dfa6b65dc0822437305c967139f7075bff8b5528d7cc

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
69KB

MD5
fec60cf24672d818e1e32c2e1bab67e8

SHA1
9274956ceb9e1f7919ddf8bb4392234876d7b70b

SHA256
f63db98e2ba72497a4e2eb2a8c31d3395c9c0e5faae31d2f6b808fc592e5164d

SHA512
f8e08d9db2da63398b97df5a85ec19e015222bdf60dedf1727176b677e9765529607ed5e7f6022b1220cf4e7a4502a261b3b8fe509a74e5775f4f9f527968f90

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
69KB

MD5
05d59a1795a8af4fc9156436e1c7e928

SHA1
14dcb73c2f72f3b412c44ce0da6498a1a71cb1c5

SHA256
9406ef44bd33f024d0e0501d0a06c207e37429b395b964daf19c327cfa033492

SHA512
1e7c97617747e6e1d7c6a0025ba277b16a547fe2aad02b1e4fa94958577d518c73947b967809876ef1806531e1c6d7c9518d90a8228b27502da7a52a7196d0b8

Download Submit
C:\Windows\SysWOW64\Pflplnlg.exe

Filesize
69KB

MD5
81ddd3763076b2e5befb968aeeabd88a

SHA1
c276f033efb7db0b762418fc286f646b233df02f

SHA256
fe14d3e5556f974544abe6fcd115887f5a2cf649d6604f0c119c9ed8fd8bd35d

SHA512
2ef0f699721989f166041860e0826ca24e70aa156d6848769c027e965137049fefee8fe69b30515e1a86e083441053b087b334529688e934ad574b4a0e76c399

Download Submit
C:\Windows\SysWOW64\Pgllfp32.exe

Filesize
69KB

MD5
dd479bc04606c332adf5b921cae3f9b4

SHA1
5524a74316e4225c3f8958d40d709ef6ea4fe46e

SHA256
92f3ee80e1d75b6e433d8fd3dd56aea955858be8d56c20add1c3adfe57822a54

SHA512
29c1de6a3b85e2e0048af5fb7528299cca5896ccef5816dc137eb2b3626147537967dd9bcafb294ff3a3aad2d7b6f8545402167e02d3882297d9e964fe981879

Download Submit
C:\Windows\SysWOW64\Pjjhbl32.exe

Filesize
69KB

MD5
14d43969b2ead2cd012b64357a2ea857

SHA1
9bdc5d99e0cfd2c5e2ef74f692154534137f5b8f

SHA256
260a06ca976494de7f5f1779d3403ca406d71a4b953ca2652165d34c554cdd07

SHA512
b3c086ecb13b95843a0edded8f31ffbbda6c23fbf20e1d805ef508e86625966b9904f328a45412e66365c7458d3a3dff42555786f836ead7401353bcd2f646a8

Download Submit
C:\Windows\SysWOW64\Pmfhig32.exe

Filesize
69KB

MD5
3bae8cf06e6c3cc4abfbe41490f890fc

SHA1
814415e06a83bedf3baf223ec035a465bc983737

SHA256
9ad4f7e807662579b34582b8759a16526d9ac69c42ef004ac048ba3001556906

SHA512
a62c97b11592a033b62a2978905d2dc269af28f4491bb6f2771b03602318839ceca1c7639380fc2b5111f1309b4fedfad2f640650219272ffd37e2043634712c

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
69KB

MD5
0f7253fba8074fe4c0b7998246e30b4b

SHA1
a43ca845ec4a8012e45a37536df8af1eb78dd027

SHA256
0e3300dd71b6e8001d49b1fecec78a98c5464af3450c8b7dc3a9b5f1068fdd41

SHA512
5c52e9c53460779e68701f2b74f01fbd9c2b8ee06f20a4839d843341ba18a36a64a9cb9a5a173d88eeceb097cd975395851f959ed03e127156ec9d0448c59bfd

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
69KB

MD5
fa6563a623a6bc8ad84a0f3ad3c22357

SHA1
45a9169bdf380ae2d4700d7659c6efadc5e998ec

SHA256
bdf224f38ea6fc05f193ba8ff1ee3b8d44fdd198048364ee3a361e3a45c4e26d

SHA512
ae51145204444ea1f9b5c3a398c519f1bf221aa08c99b4543a9cc247d9debefd9914751e28e72f952ed7aec4fd1d001e873623f5ec39bae9e7c4a4c15c069a74

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
69KB

MD5
068886262a9709c4fc380dfc566c2d9b

SHA1
a7449a733d49c52662ae6e20fa41dd6241bae905

SHA256
0582d7818e34900684bfffacb8814cab597d7af27790f7146d1cfc6816ead18c

SHA512
746b5145b62ca4567146af343236bd90ea67ebc24a72bf5ec58b2ac3cbdc1460c64a5442df5232ae867c462dead69da8efc20fb82f34ab23a2e25406b0a5556d

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
69KB

MD5
70d2d112ed8a04f8927e3b2422cbaf91

SHA1
354b0a8dc57f1a4d857d011414a8c137985e7bbd

SHA256
28252d236b797238612719c39fd5542b96ea08b780d9d783f572e299f05b7276

SHA512
cc02531f9c9647304e2c4b6364f3e275200dfdf3da33daf138f4830dae870dd09532016a8a1027a9dae16a8656cc0522b0b9e8374cb4c9d16a71305b635e176f

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
69KB

MD5
1a1e2a11ed988cc5467eec0ec328c3db

SHA1
8e311d3ee0f60c8a470318c63ecacda69984bd96

SHA256
d8336df5466f70ed63c30318e729564e6f00f750110b7d7de7b9654b53974b2e

SHA512
0eb4a695f1d8c84fa681181acb049d3a1f9d5077ef0b185bccb8ecd44a685bf340b83eb5b0fa4e7dd84b025bc62573f6c2e97e84b49ef38dc2b322fd3591e196

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
69KB

MD5
467c2f9eadc7d03db1408777dc1a7150

SHA1
846374cedd94f297d4fd8d815526b721b46194f7

SHA256
833f590f67d5856c2e514ca7e60374172700e9c9f1596c131e79e349845c3f65

SHA512
c32eef3daa000a2c9da0f3f1477ebe38de8475ea40e9a0fd03f47133f754d4a237207747ca7d1af53e14be0b0daca2f798174760f48d17c4d832a962750e3798

Download Submit
memory/336-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/392-528-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/392-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/656-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-512-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/808-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-524-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/832-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/980-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-518-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-484-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-531-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1192-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-478-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-519-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-520-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1336-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1340-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1364-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1384-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1476-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1516-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1568-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1656-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1700-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1848-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1908-200-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2012-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-525-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2356-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2388-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-516-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2572-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2764-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-515-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-514-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2872-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2904-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2912-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2960-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-532-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2988-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-376-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3236-534-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-322-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3384-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3420-476-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3444-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-522-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3616-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3912-183-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3916-304-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-523-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3968-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4060-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-521-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4216-460-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4284-529-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4528-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4588-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4596-527-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4596-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-119-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-382-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4752-533-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4764-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-111-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4836-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4844-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-517-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4868-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4960-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-530-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads